With iOS 15 and later, Apple has started to use a private relay that could be used to bypass our solution. For this reason, we have categorized mask.icloud.com and mask-h2.icloud.com as Proxy & Filter Avoidance. If this threat category is turned on, these domains are blocked, which prevents any bypass. Blocking can cause issues, however: the private relay activates if a successful DNS response is received, so the end user wouldn't receive the blocked page. This would sometimes cause the Safari web browser and other applications on iOS to have issues.
However, we now return an NXDOMAIN response for these domains, which means DNS resolution will never reach those relays. According to Apple's article, this is the preferred response to avoid any issues, and it allows Safari and other iOS applications to function correctly. With this now our default response to these domains, the Private Relay setting will display a message that private relay is turned off for this specific network if you drill down to it. Nothing needs to be done on your side, but please be aware that this is how we will respond to these requests going forward. Please see the images below for what this looks like on iOS and macOS.
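
To confirm from a client network that the resolver answers the two relay hostnames with NXDOMAIN as described above, the following added example (not code from the vendor or from Apple) builds a DNS query and classifies the raw reply by its header RCODE and answer count. The function names, the query ID and the sample responses are constructed for this illustration.

```python
import socket
import struct

RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")  # hostnames named above
QID = 0x1234  # arbitrary query ID used for this example

def build_query(name, qtype=1):
    """Build a minimal DNS query for `name` (type A, class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_response(packet):
    """Classify a raw DNS response by header RCODE and answer count."""
    if len(packet) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != QID or not flags & 0x8000:   # wrong ID or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"    # the response described above
    if rcode == 0 and ancount > 0:
        return "resolves"    # successful answer, e.g. a relay or block-page address
    if rcode == 0:
        return "nodata"      # NOERROR with an empty answer section
    return "rcode-%d" % rcode

def query_resolver(resolver_ip, name, timeout=3.0):
    """Send one UDP query to resolver_ip and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return classify_response(s.recv(512))

def sample_response(name, rcode, answers=()):
    """Constructed response for offline testing; not captured traffic."""
    header = struct.pack("!HHHHHH", QID, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = build_query(name)[12:]
    for ip in answers:  # compressed name pointer, type A, class IN, TTL 60
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + body

if __name__ == "__main__":
    for host in RELAY_HOSTS:
        print(host, classify_response(sample_response(host, 3)))
```

On a live network, call `query_resolver` with the IP address of the resolver your devices use and each entry in `RELAY_HOSTS`; a result of `resolves` means the resolver is still returning a successful answer for that hostname.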