Use this article to block Apple's iCloud Private Relay from being able to bypass DNSFilter.
As of iOS 15, iPadOS 15, and macOS Monterey, Apple introduced iCloud Private Relay, which can be used to bypass DNSFilter.
The DNSFilter team isolated four domains associated with the Private Relay:
- mask.icloud.com
- mask-h2.icloud.com
- mask-api.icloud.com
- mask.apple-dns.net
How to block the Private Relay
There are two Filtering Policy options that can prevent this bypass:
- Block the Proxy & Filter Avoidance category. The domains associated with iCloud Private Relay are categorized as Proxy & Filter Avoidance, so blocking this category blocks them.
  DNSFilter returns an NXDOMAIN response for these domains, so DNS resolution never reaches the relays. Per Apple's help article, NXDOMAIN is the preferred response for avoiding issues: it lets Safari and other applications continue to function correctly.
- Block Apple iCloud Private Relay via AppAware. Admins can block the application from AppAware under VPN and Proxy.
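To verify that the policy is actually in effect, the check below sends a raw A query for each of the four relay domains to a resolver and reads the RCODE from the reply, where 3 means NXDOMAIN. This is an added example, not DNSFilter's code; the resolver address 127.0.0.1 is a placeholder for the DNSFilter resolver your network uses.

```python
"""Confirm a resolver answers NXDOMAIN for the iCloud Private Relay domains.
Added example (not DNSFilter's own code). Uses only the standard library:
builds an RFC 1035 A query and reads the RCODE from the reply header."""
import socket
import struct

# The four relay domains listed in the article.
PRIVATE_RELAY_DOMAINS = [
    "mask.icloud.com",
    "mask-h2.icloud.com",
    "mask-api.icloud.com",
    "mask.apple-dns.net",
]
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a recursive A/IN query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_rcode(response: bytes, expected_txid: int = 0x1234) -> str:
    """Return the RCODE name from a DNS reply after checking the id and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def check_resolver(resolver_ip: str, domains=PRIVATE_RELAY_DOMAINS, timeout=3.0) -> dict:
    """Map each domain to the RCODE name returned by `resolver_ip` (or 'TIMEOUT')."""
    results = {}
    for name in domains:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name), (resolver_ip, 53))
            try:
                data, _ = sock.recvfrom(512)
                results[name] = parse_rcode(data)
            except socket.timeout:
                results[name] = "TIMEOUT"
    return results


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder resolver
    for name, rcode in check_resolver(resolver).items():
        print(f"{name:24s} {rcode:10s} {'blocked' if rcode == 'NXDOMAIN' else 'NOT blocked'}")
```

Run it with the resolver address as the first argument; any domain that does not come back as NXDOMAIN is still resolvable on that path and the policy is not being applied there.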
With these domains blocked, an Apple device shows that Private Relay is turned off for this network when the user views the Private Relay setting. No action is required on the device. See the images below for what this looks like on iOS and macOS.