To maintain reliable DNS filtering and network visibility, DNSFilter blocks DNS destinations that bypass policy enforcement. These domains return an NXDOMAIN response when queried.
This behavior most commonly impacts:
- Apple iCloud Private Relay
- Mozilla’s encrypted DNS signaling domain
Why these domains are blocked
Some privacy features encrypt DNS queries or route traffic through relay networks, which prevents DNSFilter from applying policy controls. This can result in:
- Broken or partial website loads
- Filter evasion and policy gaps
- Reduced visibility into browsing activity
Domains that return NXDOMAIN
DNSFilter blocks the following domains by returning NXDOMAIN:
- mask.icloud.com
- mask-h2.icloud.com
- use-application-dns.net
Reduce Apple privacy-related connectivity issues
If inconsistent browsing behavior occurs on macOS or iOS devices, confirm that the following Apple privacy settings are disabled:
- Disable Limit IP Address Tracking for the Wi-Fi network
- Update Safari settings to avoid hiding IP addresses
- Disable Mail Privacy Protection
These settings may still appear enabled on the device even though DNSFilter blocks the related traffic. Disabling them manually reduces device warnings and end-user confusion.
MDM resolution
Many MDM solutions support disabling or restricting these Apple settings. Reference MDM provider documentation for configuration steps. Jamf provides guidance for restricting iCloud Private Relay on iOS and macOS devices.
Optional: Request changes through Support
This behavior can be modified by submitting a request to the Support Team by email.