Websites won't load on Apple devices
To ensure reliable DNS filtering and maintain network visibility, DNSFilter automatically blocks Apple’s iCloud Private Relay. This feature routes traffic through Apple’s relay network, bypassing DNSFilter and preventing policy enforcement. Because it disrupts DNS resolution and introduces security risks, iCloud Private Relay cannot be allowed or bypassed within our system.
Why It’s Blocked
iCloud Private Relay was designed to obscure user IP addresses and encrypt DNS queries, which prevents DNSFilter from inspecting or applying policies to traffic. This results in:
- Broken or partial website loads
- Filter evasion and policy gaps
- Loss of visibility into user browsing activity
To protect your network integrity, DNSFilter actively prevents iCloud Private Relay traffic from resolving these four domains:
- mask.icloud.com
- mask-h2.icloud.com
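To confirm the block from a client network, the following added example (not DNSFilter's own code) queries a resolver for the two hostnames above and classifies the reply. It assumes Apple's published guidance that an NXDOMAIN or "no error, no answer" response for these names tells devices the network does not allow Private Relay; this page does not state which response DNSFilter returns, and the resolver address passed to `check()` is whatever your devices actually use.

```python
import socket
import struct

# The two hostnames listed on this page.
RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")

def build_query(name, qid=0x1234):
    """Encode a recursive DNS query for the A record of `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify(response):
    """Say what a raw DNS response means for Private Relay on this network."""
    if len(response) < 12:
        return "malformed"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:          # QR bit clear: this is a query, not a reply
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 3:
        return "blocked (NXDOMAIN)"
    if rcode == 0 and ancount == 0:
        return "blocked (no error, no answer)"
    if rcode == 0:
        return "resolves"           # real relay address or a block-page IP
    return "rcode %d" % rcode       # e.g. 2 = SERVFAIL, 5 = REFUSED

def check(resolver_ip, name, timeout=3.0):
    """Ask `resolver_ip` for `name` over UDP/53 and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"        # Apple advises against silent drops
    return classify(reply) if reply[:2] == query[:2] else "malformed"

def constructed_reply(name, rcode, ancount):
    """Header-only constructed sample: echo the question with reply flags set."""
    query = build_query(name)
    return query[:2] + struct.pack("!HHH", 0x8180 | rcode, 1, ancount) + query[8:]

if __name__ == "__main__":
    for host in RELAY_HOSTS:
        print(host, "->", classify(constructed_reply(host, 3, 0)))
```

A "resolves" result means the resolver in use is still answering for the hostname, so check whether the device is pointed at a different DNS server than the filtered one.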
Additional steps to prevent website errors on Apple devices
If you're seeing inconsistent behavior on macOS or iOS devices, we recommend confirming that the following Apple privacy settings are disabled:
- Turn off Limit IP Address Tracking for any Wi-Fi networks
- Update Safari to not hide IP addresses
- Remove Privacy Protection in Mail settings
These settings may still appear enabled on the device, but DNSFilter will block related traffic. Disabling them manually can reduce confusion or compatibility warnings at the device level.
MDM resolution
Many MDM products provide steps to disable or restrict these Apple settings. Consult your provider's support documentation for details. Here is an example troubleshooting guide from Jamf to restrict iCloud Private Relay on both iOS and macOS devices.