Jump to content
Not connected, Your IP: 3.147.86.246
benfitita

Ability to disable Apple iCloud Private Relay

Recommended Posts

I'd like to be able to reliably block Apple iCloud Private Relay. According to the documentation, that can be done by replying NXDOMAIN to queries about the following hosts:

mask.icloud.com
mask-h2.icloud.com
This seems to be similar to the existing "use-application-dns.net Canary Domain" feature.

Would it be possible to either:
1. Add a toogle in Client Area -> DNS to disable Apple iCloud Private Relay, like the existing one for the Canary Domain?
2. Add ability to create custom DNS entries that return NXDOMAIN.

Share this post


Link to post

It's already possible. This screenshot will give you an idea.

image.thumb.png.8d15c8b33a537f35e574b77e73840d61.png


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

I'm aware of that, but it, by default Deny returns 0.0.0.0 as an answer, while Apple support doc says that NXDOMAIN should be returned. I'm not sure why the recommended Deny response is 0.0.0.0 instead of NXDOMAIN. Is there perhaps any information on ramifications of switching the default Deny from 0.0.0.0 to NXDOMAIN and why 0.0.0.0 is recommended?

Share this post


Link to post
2 hours ago, benfitita said:

default Deny returns 0.0.0.0 as an answer, while Apple support doc says that NXDOMAIN should be returned


That's why the Block behavior is changed to NXDOMAIN further down. As written, the picture will give you an idea. :)
 
2 hours ago, benfitita said:

Is there perhaps any information on ramifications of switching the default Deny from 0.0.0.0 to NXDOMAIN and why 0.0.0.0 is recommended? 


Pi-Hole points out that NXDOMAIN will trigger more requests from certain applications because of little acceptance. NXDOMAIN can imply a (temporary) error happening, so applications will try again later. Any NOERROR reply is advantageous because applications will try to connect to the returned address instead. With an adblocker it will time out and trigger in-app exception handling instead.
The reason why Apple suggests NXDOMAIN is because of UX considerations: If NOERROR is returned, the client will connect and cause a delay, lowering people's acceptance of the feature ("uuh, why is browsing websites with it so slow?"). They seem to have configured the service to immediately forego the VPN if NXDOMAIN is returned; it is a way, though.

Sneaky software might even try different domains or even plain IP to connect after a NXDOMAIN, something you can't block without a packet filter. Though, it could be part of normal exception handling as well. :)

The Linux kernel chooses 127.0.0.1 if 0.0.0.0 is used. I don't know what Windows does.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...