benfitita 39 Posted ... I'd like to be able to reliably block Apple iCloud Private Relay. According to the documentation, that can be done by replying NXDOMAIN to queries about the following hosts: mask.icloud.com mask-h2.icloud.com This seems to be similar to the existing "use-application-dns.net Canary Domain" feature. Would it be possible to either: 1. Add a toogle in Client Area -> DNS to disable Apple iCloud Private Relay, like the existing one for the Canary Domain? 2. Add ability to create custom DNS entries that return NXDOMAIN. Quote Share this post Link to post
OpenSourcerer 1435 Posted ... It's already possible. This screenshot will give you an idea. 1 FatCat reacted to this Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
benfitita 39 Posted ... I'm aware of that, but it, by default Deny returns 0.0.0.0 as an answer, while Apple support doc says that NXDOMAIN should be returned. I'm not sure why the recommended Deny response is 0.0.0.0 instead of NXDOMAIN. Is there perhaps any information on ramifications of switching the default Deny from 0.0.0.0 to NXDOMAIN and why 0.0.0.0 is recommended? Quote Share this post Link to post
OpenSourcerer 1435 Posted ... 2 hours ago, benfitita said: default Deny returns 0.0.0.0 as an answer, while Apple support doc says that NXDOMAIN should be returned That's why the Block behavior is changed to NXDOMAIN further down. As written, the picture will give you an idea. 2 hours ago, benfitita said: Is there perhaps any information on ramifications of switching the default Deny from 0.0.0.0 to NXDOMAIN and why 0.0.0.0 is recommended? Pi-Hole points out that NXDOMAIN will trigger more requests from certain applications because of little acceptance. NXDOMAIN can imply a (temporary) error happening, so applications will try again later. Any NOERROR reply is advantageous because applications will try to connect to the returned address instead. With an adblocker it will time out and trigger in-app exception handling instead. The reason why Apple suggests NXDOMAIN is because of UX considerations: If NOERROR is returned, the client will connect and cause a delay, lowering people's acceptance of the feature ("uuh, why is browsing websites with it so slow?"). They seem to have configured the service to immediately forego the VPN if NXDOMAIN is returned; it is a way, though. Sneaky software might even try different domains or even plain IP to connect after a NXDOMAIN, something you can't block without a packet filter. Though, it could be part of normal exception handling as well. The Linux kernel chooses 127.0.0.1 if 0.0.0.0 is used. I don't know what Windows does. 2 Antti Simola and benfitita reacted to this Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
benfitita 39 Posted ... Thanks! This is a great explanation. I'll see if I get any bad feedback with Deny + 0.0.0.0. Quote Share this post Link to post