iCloud PR not working, after enabling in config

I would like to allow using iCloud Private Relay, especially for the Mail Privacy feature.
Therefore I've set BLOCK_ICLOUD_PR=false in /etc/pihole/pihole-FTL.conf.
After saving the file, I restarted the DNS with pihole restartdns.

I was expecting that iOS would no longer complain in Mail that the external content could not be loaded due to my network settings.
I quit the app and put the iPhone in flight mode, but it seems that the configuration did not take effect.

Can someone please point me in the right direction?
Obviously I've missed an important step ...

Thanks

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Thanks for your reply.
Please find the log here: https://tricorder.pi-hole.net/lamvy0zC/

The option is correctly set

-rw-rw-r-- 1 pihole root 37 Nov 28 09:54 /etc/pihole/pihole-FTL.conf
   BLOCK_ICLOUD_PR=false
   PRIVACYLEVEL=0

Please run from your PC

nslookup mask.icloud.com

nslookup mask-h2.icloud.com

Both commands issued from my Mac mini.
10.0.0.4 is the local IP of my pihole.

$ nslookup mask.icloud.com
Server:		10.0.0.4
Address:	10.0.0.4#53

Non-authoritative answer:
mask.icloud.com	canonical name = mask.apple-dns.net.
Name:	mask.apple-dns.net
Address: 17.248.150.201
Name:	mask.apple-dns.net
Address: 17.248.150.197
Name:	mask.apple-dns.net
Address: 17.248.150.196
Name:	mask.apple-dns.net
Address: 17.248.150.200
Name:	mask.apple-dns.net
Address: 17.248.150.199
Name:	mask.apple-dns.net
Address: 17.248.150.198
$ nslookup mask-h2.icloud.com
Server:		10.0.0.4
Address:	10.0.0.4#53

Non-authoritative answer:
mask-h2.icloud.com	canonical name = mask-t.apple-dns.net.
Name:	mask-t.apple-dns.net
Address: 17.250.82.5
Name:	mask-t.apple-dns.net
Address: 17.250.82.6
Name:	mask-t.apple-dns.net
Address: 17.250.82.4
Name:	mask-t.apple-dns.net
Address: 17.250.82.8
Name:	mask-t.apple-dns.net
Address: 17.250.82.9
Name:	mask-t.apple-dns.net
Address: 17.250.82.7

Pi-hole does not block the relevant domains (anymore). Try to restart your iOS device.
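As an added example (not Pi-hole's own code and not posted by anyone in this thread): a small Python check that reads BLOCK_ICLOUD_PR from pihole-FTL.conf, parses nslookup output like the one posted above, and reports whether the resolver's answer matches the configured setting. It assumes a Pi-hole block reply for these domains arrives as NXDOMAIN or a null address; the sample outputs are constructed from the posted answer.

```python
import re

# Null addresses a resolver may hand back instead of a real answer.
NULL_ADDRESSES = {"0.0.0.0", "::"}
ADDR_RE = re.compile(r"^Address:\s*(\S+)\s*$", re.MULTILINE)

def block_setting(conf_text: str) -> bool:
    """True when pihole-FTL.conf asks to block the Private Relay domains.
    Pi-hole's default is BLOCK_ICLOUD_PR=true, so a missing key means 'block'."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("BLOCK_ICLOUD_PR="):
            return line.split("=", 1)[1].strip().lower() != "false"
    return True

def classify(nslookup_output: str) -> str:
    """Classify one nslookup run as 'blocked', 'allowed' or 'unknown'."""
    if "NXDOMAIN" in nslookup_output or "can't find" in nslookup_output:
        return "blocked"
    # The first 'Address:' line names the server ('10.0.0.4#53'); skip it.
    answers = [a for a in ADDR_RE.findall(nslookup_output) if "#" not in a]
    if not answers:
        return "unknown"
    return "blocked" if all(a in NULL_ADDRESSES for a in answers) else "allowed"

def config_took_effect(conf_text: str, nslookup_output: str) -> bool:
    """True when the DNS answer matches what the config file asks for."""
    want = "blocked" if block_setting(conf_text) else "allowed"
    return classify(nslookup_output) == want

# Constructed samples: the first mirrors the answer posted in the thread,
# the second is what an NXDOMAIN block reply looks like (assumed format).
ALLOWED_OUTPUT = """Server:\t\t10.0.0.4
Address:\t10.0.0.4#53

Non-authoritative answer:
mask.icloud.com\tcanonical name = mask.apple-dns.net.
Name:\tmask.apple-dns.net
Address: 17.248.150.201
"""
BLOCKED_OUTPUT = """Server:\t\t10.0.0.4
Address:\t10.0.0.4#53

** server can't find mask.icloud.com: NXDOMAIN
"""
```

Run the real `nslookup` for both domains against the Pi-hole and feed its text to `config_took_effect` together with the contents of `/etc/pihole/pihole-FTL.conf`.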

Thanks for your help.
I restarted my iOS devices and it still didn't work.
Then I noticed that the Private Relay flag in Settings -> Wi-Fi was disabled. I thought that I could use Pi-hole for Safari and only use iCloud PR for Mail Privacy. This seems not to work. After enabling PR for this Wi-Fi network, it works as expected. Pi-hole is bypassed and PR is used.

Do you know if I can use PR for mail only in my home network?

That would be a good question for Apple's support.
Please consider sharing their advice here once you receive an answer from them.

You don't need to have Private Relay enabled to get the Mail Privacy features. They use the same domains, but are separate features in iOS and macOS.

You can disable Private Relay (and have the DNS traffic from the Safari browser go through Pi-hole) and still have the Mail Privacy feature with your current Pi-hole settings.

In iOS Settings > Mail > Messages > Privacy Protection, toggle Protect Mail Activity to ON.

In iOS Settings > Apple ID > iCloud > Private Relay, turn that OFF.

This works on all my iOS devices.

Thanks for pointing this out.
I tried your solution and it seems to work like you described. At least the warning in iOS Mail is gone. Though, I didn't double-check whether these images are downloaded through PR.

I actually tried to disable PR for my Wi-Fi network only, as I would like to use it when I am connected to networks without Pi-hole or with LTE.
I am afraid it is not working like I wish it would. The small description below the flag in the Wi-Fi network settings says the following about hiding the IP address in Mail.

(translated with deepl.com)
Private Relay prevents networks from monitoring your Internet activity, and hides your IP address from known trackers and websites. Disabling Private Relay for this network will also disable IP address hiding in Mail.

Attached is a screenshot of the setting I am talking about.
Sorry, it is in German ...

Seems like we do not get the best of both worlds and cannot enable PR only for non-Pi-hole networks.

Note that Pi-hole would be able to suppress actually accessing tracking domains contained in emails, as long as they appear on one of your blocklists.
The net effect may be similar, i.e. as those blocked tracking domains are never contacted, they also wouldn't know your IP address.
