iPhone iOS 15.0.2 with Private Relay enabled shows it isn't compatible with iCloud Private Relay, and should be.
Actual Behaviour:
Setting the iPhone to use 8.8.8.8 on the same WiFi network allows iCloud Private Relay to work. Disabling Pi-hole or allow-listing an individual client doesn't allow it to work either.
This is a fresh Docker install.
There are no blocked entries for mask.icloud.com or mask-h2.icloud.com (which, as I understand it, are the key records to allow for it to work).
Add special handling of iCloud Private Relay domains
Implement special handling of Apple iCloud Private Relay domains to prevent Apple devices from bypassing Pi-hole.
You can turn it off by setting BLOCK_ICLOUD_PR=false in /etc/pihole/pihole-FTL.conf followed by a pihole restartdns.
But I want to allow network users to use Private Relay if they want, I don't care about globally disabling it.
There's something not working correctly at the moment - or have I misunderstood the changes in 5.10.1 (I am on 5.10.2), which means that Pi-hole will always NXDOMAIN the Apple domains irrespective of what the query log says?
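Added example (not Pi-hole project code and not posted by anyone in this thread): a small POSIX shell script that toggles BLOCK_ICLOUD_PR in a pihole-FTL.conf-style file without duplicating the line, and checks what a resolver actually answers for mask.icloud.com and mask-h2.icloud.com, since the query log alone does not reveal the NXDOMAIN described above. It assumes the config file uses plain KEY=value lines, that the block is on whenever the key is absent or not "false", and that dig is installed for the live check; the demo works on a scratch file rather than /etc/pihole.

```shell
#!/bin/sh
# Added example, not Pi-hole's own code. Assumes pihole-FTL.conf is KEY=value
# per line, and that dig is available for the live resolver check.

# set_ftl_option FILE KEY VALUE: replace an existing KEY= line, else append one.
set_ftl_option() {
  conf="$1"; key="$2"; value="$3"
  touch "$conf"
  if grep -q "^${key}=" "$conf"; then
    # rewrite through a temp file so readers never see a half-written config
    tmp="${conf}.tmp.$$"
    sed "s|^${key}=.*|${key}=${value}|" "$conf" > "$tmp" && mv "$tmp" "$conf"
  else
    printf '%s=%s\n' "$key" "$value" >> "$conf"
  fi
}

# get_ftl_option FILE KEY [DEFAULT]: print the effective value (last match wins).
get_ftl_option() {
  val=$(grep "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-)
  printf '%s\n' "${val:-$3}"
}

# icloud_pr_blocked FILE: exit 0 if FTL would NXDOMAIN the relay domains.
# Per the thread, blocking is on unless BLOCK_ICLOUD_PR=false is set.
icloud_pr_blocked() {
  [ "$(get_ftl_option "$1" BLOCK_ICLOUD_PR true)" != "false" ]
}

# rcode_from_dig: read dig output on stdin, print the status (NOERROR, NXDOMAIN, ...).
rcode_from_dig() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# check_relay_domains RESOLVER: live check; prints "domain rcode" for each
# Private Relay domain so the answer can be compared with the query log.
check_relay_domains() {
  for d in mask.icloud.com mask-h2.icloud.com; do
    printf '%s %s\n' "$d" "$(dig @"$1" "$d" A 2>/dev/null | rcode_from_dig)"
  done
}

# Demonstration on a constructed scratch file, not on the real config.
demo() {
  f=$(mktemp)
  set_ftl_option "$f" BLOCK_ICLOUD_PR false
  if icloud_pr_blocked "$f"; then echo "relay blocked"; else echo "relay allowed"; fi
  # On a real install the change only takes effect after: sudo pihole restartdns
  rm -f "$f"
}

demo
```

To compare the two resolvers the OP mentions, run check_relay_domains against the Pi-hole address and then against 8.8.8.8; a working relay answers NOERROR for both domains, while the FTL block shows up as NXDOMAIN even when the query log marks the query as permitted.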
Yes. As long as you don't disable the option in the config file it will always reply with NXDOMAIN. Does the query log say something different for you?
The query log was always showing as permitted, yes, hence it was not obvious to work out what was going on. I assumed the query log was the "truth" but I guess FTL has its own behaviour downstream.
What would be a more obvious but still not obtrusive way? We block the Mozilla canary domain the same way. Mozilla even asks developers of projects to do this to preserve local DNS functionality. It is handled by a similar config flag.
I vote for a new query status as well. However, I'm not so sure about showing a working canary domain block in red. But I can see that opinions may differ on this aspect.