I have Pi-hole v5.17.1 (docker version), FTL v5.23 and Web Interface v5.20.1.
One of my users is using iCloud Private Relay (basically, this is Apple's implementation of oDoH (Oblivious DNS over HTTPS), meaning that iDevices are using an Apple proxy server (relay) to avoid the destination DNS server knowing who is sending which DNS requests).
And then restarted FTL: sudo service pihole-FTL restart.
Now the problem is that iDevices are still saying that iCloud Private Relay is not working. Is there any option to block them in a way that iPhones will not complain about that?
You can either have iCloud's relaying or Pi-hole's filtering.
Pi-hole is already signaling its clients to switch off iCloud in its presence, providing the recommended answers for the domains by default (so it isn't necessary to manually configure them like you tried to).
So if I understand - if I set BLOCK_ICLOUD_PR to false, PiHole filtering will be working for all devices, except iDevices (and iDevices won't complain about iCloud relay not working)?
Generally yes. The iDevices will use Pi-hole if you have iCloud Private Relay disabled on an individual device. If you enable iCloud PR on a device, that device will use it and won't use Pi-hole for DNS.
You will need to decide for yourself if you would rather have ad-blocking via Pi-hole or some anonymity gained through iCloud PR.
But if this is just about the "SpecificNetwork isn't compatible with iCloud Private Relay" message being annoying: That could also be avoided by turning it off for that SpecificNetwork:
Private Relay can be turned off for a specific network using the Limit IP Address Tracking setting.
If you turn off Private Relay for a specific network, the setting for that network applies to all of your devices for which Private Relay is turned on.
If you regularly switch between multiple network configurations (such as Dual SIM or Wi-Fi and Ethernet), make sure that this setting is set for each network independently.
Is it possible to create a special group (in PiHole) that will not block iCloud Private Relay (while default settings for default group will perform blocking)?
allowing you to put the respective domains on your whitelist. When you apply them only to one group, this effectively disables the special handling for this group while it stays intact for the rest of your network. Please run
pihole checkout ftl tweak/special_domains_prio_v5
and check if adding
mask.icloud.com
mask-h2.icloud.com
and then assigning them to the group you want the feature disabled for does what you want.
When this is working well, we can include it in the next FTL release which is scheduled rather soonish.
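To verify from a given client which behaviour it is getting (the default signalling that makes iDevices report "Private Relay not working", or the whitelist/group exception discussed above), here is an added example, not code from the thread or from the Pi-hole project: it sends a plain UDP DNS query for each of the two probe domains to the resolver you name and classifies the answer. It assumes, as the thread's description of BLOCK_ICLOUD_PR implies, that Pi-hole signals "relay unavailable" by answering NXDOMAIN for these names.

```python
import socket
import struct

# The two domains Apple devices resolve to decide whether Private Relay is usable.
RELAY_PROBE_DOMAINS = ("mask.icloud.com", "mask-h2.icloud.com")

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp: bytes) -> str:
    """'blocked'  -> NXDOMAIN: the device will report Private Relay unavailable.
       'answered' -> records returned: the device can use Private Relay.
       'unknown'  -> anything else (SERVFILL, REFUSED, truncated, empty NOERROR)."""
    if len(resp) < 12:
        return "unknown"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "blocked"
    if rcode == 0 and ancount > 0:
        return "answered"
    return "unknown"

def probe_resolver(resolver_ip: str, timeout: float = 2.0) -> dict:
    """Query each probe domain at `resolver_ip` (port 53/UDP) and classify the answers.
    Run it from a client in each Pi-hole group to confirm the group-specific handling."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for name in RELAY_PROBE_DOMAINS:
            s.sendto(build_query(name), (resolver_ip, 53))
            try:
                results[name] = classify_response(s.recv(512))
            except socket.timeout:
                results[name] = "unknown"
    return results

if __name__ == "__main__":
    import sys
    # Assumed usage: python3 relay_probe.py <pi-hole-ip>  (defaults to localhost)
    print(probe_resolver(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A client in the exempted group should see "answered" for both names, while clients in the default group should see "blocked".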