iCloud Private Relay problems

I have Pi-hole v5.17.1 (docker version), FTL v5.23 and Web Interface v5.20.1.

One of my users is using iCloud Private Relay (basically, this it is an Apple's implementation of oDoH (Oblivious DNS over HTTPS), meaning that iDevices are using an Apple's proxy server (relay) to avoid the destination DNS server knowing who is sending which DNS requests).

What I did?

sudo docker exec -it pihole bash
nano /etc/dnsmasq.d/02-NXDOMAIN.conf

In that file I added:


And then restarted FTL: sudo service pihole-FTL restart.

Now, the problem is, that iDevices are still saying, that iCloud Private Relay is not working. Is there any option to block them in a way, that iPhones will not be complaining about that?

You can either have iCloud's relaying or Pi-hole's filtering.

Pi-hole is already signaling its clients to switch off iCloud in its presence, providing the recommended answers for the domains by default (so it isn't necessary to manually configure them like you tried to).

Pi-hole's behaviour can be controlled via the BLOCK_ICLOUD_PR setting in pihole-FTL's configuration.

Note that if you'd switch that to false, clients using Apple's iCloud Private Relay would always by-pass Pi-hole.

So if I understand - if I set BLOCK_ICLOUD_PR to false, PiHole filtering will be working for all devices, except iDevices (and iDevices won't complaing about iCloud relay not working)?

Generally yes. The iDevices will use Pi-hole if you have iCloud Private Relay disabled on an individual device. If you enable iCloud PR on a device, that device will use it and won't use Pi-hole for DNS.

You will need to decide for yourself if you would rather have ad-blocking via Pi-hole or some anonymity gained through iCloud PR.

Pi-hole already does this through an FTL setting.


Note that the Apple implementation of blocking iCloud PR calls for a response of NXDOMAIN to the two canary domains.


But if this is just about the "SpecificNetwork isn't compatible with iCloud Private Relay" message being annoying: That could also be avoided by turning it off for that SpecificNetwork:

Private Relay can be turned off for a specific network using the Limit IP Address Tracking setting.*

  • If you turn off Private Relay for a specific network, the setting for that network applies to all of your devices for which Private Relay is turned on.
  • If you regularly switch between multiple network configurations (such as Dual SIM or Wi-Fi and Ethernet), make sure that this setting is set for each network independently.

(sourced from Apple's support pages on managing iCloud Private Relay)

Thanks a lot for these clarifications.

Is it possible to create a special group (in PiHole) that will not block iCloud Private Relay (while default settings for default group will perform blocking)?

Why would you want to do that?
Doesn't disabling BLOCK_ICLOUD_PR already achieve what you want?

Yes, but let's suppose you have two iDevices - for one you would like to enable iCloudPR blocking, for other not.

If I understand, BLOCK_ICLOUD_PR works globally, and not per devices.

1 Like

This will be added by

allowing you to put the respective domains on your whitelist. When you apply them only to one group this effectively disables the special handling for this group while it stays intact for the rest or your network. Please run

pihole checkout ftl tweak/special_domains_prio_v5

and check if adding


and then assigning them to the group you want the feature being disabled for does what you want.

When this is working well, we can include it in the next FTL release which is scheduled rather soonish.

1 Like

4 posts were split to a new topic: How to allow clients using Apple's Private Relay to use Pi-hole?