iCloud Private Relay problems

I have Pi-hole v5.17.1 (docker version), FTL v5.23 and Web Interface v5.20.1.

One of my users is using iCloud Private Relay (basically, this is Apple's implementation of oDoH (Oblivious DNS over HTTPS), meaning that iDevices use an Apple proxy server (relay) so that the destination DNS server does not know who is sending which DNS requests).

What did I do?

sudo docker exec -it pihole bash
nano /etc/dnsmasq.d/02-NXDOMAIN.conf

In that file I added:

server=/mask.icloud.com/
server=/mask-h2.icloud.com/

And then restarted FTL: sudo service pihole-FTL restart.

Now the problem is that iDevices are still saying that iCloud Private Relay is not working. Is there any option to block them in a way that iPhones will not complain about it?

You can either have iCloud's relaying or Pi-hole's filtering.

Pi-hole is already signaling its clients to switch off iCloud in its presence, providing the recommended answers for the domains by default (so it isn't necessary to manually configure them like you tried to).

Pi-hole's behaviour can be controlled via the BLOCK_ICLOUD_PR setting in pihole-FTL's configuration.

Note that if you'd switch that to false, clients using Apple's iCloud Private Relay would always bypass Pi-hole.

So if I understand - if I set BLOCK_ICLOUD_PR to false, PiHole filtering will be working for all devices, except iDevices (and iDevices won't complain about iCloud relay not working)?

Generally yes. The iDevices will use Pi-hole if you have iCloud Private Relay disabled on an individual device. If you enable iCloud PR on a device, that device will use it and won't use Pi-hole for DNS.

You will need to decide for yourself if you would rather have ad-blocking via Pi-hole or some anonymity gained through iCloud PR.

Pi-hole already does this through an FTL setting.

https://docs.pi-hole.net/ftldns/configfile/#icloud_private_relay

Note that the Apple implementation of blocking iCloud PR calls for a response of NXDOMAIN to the two canary domains.
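A way to verify that point from the resolver's side, as an added example (not code from Pi-hole or from anyone in this thread): the script below builds a raw DNS query for one of the two canary domains, parses the reply header and reports whether the RCODE is NXDOMAIN (3), which is the answer Apple expects when a network opts out of Private Relay. The two sample replies are constructed inline so the check runs offline; `query_resolver` is the same check sent over UDP to a resolver address you supply (the resolver IP and the 192.0.2.10 answer address are assumptions, not values from the thread).

```python
"""Check whether a resolver answers Apple's Private Relay canary domains with NXDOMAIN."""
import socket
import struct

# The two canary domains named in the thread.
CANARY_DOMAINS = ("mask.icloud.com", "mask-h2.icloud.com")
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
NXDOMAIN = 3


def build_query(domain: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: header (RD set), one question, type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_rcode(response: bytes, expected_txid: int) -> int:
    """Return the RCODE from a DNS response header after basic sanity checks."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (reply does not belong to our query)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return flags & 0x000F


def canary_verdict(response: bytes, expected_txid: int) -> str:
    """Translate the RCODE into what it means for Private Relay on this network."""
    rcode = parse_rcode(response, expected_txid)
    name = RCODE_NAMES.get(rcode, f"RCODE{rcode}")
    if rcode == NXDOMAIN:
        return f"{name}: resolver signals Private Relay off for this network"
    return f"{name}: canary resolves, so Private Relay stays on and bypasses the resolver"


def query_resolver(domain: str, resolver_ip: str, timeout: float = 2.0) -> str:
    """Send the canary query over UDP/53 to resolver_ip and return the verdict.
    Network-dependent; resolver_ip is an assumption supplied by the caller."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return canary_verdict(data, txid)


def fake_nxdomain_reply(query: bytes) -> bytes:
    """Constructed sample reply: same txid and question, QR+RD+RA set, RCODE=3."""
    flags = struct.pack("!H", 0x8183)
    return query[:2] + flags + struct.pack("!HHHH", 1, 0, 0, 0) + query[12:]


def fake_noerror_reply(query: bytes) -> bytes:
    """Constructed sample reply: RCODE=0 with one A record (192.0.2.10, a documentation address)."""
    flags = struct.pack("!H", 0x8180)
    # Answer: name pointer to offset 12, type A, class IN, TTL 60, 4-byte address.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
    return query[:2] + flags + struct.pack("!HHHH", 1, 1, 0, 0) + query[12:] + answer


if __name__ == "__main__":
    # Offline demonstration against the constructed replies.
    for domain in CANARY_DOMAINS:
        q = build_query(domain)
        print(domain, "->", canary_verdict(fake_nxdomain_reply(q), 0x1234))
        print(domain, "->", canary_verdict(fake_noerror_reply(q), 0x1234))
```

Against a live Pi-hole with BLOCK_ICLOUD_PR at its default, `query_resolver("mask.icloud.com", "<pi-hole-ip>")` should report NXDOMAIN; a NOERROR answer means the resolver is letting the canary through and Private Relay will stay active on devices that have it enabled.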

Yes.

But if this is just about the "SpecificNetwork isn't compatible with iCloud Private Relay" message being annoying: That could also be avoided by turning it off for that SpecificNetwork:

Private Relay can be turned off for a specific network using the Limit IP Address Tracking setting.

  • If you turn off Private Relay for a specific network, the setting for that network applies to all of your devices for which Private Relay is turned on.
  • If you regularly switch between multiple network configurations (such as Dual SIM or Wi-Fi and Ethernet), make sure that this setting is set for each network independently.

(sourced from Apple's support pages on managing iCloud Private Relay)

Thanks a lot for these clarifications.

Is it possible to create a special group (in PiHole) that will not block iCloud Private Relay (while default settings for default group will perform blocking)?

Why would you want to do that?
Doesn't disabling BLOCK_ICLOUD_PR already achieve what you want?

Yes, but let's suppose you have two iDevices - for one you would like to enable iCloudPR blocking, for the other not.

If I understand, BLOCK_ICLOUD_PR works globally, and not per devices.


This will be added by

allowing you to put the respective domains on your whitelist. When you apply them only to one group, this effectively disables the special handling for this group while it stays intact for the rest of your network. Please run

pihole checkout ftl tweak/special_domains_prio_v5

and check if adding

mask.icloud.com
mask-h2.icloud.com

and then assigning them to the group you want the feature disabled for does what you want.

When this is working well, we can include it in the next FTL release which is scheduled rather soonish.

