My understanding is that iCloud Private Relay should be prevented from being enabled on the network with recent Pi-hole updates. In other words, I should get a …is not supported on this network… error message, and the iPhone should not be able to circumvent Pi-hole.
Actual Behaviour:
I am able to enable “Limit IP Address Tracking” on my iPhone WiFi settings. With this enabled, advertisements are not being blocked on the iPhone. As soon as this setting is disabled, advertisements are blocked again. When looking at the Query log, I do see these other Apple domains appearing at the time of enabling this setting:
mask-canary.icloud.com
captive.apple.com
captive.g.aaplimg.com
canary.mask.apple-dns.net
I am seeing the same thing as OP. I have been tinkering with getting Pi-hole to block Private Relay and noticed it was working for all users except my devices running iOS 15.3 betas.
The GitHub repo did update the "pr2.txt" list to include the two additional reported canary domains.
I will say we have to be careful with "mask.apple-dns.net". I believe the base domain "apple-dns.net" is used for some critical services like FaceTime and iMessage so we only want to block the FQDN.
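To make the caveat in the reply above concrete, here is an added example (not code from the thread or from Pi-hole itself) that simulates two blocking styles against the domains seen in the query log. It assumes Pi-hole's usual semantics: a plain blocklist entry matches only the exact queried name, and a regex entry is tested with `re.search` against the queried name, with `(\.|^)example\.com$` being the documented way to block a domain and all of its subdomains. The hostnames `mask.icloud.com` and `mask-h2.icloud.com` are not on this page; they are the Private Relay names Apple's own guidance lists, included here as an assumption. `example-service.apple-dns.net` is a constructed stand-in for an unrelated service host under `apple-dns.net`, since the page names none.

```python
import re

# Domains observed in the query log of the original post when
# "Limit IP Address Tracking" was turned on.
OBSERVED_QUERIES = [
    "mask-canary.icloud.com",
    "captive.apple.com",
    "captive.g.aaplimg.com",
    "canary.mask.apple-dns.net",
]

# Constructed stand-in for some other Apple service host that happens to live
# under apple-dns.net (the page does not name the real ones).
UNRELATED_APPLE_DNS_HOST = "example-service.apple-dns.net"

# Exact-FQDN block entries. mask.icloud.com / mask-h2.icloud.com are assumed
# from Apple's published Private Relay guidance, not from this thread.
EXACT_BLOCK = {
    "mask.icloud.com",
    "mask-h2.icloud.com",
    "mask-canary.icloud.com",
    "canary.mask.apple-dns.net",
}

# Assumed Pi-hole regex semantics: re.search against the queried name.
# The broad rule is the "whole base domain" approach the reply warns against;
# the narrow rule is scoped to mask.apple-dns.net and its subdomains only.
BROAD_REGEX = [re.compile(r"(\.|^)apple-dns\.net$")]
NARROW_REGEX = [re.compile(r"(\.|^)mask\.apple-dns\.net$")]


def matching_rule(domain, exact_block, regex_rules):
    """Return the rule that blocks `domain`, or None if it would be resolved.

    Exact entries are checked first (cheap set lookup, case-insensitive),
    then each regex in order; the first hit wins, mirroring a blocklist that
    stops at the first match.
    """
    name = domain.rstrip(".").lower()
    if name in exact_block:
        return f"exact:{name}"
    for rule in regex_rules:
        if rule.search(name):
            return f"regex:{rule.pattern}"
    return None


def is_blocked(domain, exact_block, regex_rules):
    return matching_rule(domain, exact_block, regex_rules) is not None


def collateral_damage(domains, exact_block, regex_rules, intended):
    """List the domains a rule set blocks that are NOT in the intended set.

    This is the check to run before adding a wildcard: anything it returns
    is a service you would break that has nothing to do with Private Relay.
    """
    return sorted(
        d for d in domains
        if d not in intended and is_blocked(d, exact_block, regex_rules)
    )


def audit(regex_rules):
    """Map every probe domain to the rule that blocks it (or None)."""
    probes = OBSERVED_QUERIES + [UNRELATED_APPLE_DNS_HOST]
    return {d: matching_rule(d, EXACT_BLOCK, regex_rules) for d in probes}


if __name__ == "__main__":
    for label, rules in (("broad", BROAD_REGEX), ("narrow", NARROW_REGEX)):
        print(f"--- {label} regex ---")
        for domain, rule in audit(rules).items():
            print(f"{domain:32s} {'BLOCKED by ' + rule if rule else 'resolved'}")
        print("collateral:", collateral_damage(
            OBSERVED_QUERIES + [UNRELATED_APPLE_DNS_HOST],
            EXACT_BLOCK, rules, EXACT_BLOCK))
```

Run it and the broad rule shows the problem: it blocks the canary name, but it also blocks the unrelated `apple-dns.net` host, which is exactly the kind of breakage the reply is worried about. The narrow rule (or simply the exact-FQDN entries on their own) blocks the two canary names while leaving `captive.apple.com`, `captive.g.aaplimg.com` and the unrelated host resolvable. Whichever you pick, keep the captive-portal check hosts out of the list; blocking those makes Wi-Fi joins misbehave without affecting Private Relay.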