“Limit IP Address Tracking” setting on iOS circumvents ad-blocking

Expected Behaviour:

My understanding is that iCloud Private Relay should be prevented from being enabled on the network with recent Pi-hole updates. In other words, I should get a …is not supported on this network… error message, and the iPhone should not be able to circumvent Pi-hole.

Actual Behaviour:

I am able to enable “Limit IP Address Tracking” on my iPhone WiFi settings. With this enabled, advertisements are not being blocked on the iPhone. As soon as this setting is disabled, advertisements are blocked again. When looking at the Query log, I do see these other Apple domains appearing at the time of enabling this setting:
mask-canary.icloud.com
captive.apple.com
captive.g.aaplimg.com
canary.mask.apple-dns.net

Also Note: I am on iOS 15.3 Public Beta 2.

Debug Token:

DNS 1 (Synology docker): https://tricorder.pi-hole.net/YkUkjkiP/
DNS 2 (pi zero w): https://tricorder.pi-hole.net/KXe3eXuM/

What DNS Servers is the iPhone using?

Since I’m using Pi-hole as DHCP server, it is using 192.168.1.250 and 192.168.1.251 (which I added through the config files).

I am seeing the same thing as OP. I have been tinkering with getting Pi-hole to block Private Relay and noticed it was working for all users except my devices running iOS 15.3 betas.

Stumbled upon someone else who'd made a series of block lists (GitHub - Rogacz/private-relay: Domains list to block private relay for pi-hole) which I added in a desperate attempt. Noticed the new usage of "canary" domains which is similar to Google's nomenclature for those early releases.

Blocked canary.mask.apple-dns.net and mask-canary.icloud.com and now Private Relay is blocked for iOS 15.3 also.

I opened iOS Beta May Use Additional Domain · Issue #1 · Rogacz/private-relay · GitHub to have these two domains added to his lists.


Maybe they changed/added the domains you reported in that GitHub repo in the current iOS beta:

mask-canary.icloud.com
mask.apple-dns.net
canary.mask.apple-dns.net

We should watch the development closely; as soon as we get an official announcement, we can add them to the internal default blocking.


The GitHub repo did update the "pr2.txt" list to include the two additional reported canary domains.

I will say we have to be careful with "mask.apple-dns.net". I believe the base domain "apple-dns.net" is used for some critical services like FaceTime and iMessage so we only want to block the FQDN.
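The two points raised in this thread, blocking the newly observed canary FQDNs and not taking the whole apple-dns.net base domain down with them, come down to the difference between an exact-domain entry and a regex entry in a blocklist: a plain Pi-hole domain entry matches that FQDN only, while a regex entry can cover a base domain and every subdomain under it. The following is an added example written for this thread, not code from Pi-hole or from the Rogacz/private-relay repository. It takes the three canary domains named above as the exact blocklist, runs a constructed set of queried names through both strategies, and reports the collateral damage a base-domain regex would cause. `other-service.apple-dns.net` is a constructed placeholder name, not a domain from the thread; `EXACT_BLOCKLIST`, `BASE_DOMAIN_REGEX` and the function names are this example's own.

```python
import re

# Exact FQDNs reported in the thread as needed for iOS 15.3 beta devices.
EXACT_BLOCKLIST = {
    "mask-canary.icloud.com",
    "mask.apple-dns.net",
    "canary.mask.apple-dns.net",
}

# A Pi-hole style regex that blocks the base domain and all of its subdomains.
# Included only to show what would happen if someone blocked the base domain
# instead of the individual FQDNs.
BASE_DOMAIN_REGEX = [r"(\.|^)apple-dns\.net$"]

# Constructed sample of queried names, not taken from the debug tokens above.
# The captive.* names appeared in the query log but were not blocked by the
# posters; "other-service.apple-dns.net" is a placeholder standing in for any
# unrelated service that happens to live under the same base domain.
SAMPLE_QUERIES = [
    "mask-canary.icloud.com",
    "canary.mask.apple-dns.net",
    "mask.apple-dns.net",
    "captive.apple.com",
    "captive.g.aaplimg.com",
    "other-service.apple-dns.net",
    "apple-dns.net",
]


def normalize(name):
    """Lower-case the name and strip a trailing dot so lookups are canonical."""
    return name.strip().lower().rstrip(".")


def exact_blocked(name, blocklist=EXACT_BLOCKLIST):
    """True only when the full, normalized FQDN is in the exact blocklist."""
    canon = {normalize(b) for b in blocklist}
    return normalize(name) in canon


def regex_blocked(name, patterns=BASE_DOMAIN_REGEX):
    """True when any regex entry matches the normalized name."""
    canon = normalize(name)
    return any(re.search(p, canon) for p in patterns)


def classify(queries, blocklist=EXACT_BLOCKLIST, patterns=BASE_DOMAIN_REGEX):
    """Map each queried name to the verdict of both strategies."""
    verdicts = {}
    for q in queries:
        exact = exact_blocked(q, blocklist)
        regex = regex_blocked(q, patterns)
        if exact:
            verdicts[q] = "blocked-exact"
        elif regex:
            verdicts[q] = "blocked-regex-only"
        else:
            verdicts[q] = "allowed"
    return verdicts


def collateral(queries, blocklist=EXACT_BLOCKLIST, patterns=BASE_DOMAIN_REGEX):
    """Names the base-domain regex would block that the exact list leaves alone."""
    return sorted(
        q for q in queries
        if regex_blocked(q, patterns) and not exact_blocked(q, blocklist)
    )


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_QUERIES).items():
        print(f"{name:32} {verdict}")
    print("collateral from base-domain regex:", collateral(SAMPLE_QUERIES))
```

The exact list blocks only the three canary FQDNs and leaves the captive-portal names and every other apple-dns.net subdomain alone, which is the behaviour the post above asks for. The base-domain regex additionally catches the bare base domain and the placeholder sibling service, which is exactly the collateral the warning about FaceTime and iMessage is pointing at.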
