The issue I am facing:
Maybe another Apple Private Relay domain, which keeps showing up in the query log as blocked, even though I'm not using iCloud at all.
“mask-api.icloud.com”
Details about my system:
Raspberry 4b+
What I have changed since installing Pi-hole:
Upgraded from pihole v5 to pihole v6
What is the output of the following from the Pi terminal:
pihole -q mask-api.icloud.com
API not available. Please check connectivity
That's a problem on your Pi-hole install. The command is checking to see if that domain is contained in the gravity database. On my install, the output is:
pihole -q mask-api.icloud.com
[i] No results found for mask-api.icloud.com within the adlists
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
pihole -d
or do it through the Web interface:
Tools > Generate Debug Log
Edit - and please post the output of the following command from the Pi terminal:
sudo grep mask-api.icloud.com /var/log/pihole/pihole.log | tail -n15
Understand I block all thing related to iCloud, given I have no use for the product, but this domain showing up regularly in the query log, and think it maybe it's part of the Apple private relay setup. Just for a month, 2,399 entries.
pi@raspberrypi:~ $ sudo grep mask-api.icloud.com /var/log/pihole/pihole.log | tail -n15
May 29 00:29:41 dnsmasq[2740513]: query[A] mask-api.icloud.com from 10.10.10.228
May 29 00:29:41 dnsmasq[2740513]: gravity blocked mask-api.icloud.com is 0.0.0.0
May 29 00:30:42 dnsmasq[2740513]: query[A] mask-api.icloud.com from 10.10.10.228
May 29 00:30:42 dnsmasq[2740513]: gravity blocked mask-api.icloud.com is 0.0.0.0
May 29 00:37:42 dnsmasq[2740513]: query[A] mask-api.icloud.com from 10.10.10.228
May 29 00:37:42 dnsmasq[2740513]: gravity blocked mask-api.icloud.com is 0.0.0.0
May 29 00:38:45 dnsmasq[2740513]: query[A] mask-api.icloud.com from 10.10.10.228
May 29 00:38:45 dnsmasq[2740513]: gravity blocked mask-api.icloud.com is 0.0.0.0
May 29 00:40:46 dnsmasq[2740513]: query[A] mask-api.icloud.com from 10.10.10.228
May 29 00:40:46 dnsmasq[2740513]: gravity blocked mask-api.icloud.com is 0.0.0.0
May 29 00:44:47 dnsmasq[2740513]: query[A] mask-api.icloud.com from 10.10.10.228
May 29 00:44:47 dnsmasq[2740513]: gravity blocked mask-api.icloud.com is 0.0.0.0
May 29 00:52:47 dnsmasq[2740513]: query[A] mask-api.icloud.com from 10.10.10.228
May 29 00:52:47 dnsmasq[2740513]: gravity blocked mask-api.icloud.com is 0.0.0.0
The Apple documentation we followed to block iCloud PR does not show this as one of the Private Relay domains.
But, in this other Apple listing, it is listed as one of the PR domains:
Note that when we block the iCloud PR domains (the ones currently specified by Apple), we provide the NXDOMAIN reply, not a NULL reply. This signals the Apple software not to use iCloud PR.
To the best of my knowledge, blocking the two PR domains we currently block will disable iCloud PR for Apple clients.
In your specific case, the domain mask-api.icloud.com has the NULL reply because you have specifically blocked iCloud domains with a local blacklist entry.
This request is coming from the iMac macOS itself, even though I have no Apple account.
This regex is what catch this domain.
^(.+[_.])?icloud[_.-]
This is expected. You are running an Apple OS on that device.
I didn't know if you were aware of this domain itself.
Just curious - if you don't want Apple software to make queries, and you don't have an Apple account, why run MacOS? Why not install Linux on that box?
This Apple computer is roughly 5 years old, and runs like gold, besides nice GUI, I have VirtualBox, and use that for private things. iCloud is so invasive in terms of privacy, what Apple says, take it with a grain of salt.
I have never trusted any cloud services more so than Apple, Google, similar vein. Just remember, any data you upload too, is not your property, but the services provider of the cloud.
Both Apple and Google have locked users out of their account's, over what CSAM may find or intrepid what it perceives on any users devices. Linux will not solve this form of privacy issues as A.I. CSAM spreads to other mobile devices.
P.S thanks for your help.
https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.