New to Pi Hole why is mask.icloud.com blocked as standard?

Hello,
I have just installed Pi-Hole on my Raspberry RPi 4 B.

It is not a dedicated system; the other main role of this system is to act as an FTP server.
Apart from the Raspberry environment all other systems and devices in the house are 100% Apple.

To the best of my knowledge, my account is not configured to use Private Relay, but this TOP blocked domain is apparently linked with that service..... so what is happening...

Any ideas???

Thx

JohnW

Pi-hole is blocking that domain by default to prevent clients from bypassing Pi-hole via Apple's iCloud Private Relay, see also Configuration - Pi-hole documentation.

Pi-hole does not initiate those DNS requests, it only answers them and makes them visible as your clients are sending them.

Why your devices would request resolution of that special domain if they presumably are not using Private Relay would be a question for the manufacturer or software developer of the device or software sending those requests.

Hello,

Firstly, thank you for your response; I fully understand your very diplomatic reply.

I did find the document referred to in your link a little over my "pay grade", so if there is another, less technical response in some other doc I would appreciate it. Thanks.

Again Thank You for taking the time on this

Thank You

JohnW

Hello,

I have had a serious discussion via the Apple Forum on this subject of blocking Apple servers, and the significant advice is not to do it as it could break other services I am using.

So for the time being, please advise on how I whitelist the mask.icloud.com domain.

Thanks


Add BLOCK_ICLOUD_PR=false to /etc/pihole/pihole-FTL.conf and restart pihole-FTL (sudo service pihole-FTL restart); see the documentation.

Of course, Apple will advise you to use their DNS service, so they can get info about what it is you're doing with your devices and build a profile (bye bye privacy). It's easy to claim things won't work if you don't; fear of that is almost always pretty convincing...

Read this topic, where things are explained, including the screenshots of the dialogs you'll be getting, if blocked, and the choices you need to make to avoid having problems.

iCloud Private Relay is basically Apple's implementation of oDoH (Oblivious DNS over HTTPS); the idea is you'll be using a proxy server (relay) to avoid the destination (DoH server) knowing who the request is coming from. It would be nice if the relays were not managed by Apple, so that Apple could not collect the info anyway.

Be aware that by enabling iCloud Private Relay with the above setting, the devices will no longer be using Pi-hole, thus everything will be allowed, regardless of the blocklists you have.

Also read this Pi-hole documentation, here (unbound), where DL6ER explains why unbound is the best choice to get the most out of Pi-hole from a privacy point of view.

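The toggle described in the reply above, as an added shell example that is not Pi-hole project code: two helpers that read and set BLOCK_ICLOUD_PR in a pihole-FTL.conf file given as a parameter, so they can be tried on a scratch copy before touching /etc/pihole/pihole-FTL.conf as root. When the key is absent the reported state is true, matching Pi-hole's default of blocking the relay domains; FTL still has to be restarted for a change to take effect, as the reply says.

```shell
#!/bin/sh
# Added example (not Pi-hole project code): inspect and toggle the
# BLOCK_ICLOUD_PR setting in a pihole-FTL.conf file. The file path is a
# parameter so the functions can be exercised on a scratch copy; Pi-hole's
# live file is /etc/pihole/pihole-FTL.conf and editing it needs root.

# Print the effective BLOCK_ICLOUD_PR value ("true" or "false").
# When the key is absent Pi-hole's default is true (relay blocked); only an
# explicit false (any letter case) is reported as false. If the key appears
# more than once, the first assignment is reported.
icloud_pr_block_state() {
    conf="$1"
    val=$(grep -E '^[[:space:]]*BLOCK_ICLOUD_PR[[:space:]]*=' "$conf" 2>/dev/null \
          | head -n 1 | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    case "$val" in
        [Ff][Aa][Ll][Ss][Ee]) echo false ;;
        *)                    echo true ;;
    esac
}

# Set BLOCK_ICLOUD_PR=<true|false>. Every existing assignment is dropped and
# exactly one new line appended, so no stale duplicate survives. Writes via a
# temp file because "sed -i" differs between GNU and BSD sed.
set_icloud_pr_block() {
    conf="$1"
    value="$2"
    case "$value" in
        true|false) ;;
        *) echo "set_icloud_pr_block: value must be true or false" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || : > "$conf"
    # grep -v exits 1 when nothing is left, which is not an error here
    { grep -vE '^[[:space:]]*BLOCK_ICLOUD_PR[[:space:]]*=' "$conf" || :; } > "$conf.tmp"
    printf 'BLOCK_ICLOUD_PR=%s\n' "$value" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Usage on a real Pi-hole (as root), then restart FTL so the change applies:
#   set_icloud_pr_block /etc/pihole/pihole-FTL.conf false
#   service pihole-FTL restart
#   icloud_pr_block_state /etc/pihole/pihole-FTL.conf
```

Setting the value back to true (or deleting the line) restores the default block; the reply further down the thread describes what to look for in the query log once the value is false.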

Note that we are following the Apple guidance for blocking iCloud Private Relay:

That is not quite the case.

Hello,

Thank you for this information I have implemented that and I wait with anticipation to see how this works now.

Can I just clear something up here: my Apple account is set up NOT to use Private Relay..... Apparently why the Apple systems are interrogating mask.icloud.com is not 100% understood, but it may be that they are doing this to determine my account setting; it is then that they determine that my account is valid and eligible to use the facility, but I have it switched off.

So let's see???

JohnW


I only have occasional access to Apple devices, so I'm not really sure; however, reading this article indicates it is something you need to enable/disable on the devices (the article has zero hits on the word 'account'), read here.

Interesting..
First time I have noticed that it can be set differently on each of the devices you have. I am sure it never used to be that way.

To turn Private Relay on or off you need to get to your iCloud settings and the only way you can do that is via the link to your account....

But I have rechecked my devices and they are all set as Private Relay OFF.

But thanks for the heads up on the info.

So I have enabled iCloud access within Pi-hole, but I do not use Private Relay, so what should I look for to see if there are still issues?

Thank You

JohnW

Once you have changed the setting (false), you might still see entries in the Pi-hole query log for mask.icloud.com and mask-h2.icloud.com, reply, not blocked. A dig for these domains should return a (lot?) of IP addresses (regional differences).
You'll probably notice things that used to be blocked (ads) are now showing (Pi-hole is no longer used after the initial lookup for the Apple relay info).
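A way to check the answer the reply above describes without reading through the query log, as an added example that is not part of the original thread: a shell function that reads dig output and reports whether the relay domain was blocked or allowed. A blocked name shows up either as a negative NXDOMAIN answer (what Apple's guidance asks network operators to return for mask.icloud.com and mask-h2.icloud.com) or as a null 0.0.0.0/:: address (how a gravity-listed name such as metrics.icloud.com appears in Pi-hole's default blocking mode); an allowed name shows up with real addresses. The resolver address 192.168.1.2 in the usage line and the transcripts in the test are constructed.

```shell
#!/bin/sh
# Added example (not Pi-hole project code): classify the answer a resolver
# gives for the iCloud Private Relay domains. Reads "dig" output on stdin so
# it can be fed live output or a saved transcript.
relay_answer_state() {
    awk '
        # dig header: ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ..."
        /->>HEADER<<-/ && /status: NXDOMAIN/ { nx = 1 }
        # answer records look like "<name> <ttl> IN A|AAAA <address>";
        # lines starting with ";" are dig comments and the question section
        !/^;/ && $3 == "IN" && ($4 == "A" || $4 == "AAAA") {
            if ($5 == "0.0.0.0" || $5 == "::") nullrec++; else real++
        }
        END {
            if (nx)            print "blocked: NXDOMAIN"
            else if (real > 0) print "allowed: " real " address(es)"
            else if (nullrec)  print "blocked: null address"
            else               print "no answer"
        }'
}

# Query a resolver directly and classify. Short timeout so a dead resolver
# does not hang the check.
check_relay_domain() {
    resolver="$1"   # e.g. 192.168.1.2 (hypothetical Pi-hole address)
    domain="$2"     # mask.icloud.com or mask-h2.icloud.com
    dig @"$resolver" "$domain" A +time=2 +tries=1 | relay_answer_state
}

# Usage (resolver address is an assumption; use your Pi-hole's IP):
#   check_relay_domain 192.168.1.2 mask.icloud.com
#   check_relay_domain 192.168.1.2 mask-h2.icloud.com
#   check_relay_domain 192.168.1.2 metrics.icloud.com
```

Run the check against the Pi-hole address both before and after changing BLOCK_ICLOUD_PR: a result that stays "blocked" after setting false and restarting FTL points at a gravity list entry rather than the relay setting, which is what the metrics.icloud.com question later in this thread turns out to be.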

OK,

Question: if I have set the block iCloud setting to (false), why is Pi-hole still blocking access to metrics.icloud???

Thanks
JohnW


Because this domain appears in your gravity list. From the Pi terminal, what is the output of the following command:

pihole -q metrics.icloud

Just as a data point, metrics.icloud.com is on my blocklist from StevenBlack/hosts/master/hosts; it is also one of my top 10 blocked domains. I have several Apple devices (phones, tablets, TV devices, etc.). Despite this domain block, I have no adverse effects using any of my Apple devices.

My uneducated speculation is this domain is used to collect...metrics...for Apple that are not otherwise needed for correct function of the devices. This domain has always been blocked in my use of PiHole over several years, and has never caused an apparent problem with my usage.

The Private Relay setting is another matter entirely; it is a relatively recent addition to Apple products, whereas I believe metrics.icloud.com has been around for much longer.

That has been my experience as well.

Hello,

This is the output as requested.

Match found in https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts:
metrics.icloud.com

Based on what the 2 other Apple users of your solution are saying in regard to this, let's leave it as is for now; if it has been there since before Private Relay, as has been indicated, then this will not be an issue.

Thanks for your assistance

JohnW

Thank you for the info, it is reassuring. Do you use Private Relay? Have you made the change to allow this domain access to work?

Hope you do not mind me asking.

Thanks

JohnW

OK, thanks. It would be interesting to note whether we have similar configs in regard to how we individually deal with Private Relay access whilst using Pi-hole.

Thanks

JohnW

We are primarily an Apple household.

I have Private Relay blocked as the default and also block metrics.icloud.com. I experience no ill effects on any of my devices.

I use Private Relay outside the house and Pi-hole inside our home network. Other than the initial pop-up saying our home network isn't compatible with Private Relay, the experience is seamless.

I suspect you'll be fine to leave them blocked.


Thank you very much for the info

Thank You
John Williams

For me, the only impact I've ever seen is trying to view embedded images in some web-client emails (outlook.com in particular, but not all). In these cases, the images would not load unless I used the BLOCK_ICLOUD_PR=false line in pihole-FTL.conf. There may be other ways around the specific case I encountered, but that was my observation.

For what it's worth, I've reverted to the default Pi-hole behavior of blocking the Private Relay function, and the devices themselves are set to use Private Relay when they can (i.e. when Pi-hole is not in use).