Hello,
I have just installed Pi-Hole on my Raspberry RPi 4 B.
It is not a dedicated system; the other main role of this system is to act as an FTP server.
Apart from the Raspberry environment all other systems and devices in the house are 100% Apple.
To the best of my knowledge, my account is not configured to use Private Relay, but this TOP blocked domain is apparently linked with that service... so what is happening?
Pi-hole is blocking that domain by default to prevent clients from bypassing Pi-hole via Apple's iCloud Private Relay; see also Configuration - Pi-hole documentation.
Pi-hole does not initiate those DNS requests, it only answers them and makes them visible as your clients are sending them.
Why your devices would request resolution of that special domain if they presumably are not using Private Relay would be a question for the manufacturer or software developer of the device or software sending those requests.
Firstly, thank you for your response; I fully understand your very diplomatic reply.
I did find the document referred to in your link a little over my "pay grade", so if there is another less technical response in some other doc I would appreciate it. Thanks.
I have had a serious discussion via the Apple Forum on this subject of blocking Apple servers, and the significant advice is not to do it, as it could break other services I am using.
So for the time being, please advise on how I whitelist the mask.icloud.com domain.
Add BLOCK_ICLOUD_PR=false to /etc/pihole/pihole-FTL.conf and restart pihole-FTL (sudo service pihole-FTL restart); see the documentation.
Of course, Apple will advise you to use their DNS service, so they can get info about what it is you're doing with your devices, and build a profile (bye bye privacy). It's easy to claim things won't work if you don't, fear of that is almost always pretty convincing...
Read this topic, where things are explained, including the screenshots of the dialogs you'll be getting, if blocked, and the choices you need to make to avoid having problems.
iCloud Private Relay is basically Apple's implementation of oDoH (Oblivious DNS over HTTPS), the idea is you'll be using a proxy server (relay) to avoid the destination (DoH server) knowing who the request is coming from. Would be nice, if the relays would not be managed by Apple, thus not being able to collect the info anyway.
Be aware, by enabling iCloud Private Relay with the above setting, the devices will no longer be using pihole, thus everything will be allowed, regardless of the blocklists you have.
Also read this pihole documentation, here (unbound), where DL6ER explains why unbound is the best choice to get the most out of pihole, from a privacy point of view.
Thank you for this information. I have implemented that and I wait with anticipation to see how this works now.
Can I just clear something up here: my Apple Account is set up NOT to use Private Relay. Apparently, why the Apple systems are interrogating mask.icloud.com is not 100% understood, but it may be that they are doing this to determine my account setting; it is then that they determine that my account is valid and eligible to use the facility, but I have it switched off.
I only have occasional access to Apple devices, so I'm not really sure; however, reading this article indicates it is something you need to enable / disable on the devices (the article has zero hits on the word 'account'), read here.
Once you have changed the setting (false), you might still see entries in the pihole query log for mask.icloud.com and mask-h2.icloud.com: reply, not blocked. A dig for these domains should return a lot (?) of IP addresses (regional differences).
You'll probably notice things that used to be blocked (ads) are now showing (pihole no longer used after the initial lookup for the apple relay info).
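The procedure from the earlier reply (set BLOCK_ICLOUD_PR=false in /etc/pihole/pihole-FTL.conf, then restart pihole-FTL) together with the dig check described above, as an added shell example that is not code from the thread or from the Pi-hole project. The file path, the option name and the two relay domains are taken from the thread; the function names, the idempotent edit logic and the check_relay_domains helper (which uses dig +short and treats an empty answer as "blocked") are my own assumptions.

```shell
#!/bin/sh
# Added example, not Pi-hole project code. Path, option name and domains are
# from the thread; the helpers below are assumed/illustrative.
#
# Usage on the Pi (as root):
#   sh relay.sh /etc/pihole/pihole-FTL.conf false   # let Private Relay lookups through
#   sh relay.sh /etc/pihole/pihole-FTL.conf true    # back to the default (block)

# set_ftl_option FILE KEY VALUE
# Rewrites an existing KEY=... line (even a commented-out one) or appends a
# new one, so re-running never leaves duplicate or conflicting lines.
set_ftl_option() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[#[:space:]]*${key}=" "$file"; then
        # GNU sed (Raspberry Pi OS); on BSD/macOS use: sed -i '' -E ...
        sed -i -E "s|^[#[:space:]]*${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_ftl_option FILE KEY
# Prints the current value of KEY, or nothing if it is not set.
get_ftl_option() {
    sed -n -E "s|^${2}=(.*)$|\1|p" "$1" | tail -n 1
}

# check_relay_domains PIHOLE_IP
# Queries the two Private Relay domains through Pi-hole. With the default
# (BLOCK_ICLOUD_PR=true) the domains are blocked and `dig +short` prints
# nothing; after setting false you should see Apple relay addresses instead.
# Needs dnsutils (dig) installed on the machine running the check.
check_relay_domains() {
    server=$1
    for d in mask.icloud.com mask-h2.icloud.com; do
        answer=$(dig +short "$d" @"$server" 2>/dev/null)
        if [ -z "$answer" ]; then
            echo "$d: no answer (blocked by Pi-hole)"
        else
            echo "$d: resolves ->" $answer
        fi
    done
}

# Top-level driver: only runs when called with arguments, so the functions
# can be sourced and exercised without touching a real config file.
if [ $# -ge 2 ]; then
    set_ftl_option "$1" BLOCK_ICLOUD_PR "$2"
    echo "BLOCK_ICLOUD_PR is now: $(get_ftl_option "$1" BLOCK_ICLOUD_PR)"
    service pihole-FTL restart
    sleep 2
    check_relay_domains 127.0.0.1
fi
```

Run the check from a client on the LAN (replace 127.0.0.1 with the Pi's address) to see what the Apple devices see. Keep in mind the caveat from earlier in the thread: once the relay domains resolve, a device with Private Relay enabled sends its DNS through Apple's relay, so those later queries never show up in the Pi-hole log at all.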
Just as a data point, metrics.icloud.com is on my blocklist from StevenBlack/hosts/master/hosts; it is also one of my top 10 blocked domains. I have several Apple devices (phones, tablets, TV devices, etc.). Despite this domain block, I have no adverse effects using any of my Apple devices.
My uneducated speculation is this domain is used to collect...metrics...for Apple that are not otherwise needed for correct function of the devices. This domain has always been blocked in my use of PiHole over several years, and has never caused an apparent problem with my usage.
The Private Relay setting is another matter entirely; it is a relatively recent addition to Apple products, whereas I believe metrics.icloud.com has been around for much longer.
Based on what the 2 other Apple users of your solution are saying in regard to this, let's leave it as is for now; if it has been there since before Private Relay, as has been indicated, then this will not be an issue.
OK, thanks. It would be interesting to note whether we have similar configs in regard to how we individually deal with Private Relay access whilst using Pi-hole.
I have private relay blocked as the default and also block metrics.icloud.com too. I experience no ill effects on any of my devices.
I use private relay outside the house and Pi-hole inside our home network. Other than the initial pop-up saying our home network isn't compatible with private relay, the experience is seamless.
For me, the only impact I've ever seen is trying to view embedded images in some web-client emails (outlook.com in particular, but not all). In these cases, the images would not load unless I used the BLOCK_ICLOUD_PR=false line in pihole-FTL.conf. There may be other ways around the specific case I encountered, but that was my observation.
For what it's worth, I've reverted to the default Pihole behavior of blocking the Private Relay function, and the devices themselves are set to use Private Relay when they can (i.e. when Pihole is not in use).