Pi-hole and Apple devices settings

Hello,
Thanks to all the developers and the community around Pi-hole, it’s an amazing product 🙂

I’m an iCloud+ subscriber, and I’ve turned off iCloud Private Relay (so my devices don’t bypass Pi-hole) in Settings → iCloud → Private Relay.
Even so, some options that could potentially interfere with Pi-hole are still enabled by default on macOS and iOS, specifically in Network Settings, Safari, and Apple Mail.

These are the ones I found on iOS:

Network Settings

Safari

Mail

Since I couldn’t find a comprehensive (and updated) answer on the web, I’d like to ask:

  • How do these settings interfere with Pi-hole? Should I leave them enabled or disabled?
  • Are there any other settings on iOS or macOS (that might interfere with Pi-hole) that I should disable or enable?
  • If I keep some (or all) of these settings enabled, should I also disable dns.specialDomains.iCloudPrivateRelay?

The settings you mentioned (Limit IP Address Tracking, Safari/Mail settings) other than Private Relay should usually not interfere with Pi-hole, so you can leave them enabled.

There is another setting you might want to disable: Wi-Fi → [Network Name] (i) → Private Wi-Fi Address

Disabling it will send the real device name to your DHCP server (and via Bonjour/mDNS) instead of just “iPhone” or “iPad”. Pi-hole will be able to pick it up by either using Pi-hole’s DHCP server or Conditional Forwarding/Reverse DNS. Additionally, this will disable MAC randomization, so your Apple device will not suddenly appear as a new device in the network.

Hi, thank you for your explanation! 🙂

I suspected they might interfere with Pi-hole because I noticed that mask.icloud.com and mask.h2.icloud.com were being blocked by Pi-hole, even though I had disabled iCloud Private Relay.

I also saw some error messages, such as the “Private Relay unavailable” notification and the “Unable to load remote content privately” error in Mail.

Is that normal? And should I disable dns.specialDomains.iCloudPrivateRelay?

Do you think I should disable it entirely, or just choose the fixed option?

The option “Fixed” for “Private Wi-Fi Address” will prevent your iPhone from registering as a whole new device in the network. But “Fixed” will still just send “iPhone” as the hostname. If you wish to see the real hostname, you need to disable it entirely.

The warning “Private Relay unavailable” indicates dns.specialDomains.iCloudPrivateRelay working as intended (as per Prepare your network or web server for iCloud Private Relay - iCloud - Apple Developer). Leaving dns.specialDomains.iCloudPrivateRelay normally does not impact other functionality of your Apple Device, other than Private Relay. The “Unable to load remote content privately” error in Mail is not known to me, but may be related to Private Relay.
In my native Mail application I only see the “Your network settings prevent content from loading privately.” warning, since any externally loaded web content may be a tracker (this also includes most images).

Oh, I see. If the only downside is that, I think I’ll leave it on “Fixed”.

To be more precise, I was seeing the “Private Relay unavailable” warning when I had disabled Private Relay only on my network (not globally). Then I disabled it completely (not just for my home network), and I haven’t seen this specific warning anymore.

However, the mask.icloud.com and mask.h2.icloud.com domains are still present (and blocked) in my Pi-hole query log, even after disabling Private Relay globally. If I understand correctly, that’s the expected behaviour, and I should simply ignore it.

You’re right, I’m sorry, the warning I still see is the one you’re referring to.

Thank you for your patience, you’ve been very clear and helpful. If I understand correctly, the options (in Network Settings, Safari, and Apple Mail) I mentioned in my original post are bypassed by Pi-hole and therefore don’t interfere with it.

So, what am I giving up?
Would it make sense to disable dns.specialDomains.iCloudPrivateRelay and have both these options and Pi-hole enabled? Of course, while keeping the iCloud Private Relay global switch disabled.
