Add a Warning about iCloud private Relay.
BirdInFire opened this issue ยท 11 comments
Hello @paulmillr
It can be interesting to add a warning, that iCloud private relay redirect DNS query AND only DNS query of Safari (for now).
So for those who use it they must continue to install profile for DNS query of other APP and Warning them if they use it with profile of DNS who do Adblock the Adblock capability will not work on safari.
sure
That's incorrect, iCloud Private Relay redirects all DNS requests, all Safari traffic and all HTTP-only traffic, however if encrypted DNS is setup, that will be used for resolution instead of the relay encrypted oblivious DNS.
To protect the privacy of DNS name resolution for all queries sent by the device and prevent such tracking, Private Relay uses Oblivious DNS over HTTPS (ODoH).
If a user has configured custom-encrypted DNS settings using a profile or an app, the DNS server specified will be used instead of ODoH.
Source: https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF
That's incorrect, iCloud Private Relay redirects all DNS requests, all Safari traffic and all HTTP-only traffic, however if encrypted DNS is setup, that will be used for resolution instead of the relay encrypted oblivious DNS.
To protect the privacy of DNS name resolution for all queries sent by the device and prevent such tracking, Private Relay uses Oblivious DNS over HTTPS (ODoH).
If a user has configured custom-encrypted DNS settings using a profile or an app, the DNS server specified will be used instead of ODoH.
Source: https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF
It's technically also incorrect because they only do that if the profile is valid and it will not redirect but only check if they must block it if not they use their so any dns rewrite (instead of NXDOMAIN like 0.0.0.0) will be ignored by default)
if the profile is valid
What do you mean by valid?
it will not redirect but only check if they must block it if not they use their so any dns rewrite (instead of NXDOMAIN like 0.0.0.0) will be ignored by default)
If the user has configured DoH (or a VPN with DNS), all queries go through that server instead of their. It's not like a custom encrypted DNS is used as content filter for their DNS, what makes you say that? Documentation states otherwise.
if the profile is valid
What do you mean by valid?
it will not redirect but only check if they must block it if not they use their so any dns rewrite (instead of NXDOMAIN like 0.0.0.0) will be ignored by default)
If the user has configured DoH (or a VPN with DNS), all queries go through that server instead of their. It's not like a custom encrypted DNS is used as content filter for their DNS, what makes you say that? Documentation states otherwise.
Best way to try use a dns that provides verification like quad9 or dns0.eu with the profile their verification page will never work since Apple only use them to verify if the domain must be blocked or not why you see the results in dns log
Another way do a dns leak and you will see the relay dns always appear (cloudflare / fastly)
I've just tried with a Quad9 DNS-over-HTTPS profile and it works as described in the documentation. Safari web browsing goes though the relay but DNS goes through Qua9 https://on.quad9.net/
I've just tried with a Quad9 DNS-over-HTTPS profile and it works as described in the documentation. Safari web browsing goes though the relay but DNS goes through Qua9 https://on.quad9.net/
Are you sure private relay work properly, I never had any yes on this page, on multiple device with relay enabled over multiple network and account using quad9 profile.
Try to check with check my ip to see if he tell well you using private relay.
Edit: very same with cloudflare and their 1.1.1.1/help, I never had a "yes" in https (when using https) when using profile.
on.quad9.net doesn't seem to use the standard DNS detection trick where the page sends queries to randomly generated hostnames. Sometimes it says yes, sometimes it says no. https://mullvad.net/check instead always works. The public IP is on of the iCloud egress relays list, and the dns is PCH Franfurt Management, which seems to be a Quad9 hosting sponsor https://www.quad9.net/about/sponsors/
By the way, even though this is supposed to work (modulo Apple bugs), using custom DNS is counterproductive. On of the purpose of iCloud Private Relay is to thwart IP based fingerprinting and tracking. If you use another DNS, websites can detect that and you will stand out compared to the majority of other relay users.
By the way, even though this is supposed to work (modulo Apple bugs), using custom DNS is counterproductive. On of the purpose of iCloud Private Relay is to thwart IP based fingerprinting and tracking. If you use another DNS, websites can detect that and you will stand out compared to the majority of other relay users.
Their system is based on ODOH so technically it's can be done privately
Their system is based on ODOH so technically it's can be done privately
Yes... but it's not used if you apply a custom DNS via profile or VPN