Info If you want to block iCloud Private Relay at home
fredbert
One of the features of Apple's iCloud subscription is the (beta) Private Relay. This is, in effect, a VPN service for the Safari web browser and the Mail app, as far as I can see.

Once the feature is enabled in iOS 15 / macOS Monterey, it will bypass any filtering that you've implemented at home, and anywhere else; at least, it will attempt to.

I see this as a useful feature for public WiFi and where I'm not sure of the service provider, but at home I use Safe Access to apply protection from 'iffy' websites and to block accidental access to some 'news' sites where I don't want them to get any click-through ad revenue. So I'm not 'anti' this, but I would rather control my home protections, which is also why I use Safe Access to block requests to cloudflare-dns.com and dns.google. It's not foolproof, but I trust my family and it's there to help keep them protected.

In iOS's WiFi network settings it is possible to disable Private Relay for each network connection. But how to incentivise people to switch it off at home? The answer is easy if you run a LAN DNS server. This is the approach recommended by Apple, as it will then cause a pop-up message with a 'disable on this network' option.

I'm doing this on SRM's DNS Server, which is the main DNS server used by my DHCP clients (and SRM and Safe Access). Do the following twice, once per domain.

DNS Server -> Zones
  1. Click Create button and select 'Master zone'
  2. Use all the default values (e.g. Forward zone), except:
    1. First time, Domain name: mask.icloud.com
    2. Second time, Domain name: mask-h2.icloud.com
    3. Master DNS server: LAN IP of DNS Server (e.g. LAN IP of SRM router, or LAN IP of NAS)
  3. Click OK.
You should have two master zones in the list.
[Screenshot: DNS Server zone list showing the two master zones, mask.icloud.com and mask-h2.icloud.com]


Within them there will be two NS records but, most importantly, no record that resolves the domain name to an IP address. Now, when the two domains cannot be resolved, the device (phone/Mac) will pop up the message straight away. The device will continue to be protected on other networks.
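As an added illustration (not part of fredbert's post and not Synology's DNS Server code), the following Python models what the two empty master zones do to a query. A name at or under mask.icloud.com or mask-h2.icloud.com gets an authoritative NOERROR answer with zero address records (a NODATA response), which is the "cannot be resolved" condition the device reacts to; any other name is left to the normal forwarder path, represented here by returning None. The DNS message encoding is hand-rolled from RFC 1035 so the script runs offline, the blocked zone names are the two from the post, and www.apple.com is a constructed example of a name that should still resolve. A real zone would also put the zone's SOA in the authority section for negative caching, and would answer NS queries with its NS records; this model omits both and treats every query type in a blocked zone as NODATA.

```python
"""Model of the 'empty master zone' trick from the post: names inside the two
iCloud Private Relay zones get an authoritative answer with no address record
(NODATA), everything else falls through to the normal resolver (None here)."""
import struct

# The two zones created on the SRM DNS Server in the post.
BLOCKED_ZONES = ("mask.icloud.com", "mask-h2.icloud.com")

# Query types a relay-capable client is likely to ask for (RFC 1035 / RFC 9460).
QTYPE_A, QTYPE_AAAA, QTYPE_HTTPS = 1, 28, 65


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Read a wire-format name starting at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            # Compression pointers never appear in the questions built here.
            raise ValueError("compressed names are not supported by this model")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, qtype, txid=0x1234):
    """Standard recursive query with one question (flags 0x0100 = RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "name": name.lower(), "qtype": qtype,
            "qclass": qclass, "question": packet[12:off + 4]}


def in_blocked_zone(name):
    """True for the zone apex itself or anything beneath it (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in BLOCKED_ZONES)


def handle_query(packet):
    """Return a NODATA response for names in a blocked zone, else None (forward)."""
    q = parse_query(packet)
    if not in_blocked_zone(q["name"]):
        return None
    # QR=1 (response), AA=1 (we are authoritative for this zone), RD=1 copied
    # from the query, RA=1, RCODE=0 (NOERROR). ANCOUNT=0 is what makes it NODATA.
    flags = 0x8000 | 0x0400 | 0x0100 | 0x0080
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, 0, 0, 0)
    return header + q["question"]


def parse_response(packet):
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0xF, "answers": ancount}


def check(name, qtype=QTYPE_A):
    """'nodata' if the zone swallows the name, 'forward' if it would be resolved normally."""
    resp = handle_query(build_query(name, qtype))
    if resp is None:
        return "forward"
    r = parse_response(resp)
    ok = r["qr"] and r["aa"] and r["rcode"] == 0 and r["answers"] == 0
    return "nodata" if ok else "unexpected"


if __name__ == "__main__":
    for n in ("mask.icloud.com", "mask-h2.icloud.com", "www.apple.com"):
        print(f"{n:22s} {check(n)}")
```

To confirm the real zones behave the same way, query the router from a LAN client with `dig @<router LAN IP> mask.icloud.com A` and look for `status: NOERROR`, an `aa` flag in the flags line, and `ANSWER: 0`; then repeat for mask-h2.icloud.com. If a query for an unrelated name such as www.apple.com comes back with answers, the forwarder path is still intact and only the two relay hostnames are affected.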
SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.