Safe Access SRM 1.3 new options for Safe Access


fredbert

Having just upgraded SRM to 1.3.1 I was looking at what's changed and noticed two new settings that address DNS over HTTPS and Apple's iCloud Relay. Both of these interfere with Safe Access's ability to apply web filtering.

First, Apple's iCloud Relay gets a Block setting in each Profile within Safe Access...

1662312063238.png

Prior to this (in SRM 1.2.5) you had to have an internal DNS server that resolved (to nowhere specific) for two addresses: mask.icloud.com; mask-h2.icloud.com. Such as this:

1662312211587.png

So DNS Server no longer needs master zones for these two addresses, if you wanted to stop using iCloud Relay at home.


Next it's DNS over HTTPS (DOH). SRM has for some time supported using DOH for DNS resolution from clients requesting it from the router. But there was little to stop clients just using DOH directly and so bypassing Safe Access.

In Network Center's Security configuration there is a new option 'Do not allow client devices to use DOH servers'.

1662312603342.png

1662312495231.png
Give them a go and see if they work for you.
 
I'd like to thank myself for posting the above because I couldn't remember, nor find in Help, where the iCloud Relay setting had been added.

Since iOS 16, well it's been noticeable since upgrading my iPhone, I've been having a lot of iOS notifications saying that iCloud Private Relay isn't working. Er, I know! This happened even when picking up the phone at home when the network shouldn't have changed.

I had enabled the new Safe Access feature on my profiles and also disabled the DNS Server zones that had previously been blocking access (as per Apple's guidance). So now I've re-enabled the two DNS Server zones and the notifications seem to have stopped. I would guess that the Safe Access feature is not responding correctly to how iOS expects for a correct block, and so it is giving more of a service status notification. Whatever, it's rather annoying.

Here's how to implement Apple's recommended block using DNS Server.
 
I'm wondering if the best way to stop the notifications on your home wireless LAN will be to go to the iOS Settings / Wi-Fi and select your home network. Now ensure that Limit IP Address Tracking is disabled. I find a Wi-Fi off/on toggle helps sometimes too. This and use the iCloud Private Relay blocking techniques.
 
Hello. Just to clarify, if a user has Private Relay enabled on their Apple device then the traffic bypasses SA? On the contrary if PR is disabled on the device then SA will filter the traffic and apply the rules.
 
In short: yes.

With Safe Access in SRM 1.3 there is the option, in each profile, to block access to iCloud Private Relay. Before this in SRM 1.2 you had to set local DNS resolution to give false IP addresses for a couple of Apple URLs.

This is the same scenario where a device uses any Internet VPN service to tunnel through the local and ISP infrastructure, thereby breaking out onto the Internet from the VPN service's gateway.

Since updating to iOS 16 I have had more iOS notifications from private relay saying it's on/off while I'm always on the same home SSID. I've discussed this with Synology Support and the feedback is that they are doing the same mechanism in SRM 1.3 Safe Access that Apple is recommending to do in DNS. I'm feeling that it's either an SRM 1.3 WiFi stability issue or more likely something in iOS 16 flapping the wireless and mobile connections. I don't have the same issue with a WiFi-only iPad on 15.7.
 
Ok. I will have to explore this a little more with my own devices, some on 15.7 and others on 16. Thanks for the help and post updates.
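A way to check what the LAN resolver actually returns for the two relay names discussed in this thread, added here as an example and not taken from any post or from Synology: Apple's published guidance is that a resolver answering `mask.icloud.com` and `mask-h2.icloud.com` with NXDOMAIN or an empty NOERROR response signals that Private Relay is unavailable on the network. The function names, the fixed transaction ID and the constructed sample responses are assumptions of this sketch.

```python
import socket
import struct

RELAY_NAMES = ("mask.icloud.com", "mask-h2.icloud.com")  # the two names from the thread

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal recursive DNS query (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_response(packet, txid=0x1234):
    """Map a raw DNS response to the outcome that matters for the relay block."""
    if len(packet) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit says "query"
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 3:
        return "blocked-nxdomain"
    if rcode == 0 and ancount == 0:
        return "blocked-nodata"
    if rcode == 0:
        return "answered"  # records returned; only a block if they are sinkhole addresses
    return "error-rcode-%d" % rcode

def check_resolver(resolver_ip, timeout=2.0):
    """Ask one resolver about both relay names over UDP port 53."""
    results = {}
    for name in RELAY_NAMES:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name), (resolver_ip, 53))
                results[name] = classify_response(s.recv(512))
            except OSError:  # timeout or port unreachable
                results[name] = "no-reply"
    return results

def make_response(name, rcode, answers=0):
    """Constructed sample response: header plus echoed question, no record bodies."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, answers, 0, 0)
    return hdr + build_query(name)[12:]

if __name__ == "__main__":
    import sys
    print(check_resolver(sys.argv[1]))  # pass the resolver's LAN address
```

Running it once against the router and once against a public resolver shows whether the block depends on clients actually using the router for DNS, which is the gap the DOH setting in Network Center is meant to close.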
 
