Whitelist : xp.apple.com - this is used for apple device restore

Question

Whitelist : xp.apple.com - this is used for apple device restore

zeezeepiggy opened this issue 2 years ago · comments

zeezeepiggy commented 2 years ago

Submit Form

Get your issue resolved quickly! Fill in the form accurately.

Lists in use:

mini
Lite
Pro
Xtra

Client:
Itunes, MacOS, nextdns

Domains:

xp.apple.com

Details:

xp.apple.com Is used for device updates and OS restore of macos and ios.

this is not a telemetry, but a common checker of the device.

i was restoring my personal MacBook pro and it keeps on failing with unable to connect to apple server. I then found the culprit that xp.apple.com is being blocked by 1host Pro. I change the blocklist and white list it. The restore went fine.

sorry. no screentshot of the failed macbook….

+++++

to verify this, i went to check my companies firewall allow list document ( my company uses apple products and we manages some blocklist as well), then wiki states the below:

XP.APPLE.COM - Allowed for device Restore and Update. Brick Device Possible if this is Blocked.
*SMOOT.APPLE.COM - Needs to be allowed. design team complains Spotlight Search not working.

Details verified with Apple Business and Tech Support. (IM8908765 and IM4326578)

both of these are blocked by 1host Pro. Can we unblock these? I cannot always use my companies DNS/VPN since they monitor it.

Thank you for supporting 1Hosts.

_{It’s people like you who make these lists great! ❤}

Gerd · Answer 1 · Tue Jun 14 2022 18:44:58 GMT+0800 (China Standard Time)

I had suspected that this would lead to problems, the domains are not for nothing on the Apple support list of domains to be released in corporate networks. But I could not prove it.
See: #536

You won't find them on common blocklists either.

badmojr · Answer 2 · Thu Jun 16 2022 09:42:42 GMT+0800 (China Standard Time)

i was restoring my personal MacBook pro and it keeps on failing with unable to connect to apple server.

That doesn't scare you a bit?

zeezeepiggy · Answer 3 · Thu Jun 16 2022 12:39:33 GMT+0800 (China Standard Time)

i was restoring my personal MacBook pro and it keeps on failing with unable to connect to apple server.

That doesn't scare you a bit?

Initially It did, but i believe every error has a solution. So i did some normal debugging until i found the solution.

Also, I now work in tech and my new team also fixes issues with mac and other apple device issues. We work with the Apple Business Tech Team when we encounter issues. We originally had a very aggressive firewall in the company, but some of them we whitelisted. Hope it makes sense.

zeezeepiggy · Answer 4 · Thu Jun 16 2022 12:49:26 GMT+0800 (China Standard Time)

Also, should we add this in 1host Extra instead?

badmojr · Answer 5 · Fri Jun 17 2022 12:02:14 GMT+0800 (China Standard Time)

Also, should we add this in 1host Extra instead?

I'm afraid not! We currently don't have this feature, as can be seen here.

zeezeepiggy · Answer 6 · Fri Jun 17 2022 15:43:59 GMT+0800 (China Standard Time)

@badmojr i will let you decide if you want to whitelist this or not in the Pro blocklist.

For the time being, I will allowlist this domain in nextdns and also the *smooth.apple.com… to prevent device bricking.

I really want yo share the documents from my Company about the apple whitlisted domains and their reason plus their IM number but I can’t as its confidential and i dont want to get into trouble. 😆✌🏻✌🏻

Please close if required.

badmojr · Answer 7 · Sat Jun 18 2022 01:30:47 GMT+0800 (China Standard Time)

OK! Closing...

Hal · Answer 8 · Thu Jul 07 2022 22:51:38 GMT+0800 (China Standard Time)

@badmojr

XP.APPLE.COM - Allowed for device Restore and Update. Brick Device Possible if this is Blocked.

https://oisd.nl/excludes.php?w=xp.apple.com - Required for installing, restoring, and updating macOS, iOS, iPadOS, watchOS, and tvOS. See https://support.apple.com/en-us/HT210060

*SMOOT.APPLE.COM - Needs to be allowed. design team complains Spotlight Search not working.

https://oisd.nl/excludes.php?w=smoot.apple.com
specifically: https://oisd.nl/excludes.php?w=api.smoot.apple.com

badmojr · Answer 9 · Mon Nov 14 2022 20:18:43 GMT+0800 (China Standard Time)

@yokoffing , @zeezeepiggy , @hagezi

https://youtu.be/8JxvH80Rrcw

Gerd · Answer 10 · Mon Nov 14 2022 21:10:32 GMT+0800 (China Standard Time)

@badmojr Yes, thank you, I was completely wrong.
https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558

Hal · Answer 11 · Tue Nov 15 2022 00:34:30 GMT+0800 (China Standard Time)

I hope Apple disables this in the future. I have a lot of anti-tracking measures in place, up to breaking functionality of a few things.

However, all the issues we've documented historically still occur (AFAIK) when blocking ~~xp and~~ smoot. The Pro list description says it may cause "some minimal breakages", and I consider these a few rings above small breakage. And unlike something like graph.facebook.com, the issues impact users on the operating system level, not an optional social media site.

Update: nextdns/metadata#1132

Gerd · Answer 12 · Wed Nov 30 2022 15:19:56 GMT+0800 (China Standard Time)

@badmojr
I have found something that does not work by blocking xp.apple.com. 4 out of 4 Apple Watches in my household would not update. The behavior is as follows:
The Watch shows that an update is necessary, if you start it it hangs at "search for update". I waited 10 minutes before cancelling the process. I tried it on every Watch.
Unblocking xp.apple.com fixed the problem.
I have removed xp.apple.com from my blocklists.

ping @AdguardTeam @jellizaveta @Alex-302

Alex · Answer 13 · Thu Dec 01 2022 01:09:13 GMT+0800 (China Standard Time)

@hagezi Thanks, checked and removed.