paulmillr / encrypted-dns

DNS over HTTPS config profiles for iOS & macOS

Home Page:https://paulmillr.com/posts/encrypted-dns/

Add a warning about iCloud Private Relay.

BirdInFire opened this issue · comments

Hello @paulmillr
It could be interesting to add a warning that iCloud Private Relay redirects DNS queries, AND only the DNS queries of Safari (for now).

So those who use it must continue to install a profile for the DNS queries of other apps, and warn them that if they use it with a DNS profile that does ad-blocking, the ad-blocking capability will not work in Safari.

sure

That's incorrect: iCloud Private Relay redirects all DNS requests, all Safari traffic and all HTTP-only traffic; however, if encrypted DNS is set up, that will be used for resolution instead of the relay's encrypted oblivious DNS.

To protect the privacy of DNS name resolution for all queries sent by the device and prevent such tracking, Private Relay uses Oblivious DNS over HTTPS (ODoH).

If a user has configured custom-encrypted DNS settings using a profile or an app, the DNS server specified will be used instead of ODoH.

Source: https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF

It's technically also incorrect, because they only do that if the profile is valid, and it will not redirect but only check whether they must block it; if not, they use theirs, so any DNS rewrite (to something like 0.0.0.0 instead of NXDOMAIN) will be ignored by default.

if the profile is valid

What do you mean by valid?

it will not redirect but only check whether they must block it; if not, they use theirs, so any DNS rewrite (to something like 0.0.0.0 instead of NXDOMAIN) will be ignored by default

If the user has configured DoH (or a VPN with DNS), all queries go through that server instead of theirs. It's not like a custom encrypted DNS is used as a content filter for their DNS; what makes you say that? The documentation states otherwise.
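The profiles this repository ships are Apple DNSSettings payloads (`com.apple.dnsSettings.managed`), and the "valid profile" question above comes down to whether such a payload is well-formed enough for the OS to install and honour. The following Python script is an added example for this thread, not code from paulmillr/encrypted-dns or from any commenter: it builds a Quad9 DNS-over-HTTPS profile with the standard-library `plistlib` and runs a minimal structural check over it. The Quad9 endpoint (`https://dns.quad9.net/dns-query`, 9.9.9.9, 149.112.112.112) and the `org.example` identifier prefix are assumptions to verify against the resolver operator's own documentation, and a clean check only means the plist is structurally sound, not that a given iOS or macOS release will accept it.

```python
"""Build and sanity-check a DNS-over-HTTPS .mobileconfig profile.

Added example for this issue thread; not code from paulmillr/encrypted-dns
or from any commenter. Payload keys follow Apple's DNSSettings payload
(com.apple.dnsSettings.managed). The Quad9 endpoint/addresses and the
org.example identifier prefix are assumptions for illustration.
"""
import ipaddress
import plistlib
import uuid
from urllib.parse import urlparse

ORG = "org.example"  # hypothetical reverse-DNS prefix for PayloadIdentifier


def build_doh_profile(name, server_url, server_addresses=(), org=ORG):
    """Return the XML plist bytes of a profile that sets system-wide DoH."""
    slug = name.lower().replace(" ", "-")
    dns_payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.dns.{slug}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{name} DNS over HTTPS",
        "DNSSettings": {
            "DNSProtocol": "HTTPS",
            "ServerURL": server_url,
            # Optional, but lets the OS reach the DoH server without a
            # bootstrap lookup through the (possibly untrusted) local resolver.
            "ServerAddresses": list(server_addresses),
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.dns.{slug}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{name} encrypted DNS",
        "PayloadContent": [dns_payload],
    }
    return plistlib.dumps(profile)


def check_doh_profile(data):
    """Return a list of structural problems; an empty list means none found.

    Catches malformed profiles before you try to install them. It cannot
    tell you whether a particular OS release will honour the payload.
    """
    problems = []
    try:
        prof = plistlib.loads(data)
    except Exception as exc:  # InvalidFileException, ExpatError, ...
        return [f"not a plist: {exc}"]
    if prof.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    dns_payloads = [p for p in prof.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.dnsSettings.managed"]
    if len(dns_payloads) != 1:
        problems.append("expected exactly one com.apple.dnsSettings.managed payload")
        return problems
    # Every payload needs a unique identifier and a well-formed UUID.
    for p in (prof, dns_payloads[0]):
        if not p.get("PayloadIdentifier"):
            problems.append("missing PayloadIdentifier")
        try:
            uuid.UUID(p.get("PayloadUUID", ""))
        except ValueError:
            problems.append(f"{p.get('PayloadIdentifier', '?')}: PayloadUUID is not a UUID")
    settings = dns_payloads[0].get("DNSSettings", {})
    proto = settings.get("DNSProtocol")
    if proto == "HTTPS":
        url = urlparse(settings.get("ServerURL", ""))
        if url.scheme != "https" or not url.netloc:
            problems.append("ServerURL must be an https:// URL")
    elif proto == "TLS":
        if not settings.get("ServerName"):
            problems.append("DNSProtocol TLS requires ServerName")
    else:
        problems.append(f"DNSProtocol must be HTTPS or TLS, got {proto!r}")
    for addr in settings.get("ServerAddresses", []):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"ServerAddresses contains non-IP value {addr!r}")
    return problems


if __name__ == "__main__":
    data = build_doh_profile("Quad9", "https://dns.quad9.net/dns-query",
                             ["9.9.9.9", "149.112.112.112"])
    print(data.decode())
    print("problems:", check_doh_profile(data))
```

Write the bytes to a `.mobileconfig` file and install it through Settings (iOS) or System Settings > Profiles (macOS); the `ServerAddresses` entry is what saves the device from having to resolve the DoH hostname through whatever resolver the network hands out.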

The best way to try: use a DNS that provides verification, like Quad9 or dns0.eu, with the profile; their verification page will never work, since Apple only uses them to verify whether the domain must be blocked or not, which is why you see the results in the DNS log.

Another way: do a DNS leak test and you will see the relay DNS always appear (Cloudflare / Fastly).

I've just tried with a Quad9 DNS-over-HTTPS profile and it works as described in the documentation. Safari web browsing goes through the relay but DNS goes through Quad9: https://on.quad9.net/

Are you sure Private Relay works properly? I never got a "yes" on this page, on multiple devices with the relay enabled over multiple networks and accounts, using the Quad9 profile.

Try to check with a check-my-IP service to see if it tells you that you are using Private Relay.

Edit: the very same with Cloudflare and their 1.1.1.1/help; I never got a "yes" for HTTPS (when using HTTPS) when using the profile.

on.quad9.net doesn't seem to use the standard DNS detection trick where the page sends queries to randomly generated hostnames. Sometimes it says yes, sometimes it says no. https://mullvad.net/check instead always works. The public IP is on the iCloud egress relays list, and the DNS is PCH Frankfurt Management, which seems to be a Quad9 hosting sponsor: https://www.quad9.net/about/sponsors/

By the way, even though this is supposed to work (modulo Apple bugs), using custom DNS is counterproductive. One of the purposes of iCloud Private Relay is to thwart IP-based fingerprinting and tracking. If you use another DNS, websites can detect that and you will stand out compared to the majority of other relay users.

Their system is based on ODoH, so technically it can be done privately.

Yes... but it's not used if you apply a custom DNS via a profile or VPN.