Apple Private Relay slowdown
I used the Apple Private Relay target list to block it on my network.
My wife complains about Internet problems with her iPhone now, and I ran across the following note from Apple:
Allow for network traffic audits
Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network.
The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices.
Is there a way I can do this in Firewalla? I'm comfortable with ssh and the command line, though not necessarily the low level network commands.
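The useful part of Apple's note is the distinction between response types: an NXDOMAIN or an empty NOERROR ("no error, no answer") reply lets the phone fall back immediately, while a timeout, silently dropped packet or SERVFAIL leaves the device waiting. The script below is an added example for this thread, not Firewalla or Apple code: it sends a plain UDP DNS query for doh.dns.apple.com (the only Private Relay hostname named in this thread; Apple's full list goes in the same place) and classifies what comes back into Apple's categories, so you can confirm the block behaves as the note asks rather than guessing from how the phone feels. The resolver address 192.0.2.53 and the embedded reply bytes are constructed sample data. On an Unbound resolver the blocking side is a line such as `local-zone: "doh.dns.apple.com" always_nxdomain` (Unbound's own directive, not something from this thread); the check below is what you run afterwards.

```python
"""Check that a resolver blocks a Private Relay hostname the way Apple's note
recommends: NXDOMAIN or an empty NOERROR answer, not a timeout or SERVFAIL.

Added example for this thread, not Firewalla or Apple code. The resolver
address 192.0.2.53 and the sample reply bytes are constructed, not captured.
"""
import socket
import struct
from typing import Optional

BLOCK_HOSTNAME = "doh.dns.apple.com"  # hostname mentioned in the thread


def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Build a minimal DNS A query: one question, recursion desired."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(reply: Optional[bytes]) -> str:
    """Map a raw DNS reply (or None for a timeout) to a response category.

    Returns one of: NXDOMAIN, NODATA, SERVFAIL, TIMEOUT, ANSWERED, OTHER.
    """
    if reply is None:
        return "TIMEOUT"
    if len(reply) < 12:
        return "OTHER"
    _txn, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 2:
        return "SERVFAIL"
    if rcode == 0:
        return "NODATA" if ancount == 0 else "ANSWERED"
    return "OTHER"


def is_blocked_correctly(category: str) -> bool:
    """Apple's note: NXDOMAIN or 'no error, no answer' are the fast, reliable signals."""
    return category in ("NXDOMAIN", "NODATA")


def query_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send the query over UDP/53 and return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return reply


# Constructed sample reply: txn id 0x1234, flags 0x8183 (QR, RD, RA, RCODE=3 NXDOMAIN),
# the question echoed back, no answer records. This is what a correctly configured
# blocking resolver should return for the hostname.
SAMPLE_NXDOMAIN_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + build_query(BLOCK_HOSTNAME)[12:]
)

if __name__ == "__main__":
    category = classify_response(SAMPLE_NXDOMAIN_REPLY)
    print(f"sample reply -> {category}, acceptable per Apple's note: {is_blocked_correctly(category)}")
    # Live check against your own resolver (replace the placeholder address):
    # live = classify_response(query_resolver("192.0.2.53", BLOCK_HOSTNAME))
    # print(f"live reply -> {live}, acceptable: {is_blocked_correctly(live)}")
```

Run the live check from a device in the same group as the phone, pointed at the resolver that group actually uses; a TIMEOUT or SERVFAIL result for the hostname is the delay Apple's note warns about, and means the block is being enforced by dropping packets somewhere rather than by the resolver answering.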
-
Ah, fantastic, thank you for pointing that out!
I'll have to dig into what's happening with my wife's phone. Would the block of doh.dns.apple.com (or even the Apple Private Relay servers) cause issues, even with the NXDOMAIN response?
Final question: my phone is in a group that's configured to use Unbound, and also DoH is configured for "all devices". The nslookup appears to be using 8.8.8.8 as its server.
~ $ nslookup doh.dns.apple.com
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find doh.dns.apple.com: NXDOMAIN
dnsleaktest.com correctly shows my external IP address. Am I misunderstanding the nslookup output?
Thanks,
David
-
I found the reason: the nslookup via Termux wasn't using the system settings, but /usr/etc/resolv.conf.
Thanks again for the help!