Forum Discussion

ddaniel
Meteor
2 months ago

Blocking icloud private relay "nicely"

I would like to block "icloud private relay" in such a way that the user would be notified and able to continue without icloud private relay. Apple's recommended way to do this is to block DNS requests to mask.icloud.com and mask-h2.icloud.com so a "no error/no answer" or NXDOMAIN response is returned. This alerts the users that they either need to disable private relay or choose another network. Details are here: Prepare your network or web server for iCloud Private Relay - iCloud - Apple Developer

Is there a way to configure this using only Cato? I cannot see how to create a custom DNS rule to block specific queries, and I cannot see how to create a custom IPS rule either.

Is there a recommended way to do this? What are others doing? I am in a Windows shop. I could redirect DNS queries to a Windows DNS server and use DNS query filtering, but would rather do a Cato only solution if possible.

Per Apple:  Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network.

The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices.

  • mask.icloud.com
  • mask-h2.icloud.com



2 Replies

  • I'd think if you block QUIC, that would take care of it. I think Cato recommends you do this anyway. 

    If for some reason you can't block QUIC completely via the internet firewall, I suppose you could make a custom app for UDP/443 to the relevant domains and block that.

    iCloud Private Relay uses QUIC, a new standard transport protocol based on UDP. QUIC connections in Private Relay are set up using port 443.

  • Thanks for the reply. I do block QUIC which makes it stop working but doesn't alert the user. In most cases, they need to manually turn it off to work. And our support folks get a call as to why their wifi is not working. My goal is to block it cleanly so that their phone or MacBook lets them know what is going on. According to Apple, the proper way is to return NXDOMAIN to the DNS queries. But the DNS queries are not blocked, only their access once the device tries to enable the iCloud private relay.

    I think that if the DNS filtering offered custom rules, I could block the two DNS records they use to enable it and that would trigger the device to gracefully alert the user.  Although the DNS query needs a NXDOMAIN reply and the DNS filtering may only offer to drop the request.
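As an added illustration of the difference between dropping the query and answering it the way Apple asks for (this is example code written for this thread, not Cato's or Apple's), the Python below parses the question section of a DNS query and, for the two Private Relay hostnames, builds the reply with RCODE 3 (NXDOMAIN) and no answer records; everything else returns None so a wrapping resolver (assumed, not shown) would forward it upstream.

```python
import struct

# Hostnames Apple lists for Private Relay; DNS names compare case-insensitively.
PRIVATE_RELAY_HOSTS = {"mask.icloud.com", "mask-h2.icloud.com"}

def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal query (qtype 1 = A, 28 = AAAA) with RD set; constructed sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (qname, qtype, end_offset) for the question section of a query.
    Client queries carry no compression pointers in the question, so plain labels suffice."""
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), qtype, pos + 4   # skip qtype and qclass

def nxdomain_response(query):
    """Echo the question back with QR=1, RCODE=3 (NXDOMAIN) and zero answer records."""
    txid, flags = struct.unpack("!HH", query[:4])
    _, _, qend = parse_question(query)
    rd = flags & 0x0100                          # copy the client's RD bit
    resp_flags = 0x8000 | rd | 0x0080 | 0x0003   # QR=1, RA=1, RCODE=NXDOMAIN
    return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + query[12:qend]

def handle_query(query):
    """NXDOMAIN reply for the Private Relay hosts; None means 'forward upstream'."""
    qname, _, _ = parse_question(query)
    if qname.lower() in PRIVATE_RELAY_HOSTS:
        return nxdomain_response(query)
    return None

def rcode(msg):
    """Low four bits of the flags word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F
```

Note that the reply is a real response with the client's transaction ID, so the device gets an immediate NXDOMAIN instead of the timeout that silently dropping the packet would cause.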