Apple introduced iCloud Private Relay in 2021. It tunnels certain traffic from Apple devices, including Safari browsing and iCloud Mail, through private infrastructure maintained by Apple.
Note: UniFi Network 9.5.21 was used in this guide
If you want fast and reliable UniFi hosting, check out HostiFi with fast support, regular backups, managed updates and prices from just $9 per month.
To learn more about our hosting plans, create an account and get started today.
Why would iCloud Private Relay need to be blocked?
Certain industries, such as government and education, might have logging or auditing requirements, and iCloud Private Relay can stop these from working reliably. This includes content filtering, malware scanning and more.
Blocking iCloud Private Relay
iCloud Private Relay can be blocked fairly easily, but because DNS is involved, this is limited to UniFi setups that have either a UXG or a UniFi Cloud Gateway.
To reduce friction for end users, Apple has provided instructions on how to tell Apple devices that Private Relay has been blocked, which avoids timeouts on the client side.
Using the built-in DNS feature in UniFi, the two domains that Private Relay uses can be given an NXDOMAIN response using a CNAME record. These domains are mask.icloud.com and mask-h2.icloud.com.
How to block iCloud Private Relay
First open UniFi Network, then click on Settings
DNS settings are managed within the new Zone-Based Firewall, so once in Settings click on Policy Table
We now need to add two DNS CNAME records, to do this click on Create New Policy
Then select DNS
For Host, select CNAME in the drop-down menu
For the Alias Domain Name, type in mask.icloud.com and then for Target Domain Name, type in NXDOMAIN
Click Add and then repeat this process for the second domain, mask-h2.icloud.com
Once done, clients who now join your network will be greeted with the following message. Users can either join another WiFi/wired network or use the network without iCloud Private Relay.
Block external DNS Servers (Optional)
The DNS records set within UniFi only apply when DNS requests are routed through the UXG, so if someone uses an external DNS server, that bypasses everything set above.
This is an optional step, but external DNS servers can be blocked if this is a concern.
How to block external DNS servers in UniFi
First open UniFi Network, then click on Settings
Then, open the Policy Table
Click on Create New Policy
Next, select Firewall
Enter a name, such as Block External DNS. Then:
Select Internal as the Source Zone
Choose either Any, Device, Network, IP or MAC
Leave Port as Any
Set Action to Block
Under Destination Zone, choose External
Under Port, choose Specific
In the Service drop-down menu, select DNS
Once finished click Add Policy
Once finished, test that external DNS servers are being blocked by running:
nslookup DOMAIN DNS_SERVER_IP
Example:
nslookup hostifi.com 8.8.8.8
If everything is set up correctly, the query should time out and then fail. Users who set their DNS to an external DNS server will not be able to access the internet.
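To check both parts of this guide in one go (the NXDOMAIN answers for the two Private Relay hostnames, and the timeout for an external resolver), here is a small stdlib-only Python probe. It is an added example, not HostiFi's or Ubiquiti's code; the gateway address 192.168.1.1 is an assumption, and it reports the raw DNS RCODE so you can see exactly what the gateway returns.

```python
import random
import socket
import struct

# The two hostnames the guide maps to NXDOMAIN in the UniFi Policy Table.
RELAY_DOMAINS = ["mask.icloud.com", "mask-h2.icloud.com"]

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A/IN query with the RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def classify_response(resp: bytes, txid: int) -> str:
    """Return the RCODE name of a DNS response, or 'BAD' if it is malformed."""
    if len(resp) < 12:
        return "BAD"
    rid, flags = struct.unpack(">HH", resp[:4])
    if rid != txid or not (flags & 0x8000):  # wrong ID or QR bit not set
        return "BAD"
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def probe(name: str, server: str, timeout: float = 3.0) -> str:
    """Send one UDP query; 'TIMEOUT' is the expected result once the
    Block External DNS firewall policy is in place."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
    return classify_response(data, txid)


def relay_blocked(gateway_dns: str) -> bool:
    """True when the gateway answers NXDOMAIN for both relay hostnames."""
    return all(probe(d, gateway_dns) == "NXDOMAIN" for d in RELAY_DOMAINS)


if __name__ == "__main__":
    gw = "192.168.1.1"  # assumed UniFi gateway address; adjust for your LAN
    for d in RELAY_DOMAINS:
        print(f"{d:20} via {gw}: {probe(d, gw)}")
    print("hostifi.com via 8.8.8.8:", probe("hostifi.com", "8.8.8.8"))
```

Run it from a client on the network: the first two lines should read NXDOMAIN and the last should read TIMEOUT if the optional firewall policy is active.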
HostiFi
HostiFi provides hosting for both Ubiquiti and TP-Link software-defined-networking (SDN) applications, with servers for UniFi, UISP and Omada. We also offer professional networking consulting, with HostiFi Pro.
If you run into any issues, send an email to support@hostifi.com or contact us via live chat.

