
How to block iCloud Private Relay in UniFi

Learn how to block iCloud Private Relay in UniFi for auditing purposes


Apple introduced iCloud Private Relay in 2021 as part of iCloud+. It tunnels certain traffic from Apple devices, including Safari browsing, DNS lookups and unencrypted HTTP traffic from apps, through a two-hop relay operated by Apple and partner providers, so that neither the local network nor the destination site sees both the user's IP address and the sites being visited.

Why would iCloud Private Relay need to be blocked?

Certain industries such as government and education have logging or auditing requirements, and iCloud Private Relay can stop these from working reliably: once the relay is up, the client's DNS queries and Safari traffic are no longer visible to the network, which breaks content filtering, malware scanning and similar controls that depend on inspecting that traffic.

Blocking iCloud Private Relay

iCloud Private Relay can be blocked fairly easily, but because the block is done through DNS it is limited to UniFi setups that have a UniFi gateway (a UXG or a UniFi Cloud Gateway) acting as the network's DNS resolver.

To reduce friction for end users, Apple has published guidance on how a network can signal to Apple devices that Private Relay is blocked, so the devices fail fast and tell the user instead of waiting for timeouts.

Using the built-in DNS records feature in UniFi, the two hostnames that Apple devices look up to reach the relay can be answered with NXDOMAIN by creating a CNAME record whose target is NXDOMAIN. These hostnames are mask.icloud.com and mask-h2.icloud.com.

How to block iCloud Private Relay

First open UniFi Network, then click on Settings

DNS settings are managed within the new Zone-Based Firewall, so once in Settings click on Policy Table

We now need to add two DNS CNAME records, to do this click on Create New Policy

Then select DNS

For Host, select CNAME in the drop down menu

For the Alias Domain Name, type in:

mask.icloud.com

And then for Target Domain Name, type in:

NXDOMAIN

Click Add and then repeat this process for the second domain:

mask-h2.icloud.com

Once done, Apple devices that join your network will see Apple's on-device notice that this network is blocking iCloud Private Relay (shown as a screenshot in the original post). Users can either join another WiFi/wired network or use this network without iCloud Private Relay.

Block external DNS Servers (Optional)

The DNS records set within UniFi only apply to queries that go through the UniFi gateway's resolver. A client configured to use an external DNS server (for example 8.8.8.8) would never see the NXDOMAIN answers and would bypass everything set above.

This is an optional step, but if that bypass is a concern, external DNS servers can be blocked with a firewall policy.

How to block external DNS servers in UniFi

First open UniFi Network, then click on Settings

Then, open the Policy Table

Click on Create New Policy

Next, select Firewall

Enter a name, such as Block External DNS, then fill in the policy as follows:

  • Select Internal as the Source Zone
  • For the source, choose Any, Device, Network, IP or MAC depending on how widely the rule should apply
  • Leave the source Port as Any
  • Set Action to Block
  • Under Destination Zone, choose External
  • Under Port, choose Specific
  • In the Service drop-down menu, select DNS
  • Once finished, click Add Policy

Once finished, test that any external DNS servers are being blocked by running:

nslookup DOMAIN DNS_SERVER_IP

Example:

nslookup hostifi.com 8.8.8.8

If everything is set up correctly the query should time out and then fail, because the Block action drops the packets rather than rejecting them. Clients that are configured to use an external DNS server will then be unable to resolve names at all, which in practice means no internet access until they go back to the gateway's resolver. Note that this rule only covers classic DNS on port 53; a client that sends DNS over HTTPS (port 443) or DNS over TLS (port 853) to an external resolver is not caught by it.
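To verify both steps above from a client on the Internal network without relying on nslookup's output format, here is an added example (not from the original post, and not a HostiFi or Ubiquiti tool). It builds a raw DNS query with only the Python standard library, sends it to the resolver you name and reports the response code. Run against the gateway it should return NXDOMAIN for both Private Relay hostnames; run against an external resolver it should return TIMEOUT once the firewall policy is in place (or NOERROR if the policy is missing). The gateway address 192.168.1.1 and the use of 8.8.8.8 as the external resolver are assumptions.

```python
"""Check the iCloud Private Relay bootstrap names and the external-DNS block.

Added example, not part of the original HostiFi post. Sends a minimal DNS
A query over UDP and classifies the answer by RCODE; a dropped query is
reported as TIMEOUT. Assumed addresses: gateway 192.168.1.1, external 8.8.8.8.
"""
import socket
import struct
import sys

# The two hostnames Apple devices resolve to bring up Private Relay.
PRIVATE_RELAY_NAMES = ("mask.icloud.com", "mask-h2.icloud.com")

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Return a DNS A/IN query for `name` with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_rcode(response: bytes, txid: int = 0x1234) -> str:
    """Return the textual RCODE of a DNS response after checking id and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid:
        raise ValueError(f"transaction id mismatch: {rid:#x} != {txid:#x}")
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")


def query(server: str, name: str, timeout: float = 3.0) -> str:
    """Send one query to `server` on UDP/53; return the RCODE text or 'TIMEOUT'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"  # firewall Block action drops the packet silently
    return parse_rcode(data)


def relay_blocked(server: str) -> bool:
    """True when `server` answers NXDOMAIN for both Private Relay hostnames."""
    return all(query(server, n) == "NXDOMAIN" for n in PRIVATE_RELAY_NAMES)


def external_dns_blocked(server: str = "8.8.8.8") -> bool:
    """True when a plain DNS query to the external resolver gets no answer."""
    return query(server, "hostifi.com") == "TIMEOUT"


if __name__ == "__main__":
    gateway = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed gateway IP
    external = sys.argv[2] if len(sys.argv) > 2 else "8.8.8.8"     # assumed external resolver
    for hostname in PRIVATE_RELAY_NAMES:
        print(f"{gateway:>15}  {hostname:<20}  {query(gateway, hostname)}")
    print(f"{external:>15}  {'hostifi.com':<20}  {query(external, 'hostifi.com')}")
    print("Private Relay blocked:", relay_blocked(gateway))
    print("External DNS blocked: ", external_dns_blocked(external))
```

Run it as `python3 relay_check.py 192.168.1.1 8.8.8.8` from a client that is on the Internal zone. The script uses UDP only, which is what the nslookup test in the post exercises as well; if you also want to confirm the TCP/53 path is dropped, repeat the external query with a TCP socket.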


HostiFi

HostiFi provides hosting for Ubiquiti software platforms, with servers for UniFi and UISP. We also offer network consulting, with HostiFi Professional Services.
