Kiwire 3.0 Administrator - Security Advisories

Prepare Your Network or Web Server for iCloud Private Relay
 

iCloud Private Relay is a new internet privacy service offered as a part of an iCloud+ subscription that allows users on iOS 15, iPadOS 15, and macOS Monterey to connect to and browse the web more privately and securely. Private Relay protects users’ web browsing in Safari, DNS resolution queries, and insecure HTTP app traffic. Internet connections set up through Private Relay use anonymous IP addresses that map to the region a user is in, without divulging the user’s exact location or identity. Learn how to provide the best possible experience for users of Private Relay on your network.

Allow for network traffic audits

Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network.

The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices.

Kiwire Solutions

WiFi operators and service providers can prevent the Private Relay service from working on their network by blocking DNS requests to both mask.icloud.com and mask-h2.icloud.com. If the device cannot reach these domains, the service is disabled and not available.

This is officially supported by Apple, which provided these instructions. It is also useful where regulations or laws in your country require you to retain web browsing history in case of an official request from the authorities.

mask.icloud.com

mask-h2.icloud.com
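
To confirm that a resolver blocks both hostnames in the way described above (NXDOMAIN or "no error no answer", never a timeout), the following check sends one query per hostname and classifies the reply. It is an added example, not code from Kiwire or Apple; the function names and the resolver address 192.0.2.53 are placeholders, and it assumes a plain UDP resolver on port 53 and tests A records only.

```python
import socket
import struct

# Hostnames the page says to block at the resolver.
HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")

def build_query(name, txid=0x4B57, qtype=1):
    """Minimal DNS query (RD set, one question, class IN). qtype 1 = A."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def classify(response):
    """Map a raw DNS response (or None for no reply) to the outcome the page cares about."""
    if response is None:
        return "TIMEOUT"       # silent drop: the case the page says to avoid
    if len(response) < 12:
        return "MALFORMED"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0:
        return "NODATA" if ancount == 0 else "RESOLVED"
    return "RCODE_%d" % rcode  # e.g. SERVFAIL (2) or REFUSED (5)

def ask_udp(resolver_ip, name, timeout=2.0):
    """Send one A query over UDP; return the raw reply or None on timeout/error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (resolver_ip, 53))
            return s.recvfrom(512)[0]
        except OSError:        # socket.timeout is a subclass of OSError
            return None

def audit(resolver_ip, ask=ask_udp):
    """Return (blocked_cleanly, {host: outcome}) for the Private Relay hostnames."""
    results = {h: classify(ask(resolver_ip, h)) for h in HOSTS}
    return all(r in ("NXDOMAIN", "NODATA") for r in results.values()), results

def sample_reply(rcode, ancount):
    """Constructed 12-byte response header for offline checks (not captured traffic)."""
    return struct.pack(">HHHHHH", 0x4B57, 0x8180 | rcode, 1, ancount, 0, 0)

if __name__ == "__main__":
    # 192.0.2.53 is a documentation-range placeholder; use your resolver's address.
    print(audit("192.0.2.53"))
```

A result of RESOLVED means the block is not in effect on that resolver; TIMEOUT means the block works by dropping traffic, which the guidance above warns causes delays on client devices.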