
Is NextDNS compatible with iCloud Private Relay?

Hi, I would like to ask if NextDNS can work with iCloud Private Relay. I just upgraded to iOS 15.4 from iOS 14.8.1 a few days ago and it seems like NextDNS doesn't work with iCloud Private Relay, because I keep getting this error whenever I try to go to any website:

Safari cannot open the page because it could not establish a secure connection to the server.

Does anybody know if I did anything wrong or…? Thanks

18 replies

    • JasonMatthew_Pridgen
    • 2 yrs ago

    Some people on here might have more knowledge than me, but my experience shows iCloud Private Relay would conflict with NextDNS. Also, I would see in the WiFi DNS manual settings that it said DNS is handled by Private Relay, not my personalized NextDNS. Someone on here in another thread said he could see that when both Private Relay and NextDNS were running together there were 2 lookups in his logs, showing clearly that 2 DNS services were doing it instead of just 1, NextDNS.
    Disabling Private Relay, I would think (mine currently is), shows the green dot that it's connected to NextDNS.
    Private Relay sometimes for me would not open pages, and in the Apple Beta information it describes that this issue might happen.
    I'm constantly changing things and tinkering with settings though, so I'm not wholly on NextDNS while doing some things. It is solid though, meaning NextDNS. Wish you well.

    • JasonMatthew_Pridgen
    • 2 yrs ago

    I meant to add, turning off iCloud Private Relay might get you running again.

      • Ivan.1
      • 2 yrs ago

      Jason-Matthew, thanks for your response. Yes, if I turn Private Relay off, NextDNS will work and I can access websites.

      I tried to use the Apple Configuration Profile Generator at apple.nextdns.io and was also unsuccessful in accessing any websites.

      I then tried to use both the IPv6 and IPv4 addresses provided in the setup page separately in WiFi's DNS server setting when on my home's WiFi network, but unfortunately it seems to have no effect, as the DNS server still seems to be Apple's iCloud Private Relay's servers…

    • Steven_Miller
    • 1 yr ago

    New user here, but I am running NextDNS along with Apple Private Relay on iOS and not having any issues. The logs show blocking happening, and an extended DNS leak test shows the NextDNS servers. The NextDNS configuration light is green. I like this combination because I get the benefits of both IP masking and tracker blocking without the overhead of a VPN. Am I missing something?

      • Pierre_Cartier
      • 1 yr ago

      Steven Miller, Apple says the IP is hidden, but this isn't true. You can check your IP on any IP-check website and it will reveal your real IP.

      https://twitter.com/mysk_co/status/1594515229915979776?s=46&t=iVAcYuph4tvwNwVi1GgOVA

      And even when using a VPN, Apple leaks your IP.

      https://twitter.com/mysk_co/status/1579997801047822336?s=46&t=iVAcYuph4tvwNwVi1GgOVA

      Don't fool yourself, Apple privacy is a smoke screen.

      https://fingerprint.com/blog/ios15-icloud-private-relay-vulnerability/

      • Steven_Miller.1
      • 1 yr ago

      Pierre Cartier "Apple says the IP is hidden but this isn't true. You can check for your IP on any website IP check and they will reveal your real IP. "

      Absolutely untrue, at least for me, but are you claiming that Apple has the entire world fooled on this?

      "by using a VPN Apple leaks your IP. "

      I believe Apple says clearly that Private Relay only protects Safari browsing, nothing else.

      "Don't fool yourself Apple privacy is a smoke screen. "

      Meaning what? I believe the consensus is that it is an easily-used improvement for the average user. Those in need of the highest level of security clearly would look elsewhere.

      • Pierre_Cartier
      • 1 yr ago

      Steven Miller, I gave you links from cybersecurity researchers with tangible facts, because I am not one of them and I think they know better than me. But if you know better than them, what can I say?

      And yes, Apple fooled many people and authorities on many topics (privacy, ads, repairs, user security and tracking...), like the other GAFAM. That's also why they now have many legal issues to deal with.

      • Steven_Miller.1
      • 1 yr ago

      Pierre Cartier, your statement was:

      "Apple says the IP is hidden but this isn't true. You can check for your IP on any website IP check and they will reveal your real IP. "

      This is not some obscure, technically sophisticated claim, but rather the most easily verified fact that anybody with the most basic capabilities can check for themselves. So, once again, are you claiming that Private Relay does not mask IP addresses, based on simple website IP checks? If Apple has fooled the entire world on this, it would be a most astounding act of deception.

      It seems you have some axe to grind with Apple, because this claim is absurd, sorry. That said, nobody is claiming that PR is as good as a proper VPN, so that is a strawman argument.

      • Pierre_Cartier
      • 1 yr ago

      Steven Miller, the fanboy talking who doesn't know or doesn't want to know, he knows better. Unfortunately you don't want to inform yourself and just trust blindly what you have been told, even when serious people (researchers) can show you a tangible truth. Private Relay leaks users' information, period.

      Just another mundane experience:

      "If Amazon.com can determine one’s real IP Address that’s a SIMPLE PROOF that Private Relay CANNOT BE TRUSTED TO WORK on ANY website, especially Amazon and Google (two of the “biggies”)."

      https://forums.macrumors.com/threads/security-hole-amazon-com-captured-my-real-ip-address-despite-private-relay-being-turned-on.2355822/

      • Steven_Miller.1
      • 1 yr ago

      Pierre Cartier "The fanboy "

      Yes, now come the personal insults. Could you possibly be more stereotypical of social media types?

      " Unfortunately you don't want to inform yourself and just trust blindly what you have been told even when serious people (researchers) can show you a tangible truth."

      So one guy on a forum, with no public credentials as a security researcher, posts his unverified experience. And that's your evidence of a "tangible truth." If so, there should be dozens and dozens of similar reports from trusted reviewers and websites. So, where are they, or is a single such report enough to invalidate the entire technology? And if Apple is behind this conspiracy, is Cloudflare in on the act?

      https://blog.cloudflare.com/icloud-private-relay/

      If I am a fanboy because I work with reliable sources, what does that make you? I am sure more ad hominem attacks will follow, right? You get one free one, then a block.

      • Michael_Smith
      • 1 yr ago

      Pierre Cartier, you're confusing the Amazon app with Safari. The IP protection is only for Safari and Mail. This might help clear it up; it does indeed work very well, even with Amazon.

      https://whatismyipaddress.com/everything-you-need-to-know-about-apple-private-relay

      • Pierre_Cartier
      • 1 yr ago

      Michael S, thanks for the response, but it's sad you didn't take the time to read the person's post before answering.

      "I logged into Amazon.com today using Safari with Private Relay turned ON over a cellular"

      No confusion here mate. 

      • Pierre_Cartier
      • 1 yr ago

      Steven Miller 

      1. I am a full Apple user with up to $9K of devices at home. FYI, I also have the complete Blue Note collection. So you can also call me an Apple fan and even a jazz addict/fan. So maybe you should open a dictionary to review what "fan" means, because it is far from being an insult.

      2. About the sources I gave you, you unfortunately just picked the one that suits your arguments; selective mind, and pretty hypocritical of you.

      You are just in bad faith, and that will be my last. Enjoy Private Relay.

      • Jason_Kratz.2
      • 1 yr ago

      For anyone finding this later...

      First link has nothing to do with Private Relay. It's about an ID.

      Second link is a bug that is easily worked around (kill/restart apps after turning on the VPN). Not sure if they fixed it in later 16 releases or not. Also has nothing to do with Private Relay, which is not a VPN.

      Third link isn't an issue anymore. Also likely a bug during the beta period, given how old that article is.

      @Pierre Cartier you posted this at the beginning of 2023 with "proof" from very old articles, even when you posted it. Try harder next time.

    • Alex.8
    • 1 yr ago

    When I use NextDNS on my Mac and iPhone with Private Relay on, the DNS lookup shows Cloudflare DNS instead of NextDNS. So I assume it's not working when both are on.

    • pierie
    • 1 yr ago

    If you use an Apple configuration profile or the NextDNS app, Private Relay is compatible with NextDNS. If you use Safari, the test on the NextDNS page under "Installation" fails, but resolution still runs via NextDNS.

      • eager
      • 3 mths ago

      ^ Confirmed. Thanks @pierie.

      NextDNS devs: it looks like a presentational bug on your end that's confusing for the user. Consider just removing that box if it is impossible to confirm the state for a user who uses both Private Relay and NextDNS. Of course, if I'm wrong in some way, please correct what I'm saying.

      Reproduction steps:

      1. Turn on Private Relay and NextDNS. 
      2. Block x.com in DenyList.
      3. Close your browser. Wait a few minutes. 
      4. Turn off all device radios then turn on airplane mode.
      5. Turn off airplane mode then turn on any remaining radios that didn't turn on.
      6. Visit my.nextdns.io. Observe that it's saying you're using Cloudflare instead of NextDNS.
      7. Open Safari private browsing (or any browser's), and visit x.com. Observe that it's blocked. If your browser has somehow cached some of the site, it'll be broken rather than blocked, but it's blocked from here.

      • NextDNs
      • 3 mths ago

      This is due to the way Apple Private Relay works. When Apple Private Relay is enabled, your DNS actually becomes Cloudflare (or Akamai/Fastly). When a DNS mobile configuration is used, we convinced Apple to also check the DNS resolver of the mobile configuration in parallel. The result of the DNS request is ignored, unless it returns a blocking response, in which case the whole DNS resolution is blocked.

      This is far from ideal and won’t work with all configurations. For instance, if you enable block pages, the DNS response is rewritten to point to our blockpage server, which can’t be detected by Apple anymore. Same for rewritten responses etc.

      For all those reasons, we can’t recommend using Apple Private Relay with our service. Changing the status page to « all good » in this configuration would be lying.
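The parallel check the NextDNS reply describes, modelled in Python as an added example (this is not NextDNS or Apple code). The block-page address, the upstream addresses and the rule for what counts as a "blocking response" (NXDOMAIN or a 0.0.0.0/:: answer) are assumptions of this model, not facts stated on the page; the point it shows is why a Block Page rewrite looks like an ordinary answer and therefore no longer blocks anything.

```python
"""Model of Private Relay + DNS mobile configuration as described in the thread.

Constructed example: the relay resolver (Cloudflare/Akamai/Fastly) is always
consulted, the profile resolver (NextDNS) is consulted in parallel, and its
answer only matters when it is a blocking response.
"""
from dataclasses import dataclass
from typing import Optional, Set

BLOCKPAGE_IP = "198.51.100.10"      # constructed block-page address (TEST-NET-2)
UPSTREAM_IP = "203.0.113.5"         # constructed "real" address of any site (TEST-NET-3)
BLOCKING_ADDRESSES = {"0.0.0.0", "::"}  # assumption: null answers count as blocking


@dataclass
class Answer:
    rcode: str                      # "NOERROR" or "NXDOMAIN"
    address: Optional[str] = None   # A/AAAA record, if any


def is_blocking(answer: Answer) -> bool:
    """Assumed relay-side test: only NXDOMAIN or a null address is a block."""
    return answer.rcode == "NXDOMAIN" or answer.address in BLOCKING_ADDRESSES


def profile_resolve(name: str, denylist: Set[str], block_page: bool) -> Answer:
    """Stand-in for the NextDNS profile resolver.

    With Block Page on, a denied name is rewritten to the block-page server,
    which is indistinguishable from a normal answer to the relay-side test.
    """
    if name in denylist:
        if block_page:
            return Answer("NOERROR", BLOCKPAGE_IP)
        return Answer("NOERROR", "0.0.0.0")
    return Answer("NOERROR", UPSTREAM_IP)


def private_relay_resolve(name: str, denylist: Set[str], block_page: bool) -> Answer:
    """Relay resolution: both resolvers queried, profile result only vetoes."""
    relay_answer = Answer("NOERROR", UPSTREAM_IP)   # relay resolver always answers
    profile_answer = profile_resolve(name, denylist, block_page)
    if is_blocking(profile_answer):
        return Answer("NXDOMAIN")                   # whole resolution blocked
    return relay_answer                             # profile answer ignored


if __name__ == "__main__":
    deny = {"x.com"}
    print("default block:", private_relay_resolve("x.com", deny, block_page=False))
    print("block page on:", private_relay_resolve("x.com", deny, block_page=True))
```

With Block Page off the denied name fails as NXDOMAIN, which matches step 7 of the reproduction above; with Block Page on the relay's own answer is returned and the filter is silently bypassed, which is the configuration the reply warns about.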
