
Ability to NXDOMAIN or NODATA particular domains
There are a few use cases for this, but the most important ones are making Firefox not use DNS-over-HTTPS and disabling iCloud Private Relay.
Both are done by returning NXDOMAIN or NODATA for canary domains:
- use-application-dns.net (Firefox) [currently NODATAs by default, I'm guessing this was intentional]
- mask.icloud.com (iCloud Private Relay)
- mask-h2.icloud.com (iCloud Private Relay)
Denylisting the iCloud domains (or enabling the Parental Controls bypass-prevention feature) makes them return 0.0.0.0, but the client requires either NXDOMAIN or NODATA to turn Private Relay off, so the Denylist/Parental Controls feature doesn't actually do anything to disable the service.
The Parental Controls feature to prevent bypassing doesn't work here -- iCloud will allow itself to be enabled, and then doh.dns.apple.com gets denied, but the underlying VPN-like feature still continues to work. I'd find it acceptable for this setting to cause the domains to NXDOMAIN if that's the easiest path forward, but it would be nice if the Denylist could specify 0.0.0.0/NODATA/NXDOMAIN as the response.
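The distinction the request hinges on is NXDOMAIN (RCODE 3) or NODATA (NOERROR with an empty answer section) versus an A record of 0.0.0.0, which is a normal answer as far as the client is concerned. The following is an added example, not code from the original request or from the resolver project it is filed against: a small wire-format classifier that tells those three outcomes apart, plus a UDP helper for checking a resolver's actual answer for each canary domain. `build_response` constructs sample responses so the classifier can be exercised offline; the `query_resolver` helper and its resolver address are assumptions for live use and are not required for the offline run.

```python
import socket
import struct

# Canary domains named in the request above (constructed mapping, for reporting only).
CANARY_DOMAINS = {
    "use-application-dns.net": "Firefox DoH canary",
    "mask.icloud.com": "iCloud Private Relay",
    "mask-h2.icloud.com": "iCloud Private Relay",
}

def _encode_name(name):
    """Encode a dotted name in DNS label format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, two bytes
            return off + 2
        off += 1 + length

def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive A (or other qtype) query for name."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", qtype, 1)

def build_response(name, rcode=0, addrs=(), txid=0x1234):
    """Construct a DNS response (constructed sample data, used for offline testing)."""
    flags = 0x8180 | (rcode & 0xF)     # QR=1, RD=1, RA=1
    answers = b""
    for addr in addrs:
        if ":" in addr:
            rtype, rdata = 28, socket.inet_pton(socket.AF_INET6, addr)
        else:
            rtype, rdata = 1, socket.inet_aton(addr)
        # 0xC00C points back at the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 60, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", 1, 1) + answers

def classify_response(data):
    """Classify a response as NXDOMAIN, NODATA, NULL_ROUTE (0.0.0.0 / ::) or ANSWER."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0xF
    if rcode == 3:
        return "NXDOMAIN"
    if rcode != 0:
        return "RCODE%d" % rcode
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4       # qtype + qclass
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    if not addrs:
        return "NODATA"        # NOERROR with no address records (CNAME-only counts here too)
    if all(a in ("0.0.0.0", "::") for a in addrs):
        return "NULL_ROUTE"
    return "ANSWER"

def disables_service(verdict):
    """Only NXDOMAIN or NODATA satisfy the canary check; a 0.0.0.0 answer does not."""
    return verdict in ("NXDOMAIN", "NODATA")

def query_resolver(name, resolver="192.0.2.53", timeout=2.0):
    """Send one UDP query and classify the reply (resolver address is an assumed placeholder)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return classify_response(data)

if __name__ == "__main__":
    for domain, service in CANARY_DOMAINS.items():
        verdict = query_resolver(domain)
        print(domain, service, verdict, "disabled" if disables_service(verdict) else "NOT disabled")
```

Running the script against a resolver reports, per canary domain, whether the answer actually meets the NXDOMAIN/NODATA condition; a resolver that denylists the domains to 0.0.0.0 will show `NULL_ROUTE` and `NOT disabled`, which is exactly the gap described above.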