
Ability to NXDOMAIN or NODATA particular domains

There's a few use cases around this, but most importantly: making Firefox not use DNS-over-HTTPS and disabling iCloud Private Relay.

These are both done by NXDOMAIN-ing or NODATA-ing canary domains:

  1. use-application-dns.net (Firefox) [currently NODATAs by default, I'm guessing this was intentional]
  2. mask.icloud.com (iCloud Private Relay)
  3. mask-h2.icloud.com (iCloud Private Relay)

Denylist-ing the iCloud domains (or enabling the Parental Controls bypass feature) makes them return 0.0.0.0, but it requires either NXDOMAIN or NODATA, thus the Denylist/Parental Controls feature doesn't actually do anything to disable the service.

The Parental Controls feature to prevent bypassing doesn't work here -- iCloud will allow itself to be enabled, and then doh.dns.apple.com gets denied, but the underlying VPN-like feature still continues to work. I'd find it acceptable for this setting to cause the domains to NXDOMAIN if that's the easiest path forward, but it would be nice if Denylist could specify 0.0.0.0/NODATA/NXDOMAIN as the response.
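
As an added example (not part of this thread or of NextDNS's own code), a stdlib-only Python checker that classifies what a resolver returns for a canary domain as NXDOMAIN, NODATA, a 0.0.0.0 sinkhole or a normal resolution, which is the distinction the request above turns on; the responses here are constructed inline, and a real check would feed it the raw bytes a resolver returns on UDP port 53 instead.

```python
import socket
import struct

A_TYPE, IN_CLASS = 1, 1  # DNS type A, class IN

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def build_response(name, rcode, a_records=()):
    """Constructed sample response (not captured traffic): QR/RD/RA set, one question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", A_TYPE, IN_CLASS)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, 60, 4)
                       + socket.inet_aton(ip) for ip in a_records)
    return header + question + answers

def classify(msg):
    """Return NXDOMAIN, NODATA, SINKHOLE (only 0.0.0.0 answers) or RESOLVED."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if (flags & 0x000F) == 3:  # RCODE 3 = NXDOMAIN
        return "NXDOMAIN"
    off = 12
    for _ in range(qd):  # skip the question section (name + type + class)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_TYPE and rclass == IN_CLASS:
            addrs.append(socket.inet_ntoa(msg[off:off + rdlen]))
        off += rdlen
    if not addrs:
        return "NODATA"
    return "SINKHOLE" if all(ip == "0.0.0.0" for ip in addrs) else "RESOLVED"

# Constructed responses for the canary domains named in the thread
SAMPLES = {"use-application-dns.net": build_response("use-application-dns.net", 0),
           "mask.icloud.com": build_response("mask.icloud.com", 0, ["0.0.0.0"]),
           "mask-h2.icloud.com": build_response("mask-h2.icloud.com", 3)}
```

Only the NXDOMAIN and NODATA outcomes are the ones the post says actually disable the feature; SINKHOLE is the 0.0.0.0 result that the Denylist currently produces.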

3 replies
  • I agree to this. I also need this to block iCloud Private Relay. It prevents the use of NextDNS this way.

  • I agree. I would love to block iCloud Private Relay on my network so it can use NextDNS!! +1

  • We will automatically use NXDOMAIN when those domains are blocked with the next server release. 0/0 used to work, they probably changed something.

Status: Planned