
NextDNS and iCloud Private Relay (macOS and iOS)

There are a lot of posts/conversations here about this subject but I haven't seen any definitive answer on how NextDNS does or does not work in conjunction with Apple's Private Relay service. I have set up two devices (all on the most current versions of either macOS or iOS as of the posting of this question):

  1. On macOS (using Safari), with my NextDNS profile installed and Private Relay OFF, I see the following message on my NextDNS dashboard: "This device is not using NextDNS.
    This device is currently using 'UUNET' as DNS resolver."
  2. On macOS (using Safari), with my NextDNS profile installed and Private Relay ON, I see the following message on my NextDNS dashboard: "This device is not using NextDNS.
    This device is currently using 'Cloudflare' as DNS resolver." I suppose this is correct?
  3. On iOS (with a Profile installed), if Private Relay is ON, the NextDNS dashboard indicates that NextDNS is not being used
  4. On iOS (with a Profile installed), if Private Relay is OFF, everything seems to be working as it is supposed to and the NextDNS dashboard signals green - that NextDNS is being used.

It is difficult to tell whether NextDNS and Private Relay can or should be used together. Do you have definitive guidelines that provide specific information on exactly how to use NextDNS properly in an Apple environment using a Profile? Perhaps Profiles are not the best way to go. Would downloading the apps to each Apple OS be a better approach?  I'm trying to understand the most appropriate way to use the service. Thank you for any guidance you can provide.  - Steve.

12 replies

    • anon.3
    • 7 mths ago

    I second this bug. NextDNS profiles used to work perfectly with iCloud Private Relay; so that only the Safari with iCloud Private Relay would show as not using NextDNS and all other cases would use NextDNS. Now, NextDNS never works in any case unless I use third party software like Adguard to enforce NextDNS, and iCloud Private Relay now does not work under any case.

    • Oli.1
    • 7 mths ago

    @steve.15 Have you verified your DNS IP addresses in Network preferences?

    @anon.3 Concerning AdGuard and iCloud Private Relay... https://adguard.com/kb/adguard-for-mac/solving-problems/icloud-private-relay/

      • Steve.15
      • 7 mths ago

       Thanks for your message. I sincerely appreciate the guidance. I have not updated DNS settings directly in my network preferences. I simply downloaded the appropriate (macOS or iOS) profile from NextDNS and installed it for each device. In addition to that, should I also be updating the DNS settings for my wifi connection? I didn't see that as a requirement in NextDNS's instructions.

      Having said that, I have found that setting Safari's "Hide IP Address" settings to "from Trackers only" (instead of "from Trackers and Websites") did get NextDNS working. The only downside is that when I visit websites in Safari, my IP address won't be hidden, which is unfortunate. I believe it will be hidden by going through NextDNS on any other browser, however. I'm still learning this space, so I may be incorrect.

      I'm starting to wonder if perhaps it might be better to simply disable Private Relay and use a VPN service I trust, either with NextDNS as my DNS resolver if the VPN allows it, or simply also rely on the VPN service's DNS provider. Thank you again!

      • Oli.1
      • 7 mths ago

       I've removed the DNS IP addresses and things are still working fine, so it looks like you were right: they are not required if the Profile is active. Regarding Safari's "Hide IP Address", mine is set with "from Trackers and Websites" and NextDNS is still working fine!

      • anon.3
      • 7 mths ago

       Thank you for the reply. Your reference reminded me that I had previously encountered the issue before, and I had turned off Adguard filtering in order to use iCloud Private Relay. I must have re-enabled the filtering after updating Adguard.

      Disabling Adguard filtering (other Adguard features such as DPI-evasion are not impacted, by the way) and using the NextDNS Apple profile (already done) allowed me to:

      1. Enjoy iCloud Private Relay with its Cloudflare DNS on Safari (macOS)
      2. Enjoy NextDNS on any other browser (macOS)

    • Will_Tisdale
    • 7 mths ago

    They do work together without any issue, and it's simpler than you might think to get the dashboard to say you are using NextDNS.  You need the NextDNS profile installed and active on the current network and when you load the NextDNS dashboard you have to let it see your IP address by hitting "reload and show IP address" in the Safari address bar (macOS) or page settings (iOS).

      • Steve.15
      • 7 mths ago

        This is great and thank you for your guidance. This gives me a sense of confidence that both Private Relay and NextDNS are, in fact, working concurrently. Does this mean, in effect, that for queries I make in Safari, only the first Apple server will see my IP address and that for queries I make in other browsers, NextDNS will see my IP address, but not my ISP or websites visited? Thanks again!!! I'm learning.

      • Will_Tisdale
      • 7 mths ago

       NextDNS will see exactly the same data in all scenarios if you have a NextDNS profile active. They will see the source IP address from the secure DNS query as that does not go through private relay. You can see that from the logs.

      The difference is that with iCloud private relay active, your ISP will not be able to see websites visited, but only if you use Safari. If you use any other browsers iCloud private relay provides no protection against ISP snooping and it's the same as using Safari with it turned off.

      Does that make sense?
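
The dashboard states described in this thread ("This device is not using NextDNS ... using 'Cloudflare' as DNS resolver" when Safari goes through Private Relay, green when the profile answers) can be checked from a script rather than by eye. The following is an added example, not NextDNS's own code: it parses the kind of JSON the NextDNS device test returns and maps it to the three situations the posters describe. The field names ("status", "resolver", "srcIP") and all sample responses are assumptions constructed for the example, so it runs offline; the classification logic is the point.

```python
"""Classify a NextDNS device-test response the way the dashboard messages in
this thread do.  Added example, not NextDNS code: the JSON field names
("status", "resolver", "srcIP") are assumptions modelled on the NextDNS
device test, and every response below is a constructed sample."""
import json

# Resolver name the thread reports when Safari's traffic goes through
# iCloud Private Relay instead of the NextDNS profile.
PRIVATE_RELAY_RESOLVER = "Cloudflare"

# Constructed sample responses (not captured from a real device).
SAMPLES = {
    # iOS, profile installed, Private Relay OFF: dashboard shows green.
    "ios_profile_relay_off": '{"status": "ok", "protocol": "DOH", '
                             '"profile": "abc123", "srcIP": "203.0.113.10"}',
    # macOS Safari, profile installed, Private Relay ON: relay resolver answers.
    "macos_safari_relay_on": '{"status": "unconfigured", "resolver": "Cloudflare", '
                             '"srcIP": "203.0.113.10"}',
    # macOS Safari, profile installed, Private Relay OFF, profile not active.
    "macos_safari_relay_off": '{"status": "unconfigured", "resolver": "UUNET", '
                              '"srcIP": "203.0.113.10"}',
    # Something other than the test endpoint answered (captive portal, block page).
    "garbage": "<html>not json</html>",
}


def classify(response_text):
    """Return 'nextdns', 'private-relay', 'other-resolver' or 'unknown'."""
    try:
        data = json.loads(response_text)
    except ValueError:
        return "unknown"          # non-JSON body: the test never reached NextDNS
    if not isinstance(data, dict):
        return "unknown"          # JSON, but not the object shape we expect
    if data.get("status") == "ok":
        return "nextdns"          # the profile's DoH path answered the query
    if data.get("resolver") == PRIVATE_RELAY_RESOLVER:
        return "private-relay"    # Safari fetched the page through Private Relay
    return "other-resolver"       # ISP / router resolver; profile not active here


def explain(response_text):
    """Turn the classification into the interpretation given in the thread."""
    state = classify(response_text)
    messages = {
        "nextdns": (
            "Queries reach NextDNS. The source IP in the NextDNS logs is this "
            "device's real address: the DoH query does not go through Private Relay."
        ),
        "private-relay": (
            "Safari fetched this page through iCloud Private Relay, so the relay's "
            "resolver answered instead of NextDNS. Other apps still use the profile; "
            "for Safari, 'Hide IP address: from Trackers only' or 'reload and show "
            "IP address' changes what the dashboard reports."
        ),
        "other-resolver": (
            "Neither NextDNS nor Private Relay answered; check that the NextDNS "
            "profile is installed and active on the current network."
        ),
        "unknown": (
            "The test endpoint did not return JSON; something intercepted the "
            "request before it reached NextDNS."
        ),
    }
    return messages[state]


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {classify(body)}\n  {explain(body)}")
```

The "unknown" branch matters in practice: a captive portal or a filtering appliance that answers the test URL with an HTML page would otherwise be misread as "not using NextDNS", which is a different problem from the Private Relay interaction discussed here.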

      • Steve.15
      • 7 mths ago

       It almost completely makes sense. I thought that if I’m running NextDNS via DOH (or over TLS), that both the DNS query AND the destination website were encrypted, not just the query itself. I think I have a handle on most things though. 

      I’m now leveraging both Private Relay and NextDNS, which is great. I suppose if I want to obfuscate my IP address then that will require a VPN. I’m not as concerned about that for the most part given that the websites I use are https. But I do understand that that’s still a weak point in my privacy workflow. I’m giving thought as to whether to go back to using a VPN on a regular basis (e.g., when not on a public network) but thus far, I’ve opted not to do so. Thank you again for your insights. 

    • starfruitman
    • 6 mths ago

    So they can work together, but you have to change every device, correct? Previously, I used NextDNS to block stuff on my entire network by adding it to my router.

    Now, it does work, but I have to manage every device to make it work, correct?  There's no way to blanket block stuff from the router if a new device joins my network while using Private Relay?

      • Will_Tisdale
      • 6 mths ago

       No, if the devices have Private Relay enabled, your router DNS will not be used for Mail or Safari on those devices unless you have a profile installed.

    • starfruitman
    • 6 mths ago

    Thanks, @will_tisdale. That's what I thought. I understand the technology, but this is a bummer. I used to use NextDNS to block stuff on my network so my kids and their friends couldn't access it here.  

    Apple's Private Relay now messes it all up and makes NextDNS another subscription that I won't be paying for.
