Cajuntank
Contributor III
November 9, 2022
Solved

iCloud Private Relay question?


I am following https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-iCloud-Private-Relay-from-bypassing/ta-p/228629 to block iCloud Private Relay from bypassing the security inspection. My question comes in on the DNS filter portion of the guide. Since I do not use the DNS filter option in my FortiGates, I just create DNS policies on my internal Windows DNS servers to DENY (provides a response and not a drop) those domains. This brings up the bigger question for me: by Apple's own admission, the only two domains needing to be set with "no error no answer" or at least some response (just not dropped) are mask.icloud.com and mask-h2.icloud.com. The linked guide, however, adds several other domains beyond what Apple states, so I'm just wondering about the discrepancy between Apple and Fortinet.
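The approach the question describes (server-level DNS policies on Windows DNS that answer the two Private Relay bootstrap names with an error instead of dropping the query) can be scripted and then checked from a client's point of view. The following is an added example, not code from the original post or from the Fortinet or Apple documents it links; it assumes the DnsServer PowerShell module (DNS Server role or RSAT) is installed, the two host names are the ones Apple lists as quoted in the post, and `dns01.corp.example` is a placeholder for the resolver being tested. The 2-second cutoff used to tell an error response from a dropped query is a heuristic, not a documented timeout.

```powershell
# Added example (not part of the original thread). Assumes the DnsServer module
# and a resolver named by $DnsServer; 'dns01.corp.example' is a placeholder.
#Requires -Modules DnsServer

$PrivateRelayHosts = @('mask.icloud.com', 'mask-h2.icloud.com')   # names quoted from Apple's guidance in the post
$DnsServer = 'dns01.corp.example'                                   # placeholder resolver to configure and test

function Add-PrivateRelayDenyPolicy {
    # Creates one server-level query resolution policy per host with Action DENY,
    # so the server answers with an error instead of silently dropping the query.
    param([string[]] $Hosts, [string] $ComputerName)
    foreach ($h in $Hosts) {
        $policyName = "Deny-$($h -replace '\.', '-')"
        # Re-runnable: skip names that already have a policy of that name
        $existing = Get-DnsServerQueryResolutionPolicy -ComputerName $ComputerName -ErrorAction SilentlyContinue |
                    Where-Object Name -eq $policyName
        if ($existing) { continue }
        Add-DnsServerQueryResolutionPolicy -ComputerName $ComputerName -Name $policyName -Action DENY -Fqdn "EQ,$h"
    }
}

function Test-PrivateRelayBlock {
    # Queries each host against $Server and classifies what a client would see:
    # ANSWERED (policy not in effect), ERROR-RESPONSE (server replied with an error,
    # the behaviour Apple asks for), or NO-RESPONSE (query dropped, the behaviour to avoid).
    param([string[]] $Hosts, [string] $Server)
    foreach ($h in $Hosts) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $r = Resolve-DnsName -Name $h -Server $Server -DnsOnly -ErrorAction Stop
            $sw.Stop()
            [pscustomobject]@{
                Name   = $h
                Result = 'ANSWERED'
                Detail = (($r | Where-Object { $_.IPAddress }).IPAddress) -join ','
                Ms     = $sw.ElapsedMilliseconds
            }
        } catch {
            $sw.Stop()
            # Heuristic: a fast failure means the server sent an error response;
            # a failure only after a long wait means nothing came back (dropped).
            $kind = if ($sw.ElapsedMilliseconds -lt 2000) { 'ERROR-RESPONSE' } else { 'NO-RESPONSE' }
            [pscustomobject]@{
                Name   = $h
                Result = $kind
                Detail = $_.Exception.Message
                Ms     = $sw.ElapsedMilliseconds
            }
        }
    }
}

Add-PrivateRelayDenyPolicy -Hosts $PrivateRelayHosts -ComputerName $DnsServer
Test-PrivateRelayBlock -Hosts $PrivateRelayHosts -Server $DnsServer | Format-Table -AutoSize
```

Run the check before and after adding the policies: the rows should move from ANSWERED to ERROR-RESPONSE, never to NO-RESPONSE. Run it from a client that resolves through the internal server, because the point of the test is the response the client receives, not the server's own view. The extra domains in the Fortinet tip belong to the web-filter layer the guide also configures, so this script deliberately covers only the two names the post attributes to Apple.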


1 reply

gfleming
Staff
November 10, 2022

I would think Fortinet's documentation to block is the one to follow. Apple's documentation may be talking about bare minimum for functionality. Can you post the Apple documentation you are referencing?

Cajuntank (Author)
Contributor III
November 10, 2022

Sure, it's this link that was referenced (at the bottom) in the tech tip link I referred to in my question.

https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay


gfleming (Accepted answer)
Staff
November 10, 2022

I would say Fortinet's documentation is more detailed and exhaustive, as it covers off all possible ways to block the traffic. If someone can bypass the DNS server, then the web filter will block.