I am following https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-iCloud-Private-Relay-from-byp... to block iCloud Private Relay from bypassing the security inspection. My question comes in at the DNS filter portion of the guide. Since I do not use the DNS filter option in my FortiGates, I just create DNS policies on my internal Windows DNS servers to DENY (provides a response and not a drop) those domains. This brings up the bigger question for me: by Apple's own admission, the only two domains needing to be set with "no error no answer", or at least some response (just not dropped), are mask.icloud.com and mask-h2.icloud.com. The linked guide, however, adds several other domains beyond what Apple states, so I am just wondering about the discrepancy between Apple and Fortinet?
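The distinction the post draws between a DENY response and a silent drop is something you can verify against your own resolver. The script below is an added example, not code from the thread, the Fortinet guide or Apple: it sends a raw A query for each of the two hostnames Apple documents and reports whether the resolver answered, returned an error rcode (NXDOMAIN, REFUSED, SERVFAIL) or dropped the query. The resolver address (default 127.0.0.1) and the 2-second timeout are assumptions.

```python
"""Check how a resolver treats the iCloud Private Relay hostnames.

Builds a raw DNS A query (standard library only), sends it to a resolver and
classifies the outcome as ANSWERED, ERROR:<rcode> (a response arrived but with
a non-NOERROR rcode or no answer records) or DROPPED (no response at all).
"""
import socket
import struct

PRIVATE_RELAY_HOSTS = ["mask.icloud.com", "mask-h2.icloud.com"]  # from Apple's docs
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a recursive A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes, txid: int = 0x1234) -> str:
    """Map a DNS response to ANSWERED / ERROR:<rcode> / MALFORMED from its header."""
    if len(resp) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id or QR bit not set
        return "MALFORMED"
    code = flags & 0x000F
    rcode = RCODES.get(code, f"RCODE{code}")
    if rcode != "NOERROR":
        return f"ERROR:{rcode}"
    return "ANSWERED" if ancount > 0 else "ERROR:NODATA"  # NOERROR with no records


def probe(resolver: str = "127.0.0.1", hosts=PRIVATE_RELAY_HOSTS, timeout: float = 2.0) -> dict:
    """Query each host once over UDP; a timeout means the resolver dropped the query."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # assumption: 2 s is long enough for an internal resolver
        for host in hosts:
            sock.sendto(build_query(host), (resolver, 53))
            try:
                resp, _ = sock.recvfrom(512)
                results[host] = classify_response(resp)
            except socket.timeout:
                results[host] = "DROPPED"
    return results


if __name__ == "__main__":
    import sys
    for host, verdict in probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1").items():
        print(f"{host:22} {verdict}")
```

A verdict of ERROR:NXDOMAIN or ERROR:REFUSED is the "response, not a drop" behaviour the post relies on; DROPPED means the policy is silently discarding the query instead.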