Cajuntank
Contributor II

iCloud Private Relay question?

I am following https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-iCloud-Private-Relay-from-byp... to block iCloud Private Relay from bypassing the security inspection. My question comes in at the DNS filter portion of the guide. Since I do not use the DNS filter option in my FortiGates, I just create DNS policies on my internal Windows DNS servers to DENY (provides a response and not a drop) those domains. This brings up the bigger question for me: by Apple's own admission, the only two domains needing to be set with "no error no answer" (or at least some response, just not dropped) are mask.icloud.com and mask-h2.icloud.com. The linked guide, however, adds several other domains beyond what Apple states, so I am just wondering about the discrepancy between Apple and Fortinet?
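As an added illustration of the approach the post describes (not code from the post, nor from the Fortinet or Apple documentation), the following PowerShell creates a Windows DNS Server query-resolution policy that answers queries for the two hostnames the post names with an error response (DENY) instead of silently dropping them (IGNORE), and then checks from the server itself that the names no longer resolve. The policy name and processing order are assumptions; the cmdlets are the standard DnsServer module ones.

```powershell
# Added example: a Windows DNS Server policy for the two Private Relay
# hostnames named in the post. Run in an elevated session on the DNS server
# (or add -ComputerName to the DnsServer cmdlets). Requires the DnsServer module.

# Hostnames from the post; the policy name is an assumption.
$relayHosts = @('mask.icloud.com', 'mask-h2.icloud.com')
$policyName = 'Block-iCloudPrivateRelay'

# The -FQDN criterion is the operator "EQ," followed by a comma-separated name list.
$fqdnCriteria = 'EQ,' + ($relayHosts -join ',')

# DENY sends the client an error response; IGNORE would drop the query, which is
# the behaviour the post wants to avoid because clients then wait for a timeout.
if (-not (Get-DnsServerQueryResolutionPolicy -Name $policyName -ErrorAction SilentlyContinue)) {
    Add-DnsServerQueryResolutionPolicy -Name $policyName `
        -Action DENY `
        -FQDN $fqdnCriteria `
        -Condition AND `
        -ProcessingOrder 1 `
        -PassThru
}

# Verification: with the policy in place an A query returns promptly with no
# address records, whereas a dropped query would hang until the resolver times out.
# Resolve-DnsName reports an error RCODE as a non-terminating error, so it is
# captured rather than allowed to abort the loop.
foreach ($h in $relayHosts) {
    $result = Resolve-DnsName -Name $h -Type A -Server 127.0.0.1 -DnsOnly `
        -ErrorAction SilentlyContinue -ErrorVariable dnsErr
    if ($result) {
        Write-Warning "$h still resolves to $($result.IPAddress -join ', '); policy not in effect"
    } else {
        $msg = if ($dnsErr) { $dnsErr[0].Exception.Message } else { 'empty answer' }
        Write-Output "$h : no address returned ($msg)"
    }
}
```

The check only proves the internal server's own behaviour; a client that is pointed at a different resolver (or uses DNS over HTTPS) is not covered by it, which is the case the web filter step in the Fortinet guide is there for.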

1 Solution
gfleming

I would say Fortinet's documentation is more detailed and exhaustive as it covers off all possible ways to block the traffic. If someone can bypass the DNS server then the web filter will block.

Cheers,
Graham


3 Replies
gfleming
Staff

I would think Fortinet's documentation to block is the one to follow. Apple's documentation may be talking about the bare minimum for functionality. Can you post the Apple documentation you are referencing?

Cheers,
Graham
Cajuntank

Sure, it's this link that was referenced (at the bottom) in the tech tip link I referred to in my question.

https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay

