iOS devices “intermittently” bypassing DNS protections

I have noticed over the past few months that all iOS devices (variety of up-to-date iPhones and iPads) using Safari have been “intermittently” bypassing various DNS-level protections.

By “intermittently”, I mean it could be blocked, you hit refresh 1 second later, the protection is gone. And it goes back and forth randomly.

Protections Affected:

  • AdGuard Home (SafeSearch)
  • forced SafeSearch via dnsmasq
  • OpenDNS Family Shield
  • etc.

Resolution Attempted:

I test all of these same protections on a Windows laptop and it never is able to bypass protections by simple refresh and such. 100% reliable protection on Windows devices.

It’s just the iOS devices only.

So when using any up-to-date iOS device using Safari, any and all of these DNS-level protections are intermittently bypassed from one second to the next.

At first glance, it may appear that protections are working. But a simple refresh later it could be gone. Another refresh and the protections could be back.

Does anyone else have similar experience with this in recent iOS versions?

Does anyone have any suggestions to stop iOS devices from doing this sneaky stuff?

Thank you

I kind of had this issue too, but I recently installed pi-hole and noticed it blocking a domain from Apple even without any adblock lists configured.

I believe this is a canary domain used by Apple's devices, you might want to look into mask.icloud.com.

2 Likes

Thanks for the suggestion. I just checked and it looks like it is already blocked by @dibdot’s DoH domain and IP lists (https://github.com/dibdot/DoH-IP-blocklists) and therefore not resolving on my machines, which is good. I think his list covers 5 or 6 of those Apple/iCloud DoH and Private Relay domains.

It seems like Apple has done something in recent iOS updates to get around these blockages, although not with 100% success on their part. It’s probably like 50% success.

Didn’t iOS 17 come with some built-in Apple VPN tunnel thing for some regions, if I remember right?

But as usual for Apple: “it ain’t a bug, it’s a feature and Apple never do wrong things!”

2 Likes

That is right. Although Apple also stated that it’s only for paying iCloud+ subscribers or something along those lines.

But in reality, Apple was secretly pushing user devices to those related domains even when they were not paid subscribers. They were doing it regardless.

Also, another weird thing about that iCloud Private Relay VPN thing is that it does not even show up in iOS settings for VPN and device management. They seem to hide it and bake it into Safari directly.

1 Like

According to some random info on teh interweb about the iCloud Private Relay, mask-h2.icloud.com and mask.icloud.com are the ones involved, but they're both in dibdot's list.
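One way to check from the resolver's side whether a device's Private Relay canary lookups are really being refused, as an added example that is not part of this thread: it scans dnsmasq query-log lines (the sample below is constructed, not a real capture) for the two domains named above and reports, per client, whether each lookup got NXDOMAIN or a real answer.

```python
import re
from collections import defaultdict

# Private Relay canary names mentioned in the thread. Apple devices look these
# up first; an NXDOMAIN answer tells them the network does not permit Private Relay.
CANARY_DOMAINS = {"mask.icloud.com", "mask-h2.icloud.com"}

# Constructed dnsmasq log lines (log-queries format); not real captures.
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[1234]: query[A] mask.icloud.com from 192.168.1.20
Jan 10 12:00:01 dnsmasq[1234]: config mask.icloud.com is NXDOMAIN
Jan 10 12:00:05 dnsmasq[1234]: query[HTTPS] mask-h2.icloud.com from 192.168.1.20
Jan 10 12:00:05 dnsmasq[1234]: forwarded mask-h2.icloud.com to 9.9.9.9
Jan 10 12:00:05 dnsmasq[1234]: reply mask-h2.icloud.com is 203.0.113.7
Jan 10 12:00:09 dnsmasq[1234]: query[A] example.org from 192.168.1.30
Jan 10 12:00:09 dnsmasq[1234]: reply example.org is 203.0.113.80
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
NXDOMAIN_RE = re.compile(r"config (\S+) is NXDOMAIN$")  # local NXDOMAIN rule fired
REPLY_RE = re.compile(r"reply (\S+) is \S+$")          # upstream answer returned


def audit_canary_queries(log_text):
    """Return {client: {canary: 'blocked' | 'leaked' | 'unanswered'}}."""
    results = defaultdict(dict)
    asked_by = defaultdict(set)  # canary domain -> clients that queried it
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := QUERY_RE.search(line):
            domain, client = m.group(1).lower(), m.group(2)
            if domain in CANARY_DOMAINS:
                asked_by[domain].add(client)
                results[client].setdefault(domain, "unanswered")
        elif m := NXDOMAIN_RE.search(line):  # refused: device should give up
            domain = m.group(1).lower()
            for client in asked_by.get(domain, ()):
                results[client][domain] = "blocked"
        elif m := REPLY_RE.search(line):  # real answer: relay can be reached
            domain = m.group(1).lower()
            for client in asked_by.get(domain, ()):
                results[client][domain] = "leaked"
    return dict(results)


def leaking_clients(results):
    """Clients for which any canary lookup received a real answer."""
    return sorted(c for c, d in results.items() if "leaked" in d.values())


if __name__ == "__main__":
    audit = audit_canary_queries(SAMPLE_LOG)
    print(audit, "\nclients able to reach Private Relay:", leaking_clients(audit))
```

Run it against `/var/log/dnsmasq.log` (with `log-queries` enabled) instead of the sample to see which clients got a real answer for either canary.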

Yeah, his list is quite comprehensive. I assume that Apple must be hardcoding this in a different way but I have no idea how to determine what cannot be seen.

There's a setting in iOS allowing your Apple devices to use cellular data while on WiFi. If it's turned on, that could be the reason for intermittent resolution of some domains blocked on your WiFi.

3 Likes

That’s a good suggestion because that would be a possibility, but these iOS devices don’t have cellular. Well, one of the iPhones does. The rest of the iPhones don’t have a SIM card and are in airplane mode.

Thank you for your reply. I am always thankful and appreciative for everyone here in the community who share their time and knowledge.

1 Like