"Advanced Tracking and Fingerprinting Protection" leaks DNS queries to Apple DNS server

The “Advanced Tracking and Fingerprinting Protection” introduced in Safari in iOS 17 leaks DNS queries to Apple DNS server. Users who rely on custom DNS to block malware domains will be unprotected. The same applies when you use a family DNS server that blocks adult websites such as Adult websites will open when “Advanced Tracking and Fingerprinting Protection” is active. Any fixes?

Disable “Advanced Tracking and Fingerprinting Protection”.


A teen will reenable that within seconds.

What’s your point? A teen could just as easily enable DoH in their browser or specify their own DNS server or do any one of 10,000 things to bypass a configured DNS server if they have administrative control of the machine they are utilizing.

There’s nothing special about this ‘feature’.

My point is self-evident. Yes, some teens could do some of those things you mention. But I suspect that the folks at Cloudflare knew that and released Family knowing it would provide some barrier to entry. Yes, filtering is a game of “whack a mole.” It’s that iOS 17 makes it a heck of a lot unacceptably easier.

You’re trying to use two competing products at the same time. Apple’s trying to prevent your DNS requests from going to a service that tracks you, and so is Cloudflare.

Apple also provides fingerprint protection. Cloudflare also provides filtering. You’re just going to have to choose which is more important to you.


On my device Apple’s Advanced Tracking and Fingerprinting Protection respects a custom DNS server using native DoH, same as iCloud Private Relay does. Mind you, it still leaks DNS, but if I block a domain on my custom DNS server, I can’t visit that domain with Safari. For iCloud Private Relay that’s also the documented behavior, but only when native DoH is used. I can’t share a link here to that documentation.