iCloud Private Relay ODoH + ISP DNS vs Cloudflare DNS

When using iCloud Private Relay on a Mac or iOS, is using a profile (like paulmillr’s (https://github.com/paulmillr/encrypted-dns) or aheckler’s (https://github.com/aheckler/doh-profiles-for-apple-devices)) the best way to avoid using my ISP’s DNS server?

Cloudflare recommends a manual network setup change (https://developers.cloudflare.com/1.1.1.1/setup/macos/), but that seems less preferable than a profile since it has to be done for each network connection.

I’m also wondering, since iCloud Private Relay uses ODoH and Cloudflare would not, what is more private and/or preferable?

  • ODoH connection via iCloud Private Relay to my ISP’s DNS
  • non-ODoH connection via custom profile to Cloudflare’s DNS

Thanks.

————
Related info:

Cloudflare’s iCloud Private Relay: information for Cloudflare customers (https://blog.cloudflare.com/icloud-private-relay/) does not discuss DNS configuration.

Apple’s iCloud Private Relay Overview Dec2021.PDF (https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF):

If a user has configured custom-encrypted DNS settings using a profile or an app, the DNS server specified will be used instead of ODoH. Safari connections and all unencrypted HTTP connections will also resolve names using the specified DNS server prior to routing through Private Relay.

An unencrypted DNS server provided by a local network or manually edited in Settings (iOS) or System Preferences (macOS) will not be used for iCloud Private Relay traffic.

iCloud Private Relay doesn’t use your ISP’s DNS servers. However, whatever DNS servers are configured in your network setup (which may be your ISP’s) can be used for non-Private-Relay traffic or fallback for possibly-local names.

You can manually change the DNS settings in the network config to use 1.1.1.1 or whatever you prefer. However, if you want encrypted DNS, then yes, installing a profile is necessary, because DoH or DoT can’t be enabled manually without a profile. Unfortunately I don’t think Cloudflare has a signed profile, but there are profiles available here. With the profile installed you’ll still use Private Relay but there won’t be a fallback to your ISP’s servers.


So in most cases, iCloud Private Relay will ignore what is configured locally (manually or via profile), and it will only hit that if a lookup fails or Private Relay loses its connection (which it does from time to time).

I set up 1.1.1.1 as my fallback so my ISP’s DNS will never be used, using the unsigned profile you linked to (I read the profile settings and see no concerns).

Thanks @i40west
