Any updates from NextDNS developers on NextDNS and iCloud Private Relay? According to NextDNS forums they were working with Apple during the beta period on solution, but what is the status now, 4 months later? for me NextDNS shows Cloudflare or Akamai when Private Relay is enabled.
Private Relay is essentially a VPN. VPNs use their own DNS. Apple has to allow their ‘VPN’ to use third-party DNS. I don’t think that is going to happen, as Apple is much too paranoid.
This is really up to Apple more than NextDNS. Cloudflare and Akamai are some of the largest in the world, NextDNS is not even close to that. So sometime between now and never I would predict.
It has been working fine for months and is now also confirmed to be working together in Apple’s product overview.
From Apple’s documentation PDF:
Custom DNS settings … If a user has configured custom-encrypted DNS settings using a profile or an app, the DNS server specified will be used instead of ODoH. Safari connections and all unencrypted HTTP connections will also resolve names using the specified DNS server prior to routing through Private Relay.
Apple actually said in a video and mentioned NextDNS that they’re working on it.
I get what you’re saying. Based on your comment link below, and what OP is referring to, the issue is that Apple is only using NextDNS to see if a domain is blocked and then it does the resolution using iPR (dual lookups), effectively bypassing NextDNS.
The NextDNS team said Apple could not implement proper implementation in time for this to work right. So the problem is still with Apple.
It’s up to Apple, not NextDNS. Apple’s service is a full-blown VPN that overrides DNS settings. Apple has to configure their VPN service to allow 3rd party DNS services to work with it, but do so in a trusted manner so malicious services can’t override it.
You can test this yourself by installing any VPN service and checking your DNS resolver. Then change it to be NextDNS in the VPN app and voila, now it’s NextDNS.
The reason it shows Akamai or Cloudflare is because Apple is using their networks for the IPR (iCloud Private Relay) service.
For now, you can’t have both. It’s NextDNS or IPR.
According to Apple, NextDNS is not bypassed but used instead of ODoH (“the DNS server specified will be used instead of ODoH […] prior to routing through Private Relay”).
It’s not an ideal solution for NextDNS because there is some duplication and missing features, but I haven’t seen any issues since testing the betas and my pings are great (<19 ms).
I’m also awaiting an ideal solution, but in the meantime, I just wanted to mention that it already works with some limitations, them mostly being the status icon not working on NextDNS and confusing users.
For now, you can’t have both. It’s NextDNS or IPR.
That’s incorrect. They are used together in a cascade.
From Apple’s documentation PDF:
Custom DNS settings … If a user has configured custom-encrypted DNS settings using a profile or an app, the DNS server specified will be used instead of ODoH. Safari connections and all unencrypted HTTP connections will also resolve names using the specified DNS server prior to routing through Private Relay.
Ah, so the blocking still happens despite the (supposedly) dual lookups?
That seems to defeat the privacy aspect of iPR, but at least the blocking would work.
Anyway, I don’t use iPR as the privacy implication is a false hope even if it did work properly.
He’s referring to the beta of IPR, not NextDNS, I’d assume.
You can test this pretty easily. Download the Apple Profile Generator and configure a set of any DoH servers you want. Install the profile, choose that profile, and watch IPR override it every time. NextDNS offers a profile that doesn’t use their app at all. Same behavior.
All the profile does is instruct iOS to use a set of DoH servers. It’s up to iOS to honor it and with IPR enabled, it simply doesn’t.
That’s incorrect. They are used together in a cascade.
It’s not incorrect, it’s the reality. Perhaps it’s supposed to work, but it doesn’t.
Yes, blocking works, just the status indicators and some other features like DNS rewrites don’t.
From everything I read, it doesn’t lower anonymity with the Private Relay service itself. Neither Apple nor the CDN partner knows who you are or where you are going at the same time. Apple still uses the ingress proxy because they need to geohash the IP for the egress proxy, this aspect isn’t defeated, but putting everything through NextDNS prior to that is of course not private, maybe that’s what you meant?
What is your concern with PR? From what I’ve read (mostly hackernews and some security people on twitter), it comes close to Tor and is much better than any VPN due to its technical architecture.
That’s incorrect. As mentioned in OP’s link to the comment from NextDNS, they do work together, just some features aren’t yet supported (like the status icon, etc.). Also, in Apple’s documentation PDF, there is a section on encrypted custom DNS and how it works together with Private Relay.
Many people have been using them together for months as well. You just need to disable the landing page in NextDNS for blocked domains.
Sorry it’s not working for you, but it sure is for me (and dozens of other users, who confirmed it on the NextDNS community pages). I have been using them together for months without issues.
Please know that I’m trying to be helpful and that’s why I post the following, not just to contradict you. Maybe this will change your situation of the two not working together…
As mentioned here by NextDNS staff (4 months ago), NextDNS and Private Relay work together with some limitations. NextDNS “worked with Apple on this and agreed on a better solution, but they could not implement it on time for the release.”
So what are the limitations? Quoted from NextDNS:
- Our status page won’t work properly
- Blocking won’t work at all if the blockpage feature is enabled
- Rewrites won’t work and thus safe search and youtube restricted mode won’t be enforced by extension
- DNS leak tests will show another resolver than NextDNS
Unless you are a heavy user of custom DNS rewrites, all you need to do is to disable the landing block page feature, which can be found in your settings tab and has the following function:
Display a block page when a domain is being blocked. This may slightly increase page load time and an HTTPS warning may appear in some cases. When disabled, blocked queries will be answered with the unspecified address (0.0.0.0 or ::).
It’s important to note that this is only a cosmetic landing page that is not needed for blocking itself (and also makes everything a bit slower if enabled).
When this feature is disabled, NextDNS does block ads and trackers and everything you have set up in your security and privacy tabs. Some features in the parental control won’t work because they depend on DNS rewrites. The NextDNS status icon on your setup tab and some of their test sites also won’t work (it will show the Private Relay DNS).
This is confusing to users and that’s why NextDNS doesn’t recommend using the two together until Apple implements the “better solution”.
However, a lot of people use NextDNS for ad/tracker-blocking and not DNS rewrites or the landing page feature.
Knowing these limitations, here are several ways you can confirm that the two are working together:
- Use DNS testing pages like the ones from Perfect Privacy, ipx, or browserleaks to see that you are using the NextDNS servers. Some of them will show both NextDNS and the used Private Relay CDN partner DNS (Cloudflare, Akamai, or Fastly).
- Look at your NextDNS logs and browse some pages in Safari. You will see that your blocklists are still blocking and also that there are entries to Apple’s Private Relay domains (like mask.apple-dns.net), as seen in this screenshot. This is the duplication of DNS entries NextDNS referred to and what Apple’s documentation referenced as using the custom DNS “prior to routing through Private Relay”.
- Try to open any page that you know your setup blocks.
This is confirmed to be working when encrypted DNS is used, like with the NextDNS app or profile (DoH). Unencrypted DNS will be overruled by Private Relay:
If a user has configured custom-encrypted DNS settings using a profile or an app, the DNS server specified will be used instead of ODoH. Safari connections and all unencrypted HTTP connections will also resolve names using the specified DNS server prior to routing through Private Relay.
An unencrypted DNS server provided by a local network or manually edited in Settings (iOS) or System Preferences (macOS) will not be used for iCloud Private Relay traffic.
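The blocking test from the last bullet above, written as a small script that is added here and is not from the NextDNS post or Apple’s documentation: it resolves a name you expect NextDNS to block and a control name, and treats an answer of only 0.0.0.0 / :: (what NextDNS returns once the block page feature is disabled) as a working block. The domain names and addresses in the sample are constructed, and `check` is a hypothetical helper.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed sample answers (documentation-range addresses, not real data):
# a name NextDNS blocks is answered with the unspecified address once the
# block page feature is off; an ordinary name resolves through the cascade.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "ads.example-tracker.invalid": ["0.0.0.0", "::"],
    "www.example.com": ["192.0.2.10", "2001:db8::10"],
}

def classify(addresses: List[str]) -> str:
    """'blocked' if every answer is 0.0.0.0 or ::, 'resolved' if any real address, else 'empty'."""
    if not addresses:
        return "empty"
    if all(ipaddress.ip_address(a).is_unspecified for a in addresses):
        return "blocked"
    return "resolved"

def system_resolver(name: str) -> List[str]:
    """Resolve via the OS stub resolver, which is what the NextDNS DoH profile
    or app configures; [] on NXDOMAIN or any other lookup failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for system_resolver, backed by SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(name, [])

def check(expect_blocked: List[str], control: str,
          resolver: Callable[[str], List[str]] = system_resolver) -> Dict[str, str]:
    """Hypothetical helper: classify each name and add a 'verdict' entry saying
    whether NextDNS blocking is still effective while Private Relay is on."""
    results = {n: classify(resolver(n)) for n in expect_blocked + [control]}
    if results[control] != "resolved":
        results["verdict"] = "control name did not resolve: resolver down or misconfigured"
    elif all(results[n] == "blocked" for n in expect_blocked):
        results["verdict"] = "blocking effective: NextDNS answers ahead of Private Relay"
    else:
        results["verdict"] = ("expected-blocked names resolved: confirm the block page "
                              "feature is disabled and an encrypted (DoH) profile is active")
    return results

if __name__ == "__main__":
    for name, state in check(["ads.example-tracker.invalid"], "www.example.com").items():
        print(f"{name}: {state}")
```

Run it on a device with Private Relay on and the NextDNS profile or app installed, replacing the sample names with a domain from your own blocklist; a "blocked" result confirms the cascade even though leak-test pages still show the CDN partner.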
I’m not saying that PR is bad for privacy, but there are many forms of tracking that do not care if you are on a VPN.
Sure it’s a useful tool, but I would rather focus on content blocking and cookie/storage control than worry about my endpoint.
There is one exception that I might try and see if it works: I use a shadowsocks server occasionally to bypass throttling attempts from my ISP. The ISP will throttle Reddit sometimes, all the while YouTube is lightning fast. When I turn on the shadow, it instantly and enormously speeds up.
Typical VPNs don’t help, so far only shadowsocks works. If PR fights that though, then it would be worth it.
So what are the limitations? Quoted from NextDNS:
Our status page won’t work properly
Ah ha. That is the primary method by which I’ve concluded “it doesn’t work.” I probably should have extended it to a blocking test or some such. Thanks for taking the time to clarify, have some gold for making the effort, my friend!
Thank you for reading and I hope this will work for you too soon.