iCloud Private Relay blocking doesn’t work with AdGuard DNS

[ghost]

Platform

iOS

Protocol

DNS-over-HTTPS

Do you use AdGuard app?

No I don't

Your configuration

AdGaurd DNS is being used in iOS with a configuration profile, using the AdGuard DNS filter.

Traceroute to AdGuard DNS

No response

Issue Details

When using AdGuard DNS and enabling the block iCloud+ Private Relay function, it doesn’t get blocked.

When using the same feature with ControlD, I instantly get a message saying that iCloud+ Private Relay is unavailable.

Expected Behavior

When enabling iCloud Private Relay blocking, I would expect a message saying that iCloud Private Relay is unavailable.

Actual Behavior

iCloud Private Relay isn’t blocked at all.

Screenshots

Screenshot 1:

Additional Information

No response

[Batman2814]

https://github.com/AdguardTeam/AdGuardDNS/issues/451

I opened this same issue about a year ago, and you guys said it wasn't a bug. Now you are saying it is a bug. This bug should have been fixed when it was first reported a year ago.

[ghost]

It seems that it can definitely be blocked via DNS, proven with Control D, it's just that whichever way it's being implemented by AdGuard is not effective.

[donald2612]

It can easily blocked by putting these rules into the user-defined rules section of the server:

||mask-h2.icloud.com^$dnsrewrite=NXDOMAIN;; ||mask.icloud.com^$dnsrewrite=NXDOMAIN;;

It is not really a bug, but depends what block-mode you are using. The standard block-mode uses a null-ip instead of NXDOMAIN. I've read in the Adguardhome-github that this fixes it.

But if you put the function into their GUI, the AdGuard-Team should take note of the correct block-mode for each service.

[ghost]

Turns out that does the trick.

I'm not sure why that's the case though.