iCloud Private Relay disables Quad9 / NextDNS and offers no malware protection

Enabling Private Relay bypasses Quad9 / NextDNS and router-specific security features such as AiProtection on Asus routers.

Quad9 and NextDNS use threat intelligence feeds to protect against malware. When you enable Private Relay, all those protections get effectively disabled. I tested this by using two different test-malware sites (I will not link to them, for obvious security reasons). With Private Relay off and Quad9 on, the websites would not load in Safari. With Private Relay on, not only did the websites load, but one offered to download an .exe file.

This is surprising and quite alarming! Private relay keeps you anonymous, but not safe from malware. Apple needs to add threat intelligence feeds to their service.

Private relay encrypts the communication early on so all the stuff you are asking for is not possible. And it’s actually the entire point. Using something like private relay or a private vpn but then relying on your own dns is a bad idea from a privacy standpoint. This is not getting changed.

It is still in beta… I am sure a lot will change
Including its uptime

Or you could just use the two together, like I and other people have for months now, by disabling the blockpage setting in your NextDNS settings (a cosmetic landing page that is unnecessary). NextDNS have posted a comment a few months ago explaining that the filtering will still work like this, just the status icon on their website will not be shown as green because the Apple Relay partner DNS is the last step.

What’s better to use then, NextDNS or private relay?

Yes I understand that, I don’t need NextDNS to work with Private Relay. My argument is that Private Relay keeps you unsafe against online threats. Apple has to add some sort of threat intelligence feed(s) to block malware when using Private Relay, otherwise you’re sacrificing security for privacy, when you could and should have both.

Sorry but I don’t think you’ve understood OP’s issue.

How does it still filter if Private Relay encrypts the query, effectively bypassing NextDNS, and then delivers it to their second relay? Where exactly in the chain of events is NextDNS involved?

For privacy? Private relay is much more effective than any custom DNS solution. But they are very different in what they do. Private relay is more like a VPN (even though they work a little bit differently, but the endgame is similar). All something like NextDNS does is change how you look up DNS addresses. Private relay and VPNs actually encrypt all your data, even from your internet provider. DNS solutions can’t do that. Some cons will allow you to use things similar to NextDNS though, where you can use blocklists etc.

Depends if you want to hide your IP; DNS is only for adblock and trackers.

Private relay is still in beta? How hard is that to understand

They only mentioned that the solution Apple came up with (NextDNS worked together with Apple on this) will duplicate DNS, so it probably filters first and then forwards to the relay. That’s why you will see both your NextDNS server and Apple’s partner networks on sites like https://browserleaks.com/ip. NextDNS mentioned the solution wasn’t ideal (because some features don’t work, like the block page, DNS rewrites and the green status icon) and that they also proposed another one, but it’s up to Apple to change. Overall, I have not seen any issues in the last months when using them together.

DNS-over-HTTPS (or TLS) also provides privacy and security for your DNS lookups. Apple should not be forcing one DNS solution. Private Relay should be a separate concern from DNS (just tunneling packets), and let custom DNS or DNS-over-HTTPS run on top of it like any other IP packet.

How? If private relay encrypts my dns query then it bypasses nextdns.

I understand what you’re saying but it being in beta isn’t the issue there

How can you confirm that it still filters?

Would you happen to know if that duplicated DNS query would then negate the iCloud Private Relay benefit of shielding which websites the user visits from their ISP? If the DNS query is sent through private relay and the user’s normal DNS resolver, it sounds like the ISP would still see the request that is made through the user’s normal DNS resolver (in this case, NextDNS).

NextDNS confirmed that the filtering works.

And you can also look at your logs and analytics. Make a live test and your logs will show up with the pages you visit. Blocked pages can’t be opened, just like before.

Please see my comment above. I don’t think your real ISP is involved at any point. They only see encrypted traffic to NextDNS and after that Private Relay does the rest.

I said that DNS-over-HTTPS should run over the Private Relay just like any other IP packet. No separation.

And even if it *didn’t* run through the relay, there would not be much to fingerprint still. You would simply have a connection for encrypted DNS (to a safe, non-logging service like Quad9), and one to Apple. There’s not too much to be gleaned from watching network traffic to just two places, both of which have encrypted traffic.