uBlock Origin doesn't work with Safari, and Safari is required for Private Relay.
Ah, but you need the NextDNS app to run on the computer for this to work with Private Relay. I have set up NextDNS on my router, that’s why I couldn’t see any filtering in the logs when Private Relay was active.
Do you have the app running or did you get it to work running from the router?
Another question, does forcing NextDNS to work with Private Relay make me any less anonymous?
That makes sense. Many thanks!
I only know that running the app or the profile on your Mac or iOS device works. I never tried the router installation, sorry.
If you use NextDNS and Private Relay, your DNS will be duplicated, so pages like browserleaks will see both resolvers instead of just the Private Relay networks (from Akamai, Fastly, and Cloudflare). It just shows that you also use NextDNS, but since websites don’t have access to NextDNS account data, it’s not less anonymous. Your real IP and ISP DNS are still not visible to websites.
You could argue that running both will put your website activity in 1 more place because NextDNS will know the sites visited. If only Private Relay was used, this wouldn’t be the case, so in general, you have to trust NextDNS with the data.
But am I still anonymous in regard to my ISP, or can my ISP see me contacting NextDNS first and the DNS I'm trying to resolve before relaying all of my traffic to Private Relay?
But am I still anonymous in regard to my ISP
The ISP will always be the starting point, but it can’t see the contents of the encrypted DNS queries to NextDNS (if you use DoH or DoT). Normally, after that, the ISP would be able to see the IP addresses of the sites visited (just not the domain names because they go through NextDNS).
With NextDNS and Private Relay, it is my understanding that NextDNS will be used just like in the above scenario, but after that, Private Relay will take over, which hinders your ISP from seeing the IP addresses of the visited pages.
From Apple’s documentation (PDF):
If a user has configured custom-encrypted DNS settings using a profile or an app, the DNS server specified will be used instead of ODoH. Safari connections and all unencrypted HTTP connections will also resolve names using the specified DNS server prior to routing through Private Relay.
“… prior to routing through Private Relay” suggests to me that at no point your ISP is involved.
That's excellent! Thank you. I assume DoH is set up by default in NextDNS, or is that an extra setting?
If you use the app for iOS and macOS or the Apple profile, DoH is used by default, yes.
Also worth noting from Apple’s documentation…
An unencrypted DNS server provided by a local network or manually edited in Settings (iOS) or System Preferences (macOS) will not be used for iCloud Private Relay traffic.
So using NextDNS via DoH or DoT (the encrypted ones) is important.
I use the app on my Mac and iOS, but for all my other devices I have it installed on the router. How do I check if DoH is enabled for those devices?
Edit:
According to NextDNS's GitHub, the router CLI is DNS53 to DoH.
NextDNS CLI is a DNS53 to DNS-over-HTTPS (DoH) proxy with advanced capabilities to get the most out of the NextDNS service. Although the most advanced features will only work with NextDNS, this program can work as a client for any DoH provider or a mix of NextDNS + another DNS (split horizon).
On a device without the app installed, go to https://test.nextdns.io and see if it says “protocol”: “DOH”.
Test this without Private Relay enabled.
I’m not sure if the router installation works the same as if the profile or app was used locally on the device. You might want to check your NextDNS logs while browsing from such a device in question. On those devices that don’t use the NextDNS app/profile locally and have Private Relay enabled, you would also have to check if https://browserleaks.com/ip shows both DNS services. If it only shows the Private Relay partners (Cloudflare, Akamai, …) and not also NextDNS servers (Anexia, …), the router method doesn’t work.
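A small checker for the test described above, as an added example that is not part of the thread or of NextDNS's own tooling: it reads a test.nextdns.io-style JSON response and reports whether the device's queries are reaching NextDNS and whether they travel over an encrypted protocol. The thread only quotes the fields "status", "protocol" and "profile" and the values "unconfigured" and "DOH"; the other field names, the "ok" status value and all sample responses are constructed assumptions. As the reply notes, run it with Private Relay turned off, because with Private Relay on the test page cannot see the device's real resolver chain.

```python
import json
import sys
import urllib.request

# Constructed sample responses in the shape the thread quotes.
# Only "status", "protocol" and "profile" appear on the page; the remaining
# fields and the "ok" status value are assumptions for illustration.
SAMPLE_DOH = '{"status": "ok", "protocol": "DOH", "profile": "abc123", "client": "203.0.113.7"}'
SAMPLE_DOT = '{"status": "ok", "protocol": "DOT", "profile": "abc123", "client": "203.0.113.7"}'
SAMPLE_PLAIN = '{"status": "ok", "protocol": "UDP", "profile": "abc123", "client": "203.0.113.7"}'
SAMPLE_UNCONFIGURED = '{"status": "unconfigured", "resolver": "198.51.100.53"}'

# Encrypted transports the thread says matter for Private Relay (DoH or DoT).
ENCRYPTED_PROTOCOLS = {"DOH", "DOT"}


def assess(raw_json: str) -> dict:
    """Classify a test.nextdns.io-style response.

    Returns a dict with:
      configured - True when NextDNS is answering this device's queries
      encrypted  - True when the transport is DoH or DoT
      protocol   - the reported transport, upper-cased ("" if absent)
      verdict    - one-line human-readable summary
    """
    data = json.loads(raw_json)
    status = str(data.get("status", "")).lower()
    protocol = str(data.get("protocol", "")).upper()

    configured = status == "ok"  # assumption: "ok" is the success value
    encrypted = protocol in ENCRYPTED_PROTOCOLS

    if not configured:
        verdict = ("not detected: this device's queries are not reaching NextDNS "
                   "(or Private Relay is on; retest with it off)")
    elif encrypted:
        verdict = f"ok: NextDNS reached over {protocol}"
    else:
        verdict = (f"weak: NextDNS reached over {protocol or 'unknown transport'}; "
                   "Private Relay ignores unencrypted resolvers, use DoH or DoT")

    return {"configured": configured, "encrypted": encrypted,
            "protocol": protocol, "verdict": verdict}


def fetch_live(url: str = "https://test.nextdns.io", timeout: float = 5.0) -> str:
    """Fetch the real test page body (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    if "--live" in sys.argv:
        print(assess(fetch_live())["verdict"])
    else:
        # Offline demonstration over the constructed samples.
        for name, sample in [("DoH", SAMPLE_DOH), ("DoT", SAMPLE_DOT),
                             ("plain UDP", SAMPLE_PLAIN),
                             ("unconfigured", SAMPLE_UNCONFIGURED)]:
            print(f"{name:>13}: {assess(sample)['verdict']}")
```

Run it without arguments to see the four constructed cases, or with `--live` on the device in question to classify the real response; an "unconfigured" result while Private Relay is active is expected and says nothing about whether filtering works, which is why the logs remain the reliable signal.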
Hmm, both with and without the app (NextDNS only on the router) and with Private Relay on, test.nextdns.io says status: unconfigured. But with Private Relay off, the test page is filled with lots of information, including profile: DoH. Strange, because it filters nonetheless (with the NextDNS app on or off and Private Relay on or off), because the NextDNS log filters every new domain I test and says DNS-over-HTTPS.
I don't get this. It's a solid mess. NextDNS's own test page says it's not working, but it is still filtering and DoH-ing. Is it working or is it not?
When Private Relay is enabled, the NextDNS test page can’t show you the correct status because Private Relay is behind it in the chain. This is normal for now.
The point of the test page was to check your configuration (without Private Relay), to see if you get DoH in the first place (instead of something like UDP) because you asked (in this comment) how you could examine that for the devices that don’t use the app or profile.
So if the test page says DoH (without Private Relay), your configuration is correct. But again, the test page and also the green/red status icon in the NextDNS account page won’t work with Private Relay on because it can’t “see”. But NextDNS is still working, just those status/test indicators aren’t.
This is something NextDNS isn’t happy about with the current solution. They rightly mentioned that it is confusing to users, but they also confirmed that filtering itself still works, as you also found out by looking at your logs. If your logs are filling up, it’s working.
You seem very knowledgeable. Are you working for NextDNS or Apple?
Another question since you seem to know your stuff. Where in this whole chain is NextDNS? My guess is one of these two happens:
- Mac asks for youtube.com
- NextDNS app on Mac encrypts the query and sends the DNS query to the nextdns.io server
- NextDNS.io resolves the URL and gives me back the IP address of youtube.com
- My Mac's IP address then gets encrypted by the Private Relay ingress node
- PR ingress node strips my Mac's IP address and sends the resolved YouTube IP address to the Private Relay egress node (Cloudflare)
- Cloudflare decrypts the query and sees the YouTube IP address pointlessly, since it's already resolved by NextDNS
- Cloudflare sends the already resolved IP address of youtube.com in return to the PR ingress node
- Ingress node encrypts it and sends it to my Mac
OR
- Mac asks for youtube.com
- NextDNS app on Mac encrypts the query and sends the URL to the nextdns.io server
- NextDNS.io realises that my Mac has Private Relay and decides it shouldn't resolve the domain name, but filters out the third-party tracker domains, ads etc., and sends the unresolved URL in return to my Mac
- My Mac's IP address then gets encrypted by the Private Relay ingress node
- PR ingress node strips my Mac's IP address and sends the YouTube DNS query to the Private Relay egress node (Cloudflare)
- Cloudflare decrypts the query and finds the IP address of youtube.com
- Cloudflare sends the resolved IP address of youtube.com in return to the PR ingress node
- Ingress node encrypts it and sends it to my Mac
Is this the cascade?
No, I’ve just been using NextDNS with Private Relay since the iOS 15 betas and have read everything NextDNS said about it so far.
It’s unclear how exactly the chain works, NextDNS or Apple would have to confirm this, but from reading the documentation it seems like version 1 is mostly what’s happening. Version 2 seems implausible since you can see your resolved domains in the NextDNS logs.
Given that it’s currently still in beta, I’m also interested in getting more details soon. Since NextDNS isn’t talkative as far as support goes, I hope that the AdGuard team that is working on a NextDNS competitor will answer some of the remaining questions or write a blog post about custom DNS used together with Private Relay.
Yeah, what happened to NextDNS? Olivier at least used to be very active with the community; they even had a blog and highlighted updates and changelogs. It's all been shut down for some reason.
Yeah, they post 1-2 comments on their support page every week and that’s it. A bit disappointing for a paid service.
How many are they, anyways? Is it just Olivier and that other guy doing everything themselves?