Encrypted DNS with Private Relay

I’d like to encrypt my DNS traffic and had been using OpenDNS’ DNSCrypt to do this.

As I understand, turning on Private Relay routes all TCP/IP packets—even those for DNS—through Apple’s service based on what I see on the DNS settings for macOS ( → System Preferences → Network → (choose network interface) → Advanced … → DNS):

My questions:

  1. Does anyone know what DNS service(s) Private Relay uses?
  2. Is there any way to encrypt DNS traffic while using Private Relay?

Thank you for reading.

Apple hasn’t officially defined what they use.

This is what Apple has about iCloud Private Relay: About iCloud Private Relay - Apple Support

Normally when you browse the web, information contained in your web traffic, such as your DNS records and IP address, can be seen by your network provider and the websites you visit. This information could be used to determine your identity and build a profile of your location and browsing history over time. iCloud Private Relay is designed to protect your privacy by ensuring that when you browse the web in Safari, no single party—not even Apple—can see both who you are and what sites you’re visiting.

When Private Relay is enabled, your requests are sent through two separate, secure internet relays. Your IP address is visible to your network provider and to the first relay, which is operated by Apple. Your DNS records are encrypted, so neither party can see the address of the website you’re trying to visit. The second relay, which is operated by a third-party content provider, generates a temporary IP address, decrypts the name of the website you requested and connects you to the site. All of this is done using the latest internet standards to maintain a high-performance browsing experience while protecting your privacy.

So, yes, DNS lookups are encrypted between you and Apple, which anonymizes your IP before doing the lookup on your behalf.

The one caveat I’d point out in that support article is the words “in Safari.” It seems to me that iCloud Private Relay is not used by third-party apps doing lookups on your Mac.


Well shame on me; I missed the portion of this page that discusses DNS. :pleading_face:

Thank you for pointing out the Safari caveat.

This is curious (to me) since there is no such caveat in the image of the dialog box that I posted above:

DNS requests are being routed by iCloud Private Relay for this network

Frankly, I find it very odd that Private Relay pertains to only Safari when this statement appears in the Network configuration portion of System Preferences. If it’s specific to Safari, then why isn’t Private Relay turned on/off within Safari preferences instead of in the Apple ID portion of System Preferences?

Granted, Safari is clearly called out in  → System Preferences → Apple ID → iCloud → Private Relay → Options:

Nevertheless, it strikes me as overly complex to have application-specific network configurations.

Are you aware of anyone having done packet sniffing (or used some other technique) to confirm that applications other than Safari never use Private Relay’s DNS Services when Private Relay is turned on? For example, is Apple’s own Mail.app excluded from Private Relay? When using Private Relay is there really no IP address and geolocation privacy for communicating with Apple’s servers when syncing with Photos, Contacts, Calendars, Reminders, etc.? Don’t Apple applications other than Safari use DNS to find servers?

I cannot understand the thinking behind limiting Private Relay to a single application, and not even all of Apple’s applications at that. :thinking:

I really don’t know. I don’t use the feature myself. I’d do some searching for articles from trusted sources and see what they say. TidBITS has a mention of the feature and brief discussion, but not really an in-depth look like that. But one way to think of it is as a proxy server for web traffic, not really as a VPN.

Thank you for the link; this TidBITS article links to “Digging into Apple’s iCloud Private Relay” on MacObserver, which includes:

What Traffic is Included in iCloud Private Relay?
An iCloud+ user running iOS 15, iPadOS 15, or macOS Monterey with Private Relay enabled will have the following traffic routed through Private Relay:

  • All Safari browsing
  • All DNS queries
  • Most App Traffic to insecure websites (aka TCP Port 80, or “http:” traffic).

What’s not included in Private Relay?
Private Relay is bypassed for everything not listed above, including:

  • Local Traffic
  • Private Domains
  • VPNs, Proxies, and other Network Extensions
  • Secure, “https:” traffic from your apps.

Who Controls These Egress Servers (aka Exit Nodes)?
Apple hasn’t said who the “content partners” are who run their Egress Servers, but CloudFlare is the only one which has shown up in my tests. I’m testing from one location in New Hampshire, USA, though, so my mileage might be very different from yours. If you see another content partner, let us know in the comments below.

Apparently all DNS queries are covered, regardless of the application making them, which was my original question. Moreover, since “Traffic to insecure websites (aka TCP Port 80, or “http:” traffic)” goes through Private Relay, apparently my browsing on Chrome is also shielded.

That said, surprisingly (to me) there is no privacy protection on secure (HTTPS://) websites viewed through a browser other than Safari.

Also surprising, “Private Relay uses QUIC (HTTP/3) connections, which happen over UDP port 443, which are engineered to be quite speedy.” My understanding is that with UDP, packets can be doubled, missed or sent in the wrong order; so conceivably the web page that you view is NOT the web page that was sent. I presume that somehow Datagram Transport Layer Security (DTLS) is involved.

Perhaps @rmogull or @glennf have something additional to add.

The QUIC protocol handles dropped and duplicated UDP packets at a higher protocol level than TCP; the integrity of the sent and received data is preserved.
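
The reassembly described in the reply above, as an added example that is not part of the original thread: a simplified Python model of how a QUIC receiver uses packet numbers and STREAM-frame offsets to drop duplicates, reorder data and wait for lost bytes to be retransmitted. The class and function names and the sample arrivals are constructed for illustration; the per-packet authenticated encryption that real QUIC applies is omitted.

```python
# Simplified model of QUIC stream reassembly (STREAM frames, RFC 9000).
# Not a QUIC stack: no encryption, ACKs or flow control.
class StreamReceiver:
    def __init__(self):
        self.seen_packets = set()     # packet numbers already processed
        self.pending = {}             # offset -> bytes waiting behind a gap
        self.delivered = bytearray()  # contiguous bytes handed to the application
        self.final_size = None        # known once the FIN frame arrives

    def on_packet(self, packet_number, offset, data, fin=False):
        if packet_number in self.seen_packets:
            return                    # duplicated datagram: ignore it
        self.seen_packets.add(packet_number)
        if fin:
            self.final_size = offset + len(data)
        # Keep the longest data seen at this offset; retransmissions may re-split.
        if len(data) > len(self.pending.get(offset, b"")):
            self.pending[offset] = data
        self._drain()

    def _drain(self):
        for off in sorted(self.pending):
            have = len(self.delivered)
            if off > have:
                break                 # gap: wait for the sender to retransmit
            chunk = self.pending.pop(off)
            self.delivered += chunk[have - off:]  # skip bytes already delivered

    @property
    def complete(self):
        return self.final_size is not None and len(self.delivered) == self.final_size


def replay(arrivals):
    """Feed constructed (packet_number, offset, data, fin) tuples to a receiver."""
    rx = StreamReceiver()
    for pn, offset, data, fin in arrivals:
        rx.on_packet(pn, offset, data, fin)
    return bytes(rx.delivered), rx.complete


# Constructed sample: b"GET /index.html\r\n" sent as 4 frames; packet 1 is lost.
ARRIVALS = [
    (2, 8, b"ex.h", False),      # arrives before earlier data (reordered)
    (0, 0, b"GET ", False),
    (0, 0, b"GET ", False),      # same datagram delivered twice
    (3, 12, b"tml\r\n", True),   # carries FIN, so the final size is known
]
RETRANSMIT = [(4, 4, b"/inde", False)]  # lost bytes resent in a new packet, overlapping offset 8
```

Until the retransmission arrives, the application sees only the bytes before the gap; nothing out of order or duplicated is ever delivered.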