Basically the way I see it iCloud private relay helps you in terms of safari browsing and keeping your ip hidden and I suppose encrypting unencrypted traffic is a plus.
However iCloud relay also routes your dns queries which yeah is good if you want to see the app transparency report, but doesn’t really help block anything.
From what I know Nextdns is a great service that helps block unwanted connections or trackers, but then you loose the safari advantage.
So I guess the question is, which is the best option for privacy and security?
(Also the nextdns app hasn’t been updated for about 3years on iOS)
FYI about VPNs, they encrypt unencrypted traffic only part of the way. Everything is still unencrypted between the VPN server and the server you are connecting to. Just thought I’d say this because a lot of VPN ads are very misleading about this.
I use NextDNS and I do have a subscription, currently using it on my router via DNS over HTTPS.
It is an excellent service (like a Pi-Hole on cloud) and I like how it does things like logging and analytics.
For using it in iOS you shouldn’t need to use the app, just install a (signed) profile via apple.nextdns.io and it will be configured natively (this is Apple’s approved way to use 3rd party private DNS).
I use this profile method and just made an exception to my home & work wifi network but will always use it otherwise (on mobile network or any other wifi networks)
Nice that’s a good insight, what is your opinion on iCloud relay vs Nextdns based on the pros and cons?
Just know that one of THE blocklist creators, HaGezi, dropped his recommendation for Nextdns because of the bad support. I still use Nextdns but I’m moving to another DNS provider.
why dropped? do you have link to the reason?
What dns will you switch to?
control d. I have been testing for about 24 hours now and it resolves fast. I’m going to keep using both for at least a month before I decide.
Contrary to common believe, iCloud Private Relay and NextDNS are compatible and can both be enabled at the same time, see page 10 of https://www.apple.com/icloud/docs/iCloud_Private_Relay_Overview_Dec2021.pdf. When you try to visit a blocked hostname in Safari, you’ll see that it won’t work. This is something that I’ve personally confirmed.
What NextDNS solves and iCloud Private Relay doesn’t, is blocking hostnames system wide, thereby completely blocking some ads and tracking. What iCloud Private Relay solves is hiding your browsing traffic a bit better within your local network and from your ISP, as well as hiding your IP from trackers and hiding your identity from their DNS resolver (not from NextDNS, though).
Some background information why using HTTPS together with encrypted DNS doesn’t fully hide which websites you visit (yet): https://blog.cloudflare.com/announcing-encrypted-client-hello.
If I had to choose, I’d go with NextDNS for system wide blocking and I’d add an adblocker browser extension to block trackers and ads that can’t be blocked with DNS based blocking. But you don’t have to choose and can use both at the same time.
That’s interesting I appreciate the information, so in your suggestion you’d use NextDNS and not iCloud relay and instead use an adguard for safari?
Unless I miss interpreted what you meant, and also I’ve seen people have some issues when using both iCloud relay and NextDNS together, mainly that NextDNS keeps switching between “all good” and “you are using cloudflare or iCloud as a resolver”
So for some reason Apple keeps using their DNS resolver even with a custom DoH resolver configured, but in my testing it didn’t affect the blocking capabilities of NextDNS at all, meaning that the answers from their resolver are just ignored (or used for some other purpose). The way NextDNS knows that you’re using another resolver is by letting the browser resolve some unique hostnames, so that way it will show up even if the answers from that resolver aren’t used. As to why Apple does this I don’t know. In theory it could be the case that Apple just used whichever answer arrives first and that NextDNS just happened to be faster in my testing, but that doesn’t match with how it’s documented in their PDF.
Which one to pick (if you don’t just want to use them at the same time) depends on what your goal is. I use iCloud Private Relay + NextDNS + AdGuard, but nowadays I mainly use another browser with a built-in adblocker, so iCloud Private Relay and AdGuard aren’t used in that case.
I use NextDNS everywhere I can and use a list that prioritizes not breaking anything. It’s a nice backstop. It’s not a replacement for an in-browser adblocker in my opinion, unless you don’t care that it’s less effective.
That’s interesting because when I used a dns leak website it shows both iCloud relay and NextDNS so from my understanding it’s most likely better to use iCloud relay on its own or NextDNS on its own but since the thought came to mind I thought I’d get other opinions.
I mean out of interest how did you set up NextDNS on your iPhone? Im assuming it was from the configuration page on their website?
If so did you just install it whilst iCloud relay was on and then choose NextDNS from the device management menu?
And what settings did you change to make it work correctly?
Again thanks for the info and sorry for the stupid questions just kinda getting an idea of a good way to set it up correctly.
If the iCloud Private Relay ODoH DNS server is used it will show up as a DNS leak, even if the IP address from its response isn’t used for browsing. For privacy it doesn’t matter, as with ODoH the DNS resolver doesn’t know your IP or identity, the most important thing is whether it will bypass the NextDNS blocklist. In my testing I couldn’t visit any website that was blocked by NextDNS, meaning that the iCloud DNS resolver wasn’t used as the primary DNS resolver, which matches with their documentation (that page 10 that I linked to earlier). Note that Apple will only use a custom DNS resolver if you’re using the native DoH option, so for example the configuration that you can get from https://apple.nextdns.io/.
You can easily test it yourself: block a hostname in NextDNS that you haven’t visited recently (due to cache) and try to visit it in Safari.
I don’t know why Apple still uses the Cloudflare DNS resolver even if it seems to be ignoring its responses. Maybe they use it for some custom metadata that’s sent along with the request which somehow is important for the relay. All I know is that I’ve never seen it bypassing the NextDNS blocklist, which again is exactly how it’s documented by Apple.
I’ll give it another try, did you add the mask iCloud website to your allow list?
A few people say you need to add the correct links in order for apple services to still work.
I know mail needs a link on the allow list and so does the mask relay links aswell.
I did read apples docs about it but haven’t seen anything about if I need ti add anything in the allow list.
I’m not sure, it depends on your configuration and blocking list. I don’t use native tracking protection, and my blocklist (oisd) prioritizes functionality over blocking, so in my case everything just works and I don’t have anything special added to my whitelist. I don’t like DNS blocking to be in the way and I also share my configuration with some family members, so that’s why I’ve made this choice, but if you prefer a stricter approach you might have to do some whitelisting.
the nextdns app hasn’t been updated for about 3years on iOS
probably because it doesn’t require an app to set up: https://apple.nextdns.io/
Ahhh I forgot about that, thanks for the reminder :)
Still on the fence in terms of what to use