Had to push firewall policy today stating that mask.apple-dns.net is NOT spyware, and to exclude that domain from the threat logs and to NOT drop that traffic.

:(

@kajer

I wasn't aware of this until now. Is this another "we don't want anyone else tracking you" scheme like most browsers defaulting to DoH to corporate DNS servers?

@johntimaeus it's an iCloud privacy thing? Its well-meaning purpose is to prevent DNS leakage if using tunnels IIRC?

@kajer

Just an old guy screaming at clouds:
If I'm protecting a network, all DNS goes through me. And I run a proper caching server that only believes in root servers.

I generally am against overcontrolling client devices, but they better not be trying to DoH, or hide lookups, because that's one of the easy buttons for detection of stupid breaches.

@johntimaeus @kajer I can appreciate this stance. "You use the DNS I have set up, or you don't go anywhere."

@da_667 @kajer

"You can remember IPs. You can't look them up unless I can see what you're looking up."

@johntimaeus @da_667 @kajer yup, even my pi-hole forwards to bind9-in-a-separate-pi

@mousey @da_667 @kajer

Curious, why have a separate device instead of just running bind locally and forwarding from there?

@johntimaeus @da_667 @kajer The backend dns hosts internal network names. Pi-hole is for the family DNS.
(Mainly so I can take down one or the other (maintenance, upgrades, etc) without affecting service)

Yay overly complicated home labs! 😁

@johntimaeus @kajer to be honest, for work or school networks, blocking the iCloud privacy and DoH stuff is reasonable. Want to go somewhere else for DNS, no no, everything is funneled to our DNS infra.
@johntimaeus I fully agree, and my objection has been "noted"