Had to push firewall policy today stating that mask.apple-dns.net is NOT spyware, and to exclude that domain from the threat logs and to NOT drop that traffic.

:(

@kajer

I wasn't aware of this until now. Is this another "we don't want anyone else tracking you" scheme like most browsers defaulting to DoH to corporate DNS servers?

@johntimaeus it's an iCloud privacy thing? Its well-meaning purpose is to prevent DNS leakage if using tunnels, IIRC?

@kajer

Just an old guy screaming at clouds:
If I'm protecting a network, all DNS goes through me. And I run a proper caching server that only believes in root servers.

I generally am against overcontrolling client devices, but they better not be trying to DoH, or hide lookups, because that's one of the easy buttons for detection of stupid breaches.

@johntimaeus @kajer to be honest, for work or school networks, blocking the iCloud privacy and DoH stuff is reasonable. Want to go somewhere else for DNS? No, no: everything is funneled to our DNS infra.
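The "all DNS goes through me" and "they better not be trying to DoH" points above, as an added example that is not from any poster in this thread: a small audit over constructed firewall log lines that flags clients bypassing the corporate resolvers, whether by plain DNS to an outside server, DNS-over-TLS on port 853, or HTTPS to a known encrypted-DNS/relay endpoint. The resolver addresses, log format and every hostname except mask.apple-dns.net are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed corporate resolvers; any port-53 traffic elsewhere is a bypass.
CORP_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
# TLS SNI names tied to encrypted DNS or relay services. mask.apple-dns.net is
# the iCloud Private Relay name from the thread; the others are public DoH hosts.
BYPASS_HOSTS = {"mask.apple-dns.net", "dns.google", "cloudflare-dns.com"}


@dataclass
class Finding:
    src: str
    reason: str


def parse_line(line):
    """Parse a constructed 'key=value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def classify(rec):
    """Return a reason string if the record looks like resolver bypass, else None."""
    dst = ipaddress.ip_address(rec["dst"])
    port = int(rec["dport"])
    sni = rec.get("sni", "-")
    if port == 53 and dst not in CORP_RESOLVERS:
        return "plain DNS to non-corporate resolver"
    if port == 853:
        return "DNS-over-TLS (port 853)"
    if port == 443 and sni in BYPASS_HOSTS:
        return f"HTTPS to encrypted-DNS/relay endpoint {sni}"
    return None


def audit(log_text):
    """Run classify() over every non-empty line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["src"], reason))
    return findings


# Constructed sample log: one clean lookup, three bypasses, one normal HTTPS flow.
SAMPLE_LOG = """
src=10.1.2.10 dst=10.0.0.53 dport=53 sni=-
src=10.1.2.11 dst=203.0.113.8 dport=53 sni=-
src=10.1.2.12 dst=203.0.113.9 dport=853 sni=-
src=10.1.2.13 dst=203.0.113.10 dport=443 sni=mask.apple-dns.net
src=10.1.2.14 dst=203.0.113.11 dport=443 sni=www.example.com
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.src}: {f.reason}")
```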