kajer :notverified:Had to push firewall policy today stating that mask.apple-dns.net is NOT spyware, and to exclude that domain from the threat logs and to NOT drop that traffic.
:(
John TimaeusI wasn't aware of this until now. Is this another "we don't want anyone else tracking you" scheme like most browsers defaulting to DoH to corporate DNS servers?
@johntimaeus it's a icloud privacy thing? it's well-meaning purpose is to prevent dns leakage if using tunnels IIRC?
Just an old guy screaming at clouds:
If I'm protecting a network, all DNS goes through me. And I run a proper caching server that only believes in root servers.
I generally am against overcontrolling client devices, but they better not be trying to DoH, or hide lookups, because that's one of the easy buttons for detection of stupid breaches.
@johntimaeus I fully agree, and my objection has been "noted"