DNS leaks on Private Relay

When I open the DNS Leak Test page by hide.me, it shows the ISP correctly.

It doesn't change even if I turn on Private Relay.


Private Relay is working, because on the My IP Address page it shows iCloud Private Relay as the ISP.


Does this mean websites can still track me with IP address? How can I fix this?

Posted on Jun 19, 2022 12:43 AM

Question marked as Top-ranking reply

Posted on Jun 19, 2022 7:27 AM

DNS leaking means the DNS traffic is visible to an intermediate host. On current versions, iPad and iPhone prefer to use DoH and DoT. DoH and DoT encrypt DNS traffic. Private Relay further uses ODoH, encrypting and relaying the traffic.


https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF


A little light reading:


https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf


Another resource for information about tracking and tracking techniques:


https://www.eff.org/press/releases/test-your-online-privacy-protection-effs-panopticlick

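To make the reply's point concrete, here is an added example (not part of the reply above or of any Apple documentation) showing what "DNS traffic" actually looks like on the wire and how the same query is carried in the RFC 8484 DoH GET form, where an intermediate host only sees a TLS connection to the resolver rather than the name being resolved. The test name `leaktest.example`, the resolver URL and the response bytes are constructed for the example.

```python
import base64
import struct

# Constructed example name, of the kind a leak-test page hands the browser.
TEST_NAME = "leaktest.example"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query in RFC 1035 wire format (this is the
    cleartext an intermediate host sees with classic UDP/53 resolution)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query goes in the 'dns' parameter,
    base64url-encoded with padding stripped, inside an HTTPS request."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"{resolver_url}?dns={encoded}"


def parse_a_answers(resp: bytes) -> list:
    """Extract A-record addresses from a DNS response (handles name pointers)."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])

    def skip_name(o: int) -> int:
        while True:
            length = resp[o]
            if length == 0:
                return o + 1
            if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes total
                return o + 2
            o += 1 + length

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def constructed_response(query: bytes) -> bytes:
    """Constructed resolver reply answering the query with 192.0.2.1 (TEST-NET-1)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer
```

Whichever transport carries the query, the leak test works the same way: the resolver that finally contacts the test site's authoritative server is the one the site reports, which is why a result naming your ISP means some lookups are reaching the ISP resolver.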
9 replies

Jun 23, 2022 9:57 AM in response to MrHoffman

Hi MrHoffman,


I am convinced that Private Relay is leaking DNS information, including the originating ISP and corresponding IP addresses. There is a flaw in the dual-hop process that allows some sites, at least, to glean your actual ISP/IP — I have been able to replicate this, and so have others. (I reached out to someone whose blog I read regularly, and who has way more technical expertise than me.)


I’ve been using iCloud+ Private Relay for several months. I love the idea of it; its zero trust model makes a ton of sense. But on a whim, I did a few DNS leak tests, just to see what they came up with. Most identified my ISP as iCloud Private Relay, or Akamai or Cloudflare — which was what I expected. However, when I did a DNS leak test on a site called Whoer.net, the list of identified DNS servers included the usual suspects (i.e., Akamai, Cloudflare) but also the name of my actual ISP and IP.


Thoughts? Am I misunderstanding how this might occur? Please give it a shot and post your experiences. Any input gratefully accepted!


Maggot

Jun 23, 2022 10:06 AM in response to MrHoffman

Today, I got different results — but it was Google that was included in the list of DNS servers. (Possibly more disturbing, considering their privacy practices.)


The dual-hop architectural model, as I understand it, should conceal these pathways. The only DNS servers that should be visible to any external site are Apple's backbone partners (i.e., Cloudflare, Akamai Technologies, Fastly).

Jun 23, 2022 10:43 AM in response to MrHoffman

Thanks for responding, MrHoffman. But as concerning as browser leakage is (and it is!), this is a separate issue, yes? And even browser fingerprinting does not reveal an IP address, as was the case with Private Relay. But the kicker is that if Whoer.net's DNS leak test can detect my ISP, it also means it's likely that my ISP knows where I'm going. (Again, I'm a journalist.)



Jun 23, 2022 10:58 AM in response to Maggot

I don’t know how that particular probe is being done. I don’t have visibility into the DNS resolutions being used, or any other related data that might be available to the site. And I’m presuming the whole effort will be somewhat less than completely effective generally, as that’s the usual measure-countermeasure pattern for all of these efforts. A recent Mozilla Firefox change around cookies will help with tracking, too.
