rtcreportingd connecting to non-apple servers (chinese ip addresses)

Question

peaceful_sea Author

Level 1

4 points

rtcreportingd connecting to non-apple servers (chinese ip addresses)

I have multiple apple devices (ipad, apple tv, mac mini) attempting to make connections to remote servers in China.

A few of the ip addresses:

183.134.11.22

42.231.143.113

(there are many others but they are similar)

My firewall has blocked and logged these attempts going back a month or so. The blocks don't impact anything.

The servers do not appear to be apple servers, based on what I can find. Yet the connections do not appear to be coming from any third party non-apple apps. My factory reset devices (ipad, apple tv) with no apps on them still try to make the connections to 183.134.11.22 and others.

Investigating further on one of the machines, a "factory fresh" dfu restored mac mini (no non-apple apps, never signed into an icloud account), I was eventually able to catch one of the connection attempts and determine it was coming from a service called "rtcreportingd" which I gather may be some sort of telemetry thing related to facetime/imessage (rtc=real time connection)?

Can anyone explain why rtcreportingd might be trying to make daily connections to these random Chinese hosting providers? I can't imagine why facetime telemetry (from an apple tv where facetime has never even been used by the way), would not get sent to apple servers at the 17.x.x.x ip address range apple uses, or at least to known CDNs like akamai and fastly in my general region.

If it's not normal behavior, but possibly representative of malware or hacking, wouldn't a factory reset have removed it?

Is there a way to display the dns cache on apple devices or to determine what dns query might have retrieved a specific ip address? I've tried setting DNS on the devices manually hoping it might solve the problem and return local rather than chinese ip addresses, but that did not make any difference. And it's hard to investigate any further without being able to tell how automatic DNS works because I don't see the dns queries for these ip addresses at my network. I suspect the ip addresses might be coming from apple's private queries to it's own internal dns, which I think may be "doh.dns.apple". I am new to apple, so any help or guidance is very appreciated.

Mac mini (M4)

Posted on Jul 7, 2025 3:07 PM

Reply

Answer 1

leroydouglas

Level 10

200,652 points

Jul 7, 2025 3:37 PM in response to peaceful_sea

peaceful_sea wrote:

possibly representative of malware or hacking,

No.

I would find something else to fixate over.

if you want to cut down on reporting to be pro-active try turning off A & Improvement reports:

Reply

Answer 2

peaceful_sea Author

Level 1

4 points

Jul 9, 2025 10:40 AM in response to Yer_Man

Appreciate the response.

My concern was that these ip addresses may not be where Apple wants to route to, but may instead be the result of some issue with DNS between the devices and whatever DNS server (my ISP’s, google dns, doh.dns.apple) is handing back the ip addresses.

Even if Apple devices cannot be exploited, DNS can be targeted by bad actors and that’s why I was asking about seeing the dns cache and other ways to troubleshoot or get insight around Mac dns.

Setting dns manually on the devices didn’t have an impact, so presumably I can rule out dns issues and go with the assumption that these ip addresses (which don’t seem to be signed by any apple certificates) are where rtcreportingd should be sending data. Normal behaviour as you say.

I’m aware of programs like little snitch and lulu and just wonder why, if this is normal behavior, there aren’t more reports from those users about unexpected calls out to china.

Maybe I can sniff the traffic (tcpdump?) or run traffic through privoxy (referenced in popular hardening guides) and see what’s being sent to the addresses? I have analytics off already, so in theory any uploaded analytics files would be devoid of personal information.

In any case, I appreciate the advice and opinions from the experts here. Thank you!

Reply

Answer 3

Yer_Man

Level 10

166,098 points

Jul 7, 2025 3:38 PM in response to peaceful_sea

This is normal behaviour. There is nothing to be concerned about.Why Apple route this material to servers in China is a question only they can answer.

Reply