Question about DoH Canary domains

I’ve been using dnscrypt-proxy for a long time, and it’s an amazing project! Thank you to everyone involved, especially its creator, Frank Denis!

I just wanted to ask a quick question regarding the pesky “canary domains” for both Firefox and Apple. They are described in these docs:
Mozilla Support - Canary Domain Use
Apple Developer - Prepare Your Network for iCloud Private Relay

The domains are:

use-application-dns.net
mask.icloud.com
mask-h2.icloud.com

If I’m reading correctly, I have two options:

  • Reply NXDOMAIN
  • A NOERROR response with neither A nor AAAA records

For a long time, I have been building my blocked-names.txt with those 3 domains included, and I use blocked_query_response = 'a:0.0.0.0', so I guess I’m not disabling devices from automatically turning on DoH.

I would love any kind of advice on how to tackle this if possible! Thanks in advance for any help!
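To make the two conditions from the question concrete, here is a small classifier that decides whether a resolver's answer for a canary name would count as "disable DoH" under those rules (NXDOMAIN, or NOERROR with no A/AAAA records). It is an added example written for this thread, not code from the dnscrypt-proxy project; it builds its own constructed sample responses in RFC 1035 wire format using only the standard library, and the resolver and sinkhole values (0.0.0.0, the TEST-NET-1 address 192.0.2.1) are assumptions for illustration.

```python
"""Classify DNS answers for a canary domain (added example, not from the thread).

A resolver signals "do not enable DoH" for the canary name when it returns
NXDOMAIN, or NOERROR with neither A nor AAAA records (the two options quoted
in the question).  An answer of A 0.0.0.0 is a normal, non-empty answer and
therefore satisfies neither condition.
"""
import struct

NOERROR = 0
NXDOMAIN = 3
TYPE_A = 1
TYPE_AAAA = 28
CANARY = "use-application-dns.net"  # canary name from the question


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, answers=()):
    """Build a minimal DNS response (constructed sample data, not captured traffic).

    answers: iterable of (rtype, rdata_bytes) records for the question name.
    """
    answers = list(answers)
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1, plus the RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)  # QTYPE A, class IN
    rrs = b""
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + question + rrs


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, then the name ends
            return off + 2
        off += 1 + ln


def parse_response(msg):
    """Return (rcode, [answer record types]) from a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    return flags & 0xF, types


def disables_doh(msg):
    """True if this answer meets either canary condition from the question."""
    rcode, types = parse_response(msg)
    if rcode == NXDOMAIN:
        return True
    return rcode == NOERROR and not any(t in (TYPE_A, TYPE_AAAA) for t in types)


def demo():
    """Evaluate four constructed resolver behaviours for the canary name."""
    cases = {
        "nxdomain": build_response(CANARY, NXDOMAIN),
        "noerror_nodata": build_response(CANARY, NOERROR),
        # blocked_query_response = 'a:0.0.0.0' style sinkhole answer
        "sinkhole_a": build_response(CANARY, NOERROR, [(TYPE_A, bytes([0, 0, 0, 0]))]),
        # an ordinary upstream answer (TEST-NET-1 address, assumed for illustration)
        "real_a": build_response(CANARY, NOERROR, [(TYPE_A, bytes([192, 0, 2, 1]))]),
    }
    return {name: disables_doh(msg) for name, msg in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} disables DoH: {result}")
```

Running it shows that only the NXDOMAIN and NOERROR/no-data answers satisfy the canary rule, while a sinkhole A record does not, which is the distinction the question is asking about.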

dnscrypt-proxy already automatically returns NXDOMAIN for use-application-dns.net

The Apple domains are for Private Relay, which is kind of a VPN service. I don’t think it forces usage of a DoH server, but relays everything through the VPN tunnel when explicitly enabled.
Blocking mask.icloud.com and mask-h2.icloud.com doesn’t do the same thing as use-application-dns.net, and I don’t think they should be blocked.

Thank you very much for your reply!!! All good then!!!