Basically the way I see it iCloud private relay helps you in terms of safari browsing and keeping your ip hidden and I suppose encrypting unencrypted traffic is a plus.
However iCloud relay also routes your dns queries which yeah is good if you want to see the app transparency report, but doesn’t really help block anything.
From what I know Nextdns is a great service that helps block unwanted connections or trackers, but then you loose the safari advantage.
So I guess the question is, which is the best option for privacy and security?
(Also the nextdns app hasn’t been updated for about 3years on iOS)
If the iCloud Private Relay ODoH DNS server is used it will show up as a DNS leak, even if the IP address from its response isn’t used for browsing. For privacy it doesn’t matter, as with ODoH the DNS resolver doesn’t know your IP or identity, the most important thing is whether it will bypass the NextDNS blocklist. In my testing I couldn’t visit any website that was blocked by NextDNS, meaning that the iCloud DNS resolver wasn’t used as the primary DNS resolver, which matches with their documentation (that page 10 that I linked to earlier). Note that Apple will only use a custom DNS resolver if you’re using the native DoH option, so for example the configuration that you can get from https://apple.nextdns.io/.
You can easily test it yourself: block a hostname in NextDNS that you haven’t visited recently (due to cache) and try to visit it in Safari.
I don’t know why Apple still uses the Cloudflare DNS resolver even if it seems to be ignoring its responses. Maybe they use it for some custom metadata that’s sent along with the request which somehow is important for the relay. All I know is that I’ve never seen it bypassing the NextDNS blocklist, which again is exactly how it’s documented by Apple.
I’ll give it another try, did you add the mask iCloud website to your allow list?
A few people say you need to add the correct links in order for apple services to still work.
I know mail needs a link on the allow list and so does the mask relay links aswell.
I did read apples docs about it but haven’t seen anything about if I need ti add anything in the allow list.
I’m not sure, it depends on your configuration and blocking list. I don’t use native tracking protection, and my blocklist (oisd) prioritizes functionality over blocking, so in my case everything just works and I don’t have anything special added to my whitelist. I don’t like DNS blocking to be in the way and I also share my configuration with some family members, so that’s why I’ve made this choice, but if you prefer a stricter approach you might have to do some whitelisting.