Block a domain - Apple Private Relay

Solved
RumorConsumer
Head in the Cloud

Block a domain - Apple Private Relay

Apples new Private Relay technology looks good and one of the things they say you can do is block it on your network if you want. Brings up an interesting question - how do you block clients from accessing certain IPs or DNS lookup? My sense is maybe you can do it by VLAN or group policy? Is that how? Using cloudflare DNS servers. Ok hip me up.

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
1 Accepted Solution
CptnCrnch
Kind of a big deal
Kind of a big deal

8 Replies 8
KarstenI
Kind of a big deal
Kind of a big deal

I would expect that the relevant sites will end up in the "Proxy Avoidance and Anonymizers" category when the feature is eventually established.

RumorConsumer
Head in the Cloud

But let’s say i wanted to block Facebook.com. How would i do that

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
CptnCrnch
Kind of a big deal
Kind of a big deal

That's an easy one: URL Filtering - Cisco Meraki

RumorConsumer
Head in the Cloud

Ah very good. Thank you.

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
KarstenI
Kind of a big deal
Kind of a big deal

I don't think that it will be that easy as the MX will not see the request. Same as with Tor, either we block the ingress-nodes or we are blind for the communication.

RumorConsumer
Head in the Cloud

@KarstenI Yes I think that’s the advice that they gave. To block the ingress node address

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
EricM_WSC
Comes here often

I am hoping that someone can confirm my strategy, before me implementing the change to block iCloud Private Relay (iPR).  

 

Apple states, "Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network."

 

Given that we use Jamf, my Apple admin states we will need to block any use of iPR.  

 

What I read however in the link provided is that:

 

Cisco Meraki devices allow for filtering of websites by URL, providing both a way to block and whitelist a specific URL or an entire domain. However, when filtering by URL it is important to note that while you can whitelist a child address and block the parent address it is not currently possible to whitelist a parent address and block a child address.

 

This is a bit confusing to me as I need to black two specific child domains,

mask.icloud.com
mask-h2.icloud.com

I, unfortunately, am not at home where I could test this on my private network before implementing it, so I just want to make sure I am on the right track. I am looking to blacklist the two child domains but not have to whitelist the parent. 

 

** I would want the parent and other child domains to still be accessible.

 

Am I just overthinking this? Is it as easy as simply blocking the two child domains?

 

Thank you for the help,

Eric

 

Bruce
Kind of a big deal

You’re over thinking it, if you want to block those two domains then just add them to the block list that should block them.

 

The documentation you read about whitelist, blocklist and why you can do it one way and not the other is to do with how rules are processed, in your case it’s not relevant if all you’re trying to do is block those two domains. Whitelists are processed first, and if there is a hit then the domain is allowed. If the domain isn’t listed in the whitelist then the blocklist is tested. When a domain is tested the subdomains are iteratively removed, thus if you whitelist a parent domain it will always hit the parent during testing, and never get tested against the child in the blocklist. Hope this makes a bit more sense now.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels