Apple's new Private Relay technology looks good, and one of the things they say you can do is block it on your network if you want. Brings up an interesting question: how do you block clients from accessing certain IPs or DNS lookups? My sense is maybe you can do it by VLAN or group policy? Is that how? Using Cloudflare DNS servers. Ok, hit me up.
But let's say I wanted to block Facebook.com. How would I do that?
Ah very good. Thank you.
I don't think that it will be that easy, as the MX will not see the request. Same as with Tor: either we block the ingress nodes or we are blind to the communication.
@KarstenI Yes, I think that's the advice they gave: to block the ingress node address.
I am hoping that someone can confirm my strategy before I implement the change to block iCloud Private Relay (iPR).
Apple states, "Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network."
Given that we use Jamf, my Apple admin states we will need to block any use of iPR.
What I read however in the link provided is that:
Cisco Meraki devices allow for filtering of websites by URL, providing both a way to block and whitelist a specific URL or an entire domain. However, when filtering by URL it is important to note that while you can whitelist a child address and block the parent address it is not currently possible to whitelist a parent address and block a child address.
This is a bit confusing to me, as I need to block two specific child domains,
I, unfortunately, am not at home, where I could test this on my private network before implementing it, so I just want to make sure I am on the right track. I am looking to blacklist the two child domains but not have to whitelist the parent.
** I would want the parent and other child domains to still be accessible.
Am I just overthinking this? Is it as easy as simply blocking the two child domains?
Thank you for the help,
You're overthinking it. If you want to block those two domains, just add them to the block list; that should block them.
The documentation you read about whitelist, blocklist and why you can do it one way and not the other is to do with how rules are processed; in your case it's not relevant if all you're trying to do is block those two domains. Whitelists are processed first, and if there is a hit then the domain is allowed. If the domain isn't listed in the whitelist, then the blocklist is tested. When a domain is tested the subdomains are iteratively removed; thus if you whitelist a parent domain it will always hit the parent during testing, and never get tested against the child in the blocklist. Hope this makes a bit more sense now.
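As an added illustration of the rule order described in the reply above (whitelist checked first, then the blocklist, each tested against the hostname and then its parent domains one label at a time), here is a small Python model. It is not code from the thread or from Cisco Meraki, and it only models the ordering the reply describes; the domain names it uses are constructed for the example. It shows why blocking two child domains works on its own, why adding the parent to the whitelist would silently override those block entries, and why the reverse (whitelist a child, block its parent) does work.

```python
# Added example (not from the thread or from Cisco Meraki): a model of the
# described filter order. Assumptions: exact label-wise matching of the
# hostname and each parent domain against the two lists, whitelist first.
from typing import List, Optional, Set, Tuple


def candidates(host: str) -> List[str]:
    """Return the host followed by each parent domain, most specific first.

    'bad.example.com' -> ['bad.example.com', 'example.com', 'com']
    """
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def first_match(host: str, patterns: Set[str]) -> Optional[str]:
    """Return the first candidate (child before parent) found in patterns."""
    for candidate in candidates(host):
        if candidate in patterns:
            return candidate
    return None


def evaluate(host: str, whitelist: Set[str], blocklist: Set[str]) -> Tuple[str, Optional[str]]:
    """Decide allow/block for host and report which list entry decided it.

    Whitelist is consulted first, so a whitelisted parent domain is hit
    before the blocklist is ever consulted for a child of that parent.
    """
    hit = first_match(host, whitelist)
    if hit is not None:
        return ("allow", hit)
    hit = first_match(host, blocklist)
    if hit is not None:
        return ("block", hit)
    return ("allow", None)  # no rule matched: default allow


if __name__ == "__main__":
    # Constructed scenarios; 'relay1/relay2.example.com' stand in for the
    # two child domains the poster wants to block under a parent that must
    # stay reachable.
    block_children: Set[str] = {"relay1.example.com", "relay2.example.com"}

    # 1. Block the two children only: children blocked, parent/siblings allowed.
    for h in ("relay1.example.com", "www.example.com", "example.com"):
        print(h, "->", evaluate(h, set(), block_children))

    # 2. Also whitelist the parent: the block entries never get tested.
    print("relay1.example.com (parent whitelisted) ->",
          evaluate("relay1.example.com", {"example.com"}, block_children))

    # 3. The supported direction: whitelist a child, block the parent.
    print("ok.example.com ->", evaluate("ok.example.com", {"ok.example.com"}, {"example.com"}))
    print("other.example.com ->", evaluate("other.example.com", {"ok.example.com"}, {"example.com"}))
```

The model only says what happens once the filter has a hostname to test; it still has to see that name (in the DNS query or the connection the client opens). That is the point KarstenI makes above: traffic that has already entered the relay cannot be filtered by its real destination, which is why the relay endpoints themselves are what gets blocked.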