
Alfred.Woodden (original poster)
Enabling Private Relay bypasses Quad9 / NextDNS and router-specific security features such as AiProtection on Asus routers.

Quad9 and NextDNS use threat intelligence feeds to protect against malware. When you enable Private Relay, all those protections get effectively disabled. I tested this by using two different test-malware sites (I will not link to them, for obvious security reasons). With Private Relay off and Quad9 on, the websites would not load in Safari. With Private Relay on, not only did the websites load, but one offered to download an .exe file.

This is surprising and quite alarming! Private Relay keeps you anonymous, but not safe from malware. Apple needs to add threat intelligence feeds to their service.
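The post above relies on what a filtering resolver does for a listed name: it answers the query with a block instead of a real address, and if the client's queries never reach that resolver (as described for Private Relay), no block is ever returned. The script below is an added example, not code from this thread or from Apple, Quad9 or NextDNS. It builds an RFC 8484 DNS-over-HTTPS query in DNS wire format, parses the answer, and classifies it as "resolved" or "filtered". The Quad9 endpoint URL is the real one; the three sample answers are constructed inline so the parser runs offline, and the rule that Quad9 signals a block with NXDOMAIN while some other filters answer with a sinkhole address is stated as a general observation, not as a guarantee for any particular service. The script queries from the command line, so it shows what the resolver returns, not which path Safari takes under Private Relay.

```python
"""Added example: inspect what a DNS-over-HTTPS filtering resolver answers.

Builds a wire-format DNS query (RFC 1035) and sends it as RFC 8484 DoH;
parses the reply and reports whether the name was resolved or filtered.
"""
import socket
import struct
import sys
import urllib.request

QUAD9_DOH = "https://dns.quad9.net/dns-query"  # real Quad9 DoH endpoint


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Return a DNS query message for an A record of `name`, RD=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Extract the response code and any A-record addresses from a reply."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x000F, "addresses": addrs}


def classify(answer: dict) -> str:
    """Label an answer. NXDOMAIN (rcode 3) is how Quad9 signals a block;
    other filters answer with a sinkhole address such as 0.0.0.0."""
    if answer["rcode"] == 3:
        return "filtered (NXDOMAIN)"
    if answer["rcode"] == 0 and answer["addresses"]:
        if all(a in ("0.0.0.0", "127.0.0.1") for a in answer["addresses"]):
            return "filtered (sinkhole address)"
        return "resolved"
    return "other (rcode %d)" % answer["rcode"]


def doh_query(name: str, endpoint: str = QUAD9_DOH) -> dict:
    """Send the query over DoH (POST, application/dns-message) and parse it."""
    req = urllib.request.Request(
        endpoint, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


# Constructed sample replies (not captured from any real resolver) so the
# parser can be exercised without network access. 192.0.2.1 is TEST-NET-1.
SAMPLE_NXDOMAIN = (struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
                   + b"\x07blocked\x07example\x00" + struct.pack("!HH", 1, 1))
SAMPLE_RESOLVED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + bytes([192, 0, 2, 1]))
SAMPLE_SINKHOLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07blocked\x07example\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + bytes([0, 0, 0, 0]))

if __name__ == "__main__":
    for sample in (SAMPLE_NXDOMAIN, SAMPLE_RESOLVED, SAMPLE_SINKHOLE):
        print(classify(parse_response(sample)))
    if len(sys.argv) > 1:  # python doh_check.py some.domain  -> live query
        print(sys.argv[1], "->", classify(doh_query(sys.argv[1])))
```

Run it with no arguments to see the three constructed cases classified; pass a domain to ask Quad9 directly over DoH. Comparing that answer with what Safari does for the same name is the manual check the post describes: if the resolver says "filtered" but the page still loads, the browser's queries are not going through that resolver.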
 
As far as I've been able to see, Apple uses its own DNS resolvers (or their CDN partners do) that are also DNS-over-HTTPS by default, so no DNS traffic is leaving your devices unencrypted. That being said, they likely don't offer any kind of threat protection, and there appears to be a system-wide limitation when it comes to Private Relay and third-party DNS resolvers, the same as when a VPN is active. That's a real bummer and it's one of the reasons why I don't use Private Relay. The other reason is that it's abhorrently slow and renders a 100 Mbit/s WiFi connection unusable at times (yes, I realize there's a Beta sticker on it, but still).
 