I've recently taken charge of our Cisco Umbrella deployment and noticed a significant amount of encrypted DNS traffic, particularly DoH. The setup I inherited seems outdated, which makes it quite the challenge to get things organized and plan for the future. Most of the encrypted DNS usage appears on our guest networks, but I'm also observing some internal users and systems utilizing it.
I see considerable traffic going to specific Apple destinations, such as mask.apple-dns.net, apple-native-relay.apple.com, proxy.safebrowsing.apple, and mask.icloud.com. I think it's best not to block these, but I'm still trying to figure out the broader implications of the encrypted DNS traffic. How is everyone else handling web filtering related to encrypted DNS?
1 Answer
For Apple devices, a good practice is to set up an NXDOMAIN record for mask.icloud.com and mask-h2.icloud.com. This essentially informs Apple devices that your network doesn't support iCloud Private Relay. Users will get a pop-up asking them whether to connect to a different network or disable iCloud Private Relay for your network.

You might want to have them do this specifically for your tenant, depending on how you use Umbrella.
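A quick way to verify the NXDOMAIN behaviour the answer describes, added here as an example rather than taken from the original thread: it assumes `dig` is installed for the live query and that the resolver you pass is the one your Apple devices actually use (the Unbound line in the comments is one assumed way to produce that NXDOMAIN, not a setting from this post).

```shell
#!/bin/sh
# Added example, not from the original answer: check that a resolver answers
# NXDOMAIN for the two names Apple devices probe to decide whether iCloud
# Private Relay is usable on this network.
# One way to produce that answer on an Unbound resolver (assumption, not
# from the thread):
#   local-zone: "mask.icloud.com." always_nxdomain
#   local-zone: "mask-h2.icloud.com." always_nxdomain

# Extract the RCODE from dig's ";; ->>HEADER<<- ... status: XXX," comment line
# read on stdin. Prints NXDOMAIN, NOERROR, SERVFAIL, ... or UNKNOWN if absent.
parse_dig_status() {
    status=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    printf '%s\n' "${status:-UNKNOWN}"
}

# Query one name (A record) against a resolver, default the system resolver,
# and return 0 only when the RCODE is NXDOMAIN.
check_nxdomain() {
    name=$1
    resolver=${2:+@$2}
    status=$(dig +noall +comments $resolver "$name" A | parse_dig_status)
    printf '%-22s %s\n' "$name" "$status"
    [ "$status" = "NXDOMAIN" ]
}

# Names Apple devices resolve to discover Private Relay availability.
PRIVATE_RELAY_NAMES="mask.icloud.com mask-h2.icloud.com"

# Returns 0 when both names get NXDOMAIN, 1 when any of them does not.
check_private_relay_blocked() {
    rc=0
    for n in $PRIVATE_RELAY_NAMES; do
        check_nxdomain "$n" "$1" || rc=1
    done
    return $rc
}

# Live check only when explicitly requested, so the file can also be sourced:
#   RUN_LIVE=1 sh check_relay.sh [resolver-ip]
if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_private_relay_blocked "$1"
fi
```

If a name comes back NOERROR with an address, devices on that resolver will still attempt Private Relay and the answer's pop-up will never appear.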