CU 201 DNS Firewall and Apple devices

My upgrade to CU 201 went seamlessly. After activating some lists of the new DNS Firewall, e.g. DNS-over-HTTPS, many services on my Apple devices were not functioning as expected. E.g. pictures in ‘Messages’ are not downloaded, the app ‘Find My’ is not working at all, and more.
Blocking DNS-over-HTTPS obviously conflicts with Apple’s proprietary DNS-over-HTTPS approach.

Also the online news of ‘www.spiegel.de’ did not show up properly.

Finally, I got these problems solved by adding these allowed domains in the DNS Firewall WUI:

icloud-content.com
apple.com
apple-dns.net
token.safebrowsing.apple
icloud.com
spiegel.de
cdn.prod.www.spiegel.de.edgesuite.net
mzstatic.com

With these allowed domains, the blocking of the other selected lists is working on both Apple and non-Apple devices.

Question: Is this a good approach or are there better approaches?

Depends which approach you mean: the allowance on IPFire or the use of DoH. :wink:

Are all the defined exceptions necessary? Are these domains logged as blocked by the DoH DNS filter?

BTW: I have no problems accessing www.spiegel.de, no blocks by the DNS firewall. Restrictions exist because of the Spiegel policy (reading of articles only with registration).

Thanks Bernhard for your swift reply.

Based on your feedback, I’ve removed the Spiegel-related allowed domains, and surprise, surprise: Spiegel can be accessed. Unfortunately I cannot reproduce my previous problem with Spiegel.

Concerning the Apple services, I haven’t tested all allowed Apple domains, but some I was able to see in the IPFire system log for unbound.

Here are some unbound messages:

07:04:40 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] mask-api.icloud.com. rpz-nxdomain 192.168.X.Y@58848 mask-api.icloud.com. HTTPS IN
07:04:40 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] *.apple-dns.net. rpz-nxdomain 192.168.X.Y@54403 acsegateway.fe2.apple-dns.net. A IN
07:04:43 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] mask-api.icloud.com. rpz-nxdomain 192.168.X.Y@59834 mask-api.icloud.com. A IN

In my old system log, I found this entry concerning Spiegel:

07:42:53 unbound: [2546:1] info: rpz: applied [smart-tv.rpz.ipfire.org] *.edgesuite.net. rpz-nxdomain 192.168.X.Y@57969 cdn.prod.www.spiegel.de.edgesuite.net. A IN

Interestingly, although the smart-tv list is still active, I do not get this message any more.

For apple stuff:

Allow this for Apple login and many other Apple services:
fe2.apple-dns.net

Allow this for Apple updates (OS & App updates):
xp.apple.com

That is all I found so far. I am still experimenting…

If you enabled Apple Private Relay, then you will need other Apple sites in the allow list. Private Relay seems to rely on Apple DoH. (I don’t use Private Relay, so I don’t have any advice.)

Thanks, Jon.

Please keep me posted here on your experimentation results.

I reduced my list of allowed domains in IPFire CU 201’s WUI to just 4 entries:

icloud.com
apple.com
safebrowsing.apple
apple-dns.net

Unfortunately, I need to reboot IPFire after each change of allowed domains. Such tests are quite time-consuming.

The DoH list of the DNS Firewall includes the following Apple domains:

grep apple /var/cache/unbound/doh.rpz.ipfire.org.zone
proxy.safebrowsing.apple.doh.rpz.ipfire.org. 60 IN CNAME .
*.proxy.safebrowsing.apple.doh.rpz.ipfire.org. 60 IN CNAME .
token.safebrowsing.apple.doh.rpz.ipfire.org. 60 IN CNAME .
*.token.safebrowsing.apple.doh.rpz.ipfire.org. 60 IN CNAME .
doh.dns.apple.com.v.aaplimg.com.doh.rpz.ipfire.org. 60 IN CNAME .
*.doh.dns.apple.com.v.aaplimg.com.doh.rpz.ipfire.org. 60 IN CNAME .
doh-dns-apple-com.v.aaplimg.com.doh.rpz.ipfire.org. 60 IN CNAME .
*.doh-dns-apple-com.v.aaplimg.com.doh.rpz.ipfire.org. 60 IN CNAME .
doh.dns.apple.com.doh.rpz.ipfire.org. 60 IN CNAME .
*.doh.dns.apple.com.doh.rpz.ipfire.org. 60 IN CNAME .
dns.applewebkit.dev.doh.rpz.ipfire.org. 60 IN CNAME .
*.dns.applewebkit.dev.doh.rpz.ipfire.org. 60 IN CNAME .
adguard.richardapplegate.io.doh.rpz.ipfire.org. 60 IN CNAME .
*.adguard.richardapplegate.io.doh.rpz.ipfire.org. 60 IN CNAME .
adguard2.richardapplegate.io.doh.rpz.ipfire.org. 60 IN CNAME .
*.adguard2.richardapplegate.io.doh.rpz.ipfire.org. 60 IN CNAME .
apple-dns.net.doh.rpz.ipfire.org. 60 IN CNAME .
*.apple-dns.net.doh.rpz.ipfire.org. 60 IN CNAME .

and

grep icloud /var/cache/unbound/doh.rpz.ipfire.org.zone
mask.icloud.com.doh.rpz.ipfire.org. 60 IN CNAME .
*.mask.icloud.com.doh.rpz.ipfire.org. 60 IN CNAME .
mask-api.icloud.com.doh.rpz.ipfire.org. 60 IN CNAME .
*.mask-api.icloud.com.doh.rpz.ipfire.org. 60 IN CNAME .
mask-canary.icloud.com.doh.rpz.ipfire.org. 60 IN CNAME .
*.mask-canary.icloud.com.doh.rpz.ipfire.org. 60 IN CNAME .
mask-h.icloud.com.doh.rpz.ipfire.org. 60 IN CNAME .
*.mask-h.icloud.com.doh.rpz.ipfire.org. 60 IN CNAME .
mask-h2.icloud.com.doh.rpz.ipfire.org. 60 IN CNAME .
*.mask-h2.icloud.com.doh.rpz.ipfire.org. 60 IN CNAME .

Using DNSLEAKTEST or browserleaks it is possible to identify the DNS servers used by a browser, e.g. Firefox or Safari.
In my case, only the DNS servers specified in IPFire’s Network → Domain Name System WUI got listed. Still, I am not yet 100% sure that my Apple devices never make use of Apple’s DoH.

There is a possibility for Apple devices to enforce the usage of DoT with a .mobileconfig profile, e.g. here or here. However, I’ve not yet experimented with this approach.

Does anybody here have experience using .mobileconfig in conjunction with IPFire’s DNS Firewall?

Keep in mind: if the DoH sites are open, then there is an easy “way around” the DNS Firewall.

I have many different types of Apple devices and I haven’t found anything that doesn’t work (yet) with the two sites recommended above.

I went from 199 to 201, with a restore from the 199, and found I was no longer able to access my bank via its app from my Apple device. Reading this blog it seems that it is related to Apple’s domains. I had to use a VPN to get around that. I will later try the recommended whitelisting of those Apple domains.

However, when I went to check IPFire’s DNS Servers status, I clicked “Check DNS Servers” and although the statuses came back as “ok”, the main status indicator on the top left indicated “broken” in red.

I’d love to display my screen capture, but don’t know how to do that in this blog.

Rej

Hi Jon,

Based on your statement, I’ve set in IPFire’s DNS Firewall just your two allowed domains:

fe2.apple-dns.net
xp.apple.com

After a reboot and waiting some minutes until the DNS service is back, I tried to send a camera picture per iMessage from one of my Apple devices (IP is 192.168.X.X below) to another Apple device (IP is 192.168.X.Y below).

It did not work: the picture can’t be delivered.
In the IPFire system log for unbound I am getting these messages:

08:56:03 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@64027 gateway.fe2.apple-dns.net. A IN
08:56:03 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:03 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@50000 content.fe2.apple-dns.net. HTTPS IN
08:56:03 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@57842 content.fe2.apple-dns.net. A IN
08:56:03 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@57049 content.fe2.apple-dns.net. HTTPS IN
08:56:03 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:03 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@50088 content.fe2.apple-dns.net. HTTPS IN
08:56:03 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:03 unbound: [2546:1] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@58756 content.fe2.apple-dns.net. A IN
08:56:03 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:04 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@58781 content.fe2.apple-dns.net. HTTPS IN
08:56:04 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:04 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@57757 content.fe2.apple-dns.net. A IN
08:56:04 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:04 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@61264 content.fe2.apple-dns.net. HTTPS IN
08:56:04 unbound: [2546:1] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@50059 content.fe2.apple-dns.net. A IN
08:56:04 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:04 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:09 unbound: [2546:1] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@56729 content.fe2.apple-dns.net. A IN
08:56:09 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:09 unbound: [2546:3] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@49911 content.fe2.apple-dns.net. HTTPS IN
08:56:09 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:09 unbound: [2546:3] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@63811 content.fe2.apple-dns.net. HTTPS IN
08:56:09 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:09 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@63585 content.fe2.apple-dns.net. A IN
08:56:09 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:50 unbound: [2546:0] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@55107 17.courier-push-apple.com.akadns.net. HTTPS IN
08:56:50 unbound: [2546:3] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@60642 17.courier-push-apple.com.akadns.net. A IN
08:56:50 unbound: [2546:1] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@55159 43.courier-push-apple.com.akadns.net. HTTPS IN
08:56:50 unbound: [2546:3] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@61164 43.courier-push-apple.com.akadns.net. A IN
08:56:50 unbound: [2546:0] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@61995 43.courier-push-apple.com.akadns.net. HTTPS IN
08:56:50 unbound: [2546:0] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@55096 43.courier-push-apple.com.akadns.net. A IN
08:57:04 unbound: [2546:3] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@55825 26.courier-push-apple.com.akadns.net. HTTPS IN
08:57:04 unbound: [2546:3] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@53142 26.courier-push-apple.com.akadns.net. A IN
08:57:04 unbound: [2546:3] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@53053 26.courier-push-apple.com.akadns.net. HTTPS IN
08:57:04 unbound: [2546:3] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@57779 26.courier-push-apple.com.akadns.net. A IN
08:57:06 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] *.apple-dns.net. rpz-nxdomain 192.168.X.X@57640 gateway-asset.ce.apple-dns.net. HTTPS IN
08:57:06 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] *.apple-dns.net. rpz-nxdomain 192.168.X.X@59035 gateway-asset.ce.apple-dns.net. A IN
08:57:06 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@49886 content.fe2.apple-dns.net. HTTPS IN
08:57:06 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:06 unbound: [2546:1] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@55618 content.fe2.apple-dns.net. A IN
08:57:06 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:06 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@54858 content.fe2.apple-dns.net. A IN
08:57:06 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:06 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@52410 content.fe2.apple-dns.net. HTTPS IN
08:57:06 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:07 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@65327 content.fe2.apple-dns.net. HTTPS IN
08:57:07 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:07 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@50789 content.fe2.apple-dns.net. A IN
08:57:07 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:07 unbound: [2546:1] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@57700 content.fe2.apple-dns.net. HTTPS IN
08:57:07 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:07 unbound: [2546:1] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@63169 content.fe2.apple-dns.net. A IN
08:57:07 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:13 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@63399 content.fe2.apple-dns.net. A IN
08:57:13 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@53376 content.fe2.apple-dns.net. HTTPS IN
08:57:13 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:13 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:19 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@51432 content.fe2.apple-dns.net. HTTPS IN
08:57:19 unbound: [2546:3] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@62113 content.fe2.apple-dns.net. A IN
08:57:19 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:19 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:19 unbound: [2546:3] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@64519 content.fe2.apple-dns.net. A IN
08:57:19 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:19 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@58026 content.fe2.apple-dns.net. HTTPS IN
08:57:19 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:25 unbound: [2546:1] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@59226 content.fe2.apple-dns.net. A IN
08:57:25 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:25 unbound: [2546:1] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@58240 content.fe2.apple-dns.net. HTTPS IN
08:57:25 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:46 unbound: [2546:3] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@59675 content.fe2.apple-dns.net. HTTPS IN
08:57:46 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:57:46 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@56217 content.fe2.apple-dns.net. A IN
08:57:46 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:58:01 unbound: [2546:3] info: rpz: applied [ads.rpz.ipfire.org] *.iadsdk.apple.com. rpz-nxdomain 192.168.X.Y@59027 tr.iadsdk.apple.com. HTTPS IN
08:58:01 unbound: [2546:1] info: rpz: applied [ads.rpz.ipfire.org] *.iadsdk.apple.com. rpz-nxdomain 192.168.X.Y@49761 tr.iadsdk.apple.com. A IN
08:58:04 unbound: [2546:1] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@55535 22.courier-push-apple.com.akadns.net. A IN
08:58:04 unbound: [2546:1] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@52438 22.courier-push-apple.com.akadns.net. HTTPS IN
08:58:04 unbound: [2546:3] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@63517 22.courier-push-apple.com.akadns.net. HTTPS IN
08:58:04 unbound: [2546:1] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@52429 22.courier-push-apple.com.akadns.net. A IN
08:58:05 unbound: [2546:2] info: rpz: applied [custom] xp.apple.com. rpz-passthru 192.168.X.Y@52381 xp.apple.com. HTTPS IN
08:58:05 unbound: [2546:1] info: rpz: applied [custom] xp.apple.com. rpz-passthru 192.168.X.Y@59436 xp.apple.com. A IN
08:58:19 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] *.apple-dns.net. rpz-nxdomain 192.168.X.X@61395 gateway-asset.ce.apple-dns.net. HTTPS IN
08:58:19 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] *.apple-dns.net. rpz-nxdomain 192.168.X.X@63872 gateway-asset.ce.apple-dns.net. A IN
08:58:20 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@49524 content.fe2.apple-dns.net. A IN
08:58:20 unbound: [2546:3] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@59317 content.fe2.apple-dns.net. HTTPS IN
08:58:20 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:58:20 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:58:20 unbound: [2546:1] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@60657 content.fe2.apple-dns.net. A IN
08:58:20 unbound: [2546:0] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@60369 content.fe2.apple-dns.net. HTTPS IN
08:58:20 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:58:20 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:58:30 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] mask.icloud.com. rpz-nxdomain 192.168.2.22@50221 mask.icloud.com. HTTPS IN
08:58:30 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] mask.icloud.com. rpz-nxdomain 192.168.2.22@58260 mask.icloud.com. A IN
08:58:38 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] mask-api.icloud.com. rpz-nxdomain 192.168.X.X@61981 mask-api.icloud.com. HTTPS IN
08:58:38 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] mask-api.icloud.com. rpz-nxdomain 192.168.X.X@61618 mask-api.icloud.com. A IN
08:58:44 unbound: [2546:1] info: rpz: applied [doh.rpz.ipfire.org] mask-api.icloud.com. rpz-nxdomain 192.168.2.22@59587 mask-api.icloud.com. HTTPS IN
08:58:44 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] mask-api.icloud.com. rpz-nxdomain 192.168.2.22@59766 mask-api.icloud.com. A IN
08:59:04 unbound: [2546:0] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@55671 40.courier-push-apple.com.akadns.net. HTTPS IN
08:59:04 unbound: [2546:3] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@55021 40.courier-push-apple.com.akadns.net. A IN
08:59:38 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.2.22@51628 gateway.fe2.apple-dns.net. HTTPS IN
08:59:38 unbound: [2546:3] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.2.22@64665 gateway.fe2.apple-dns.net. A IN
08:59:38 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:59:38 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
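
To answer the earlier question of which allow entries are really necessary, here is an added helper of my own (not IPFire's code) that parses unbound's "rpz: applied" log lines and reports the blocked names a proposed allow list would still miss. It assumes, as the [custom] lines in the log show, that an allow entry passes through the name itself and everything below it; the sample lines are a constructed excerpt copied from the log above, and JON_ALLOW_LIST is the 4-item list discussed in this thread.

```python
"""Summarise unbound RPZ log lines and check a proposed allow list against them."""
import re
from collections import Counter

# Shape of the "rpz: applied" lines in IPFire's unbound log. The client@port
# field is absent on DS lookups unbound issues on its own (see the DS lines above).
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) unbound: \[(?P<pid>\d+):(?P<thread>\d+)\] info: "
    r"rpz: applied \[(?P<rpz>[^\]]+)\] (?P<trigger>\S+) (?P<action>rpz-\S+) "
    r"(?:(?P<client>[^@\s]+)@(?P<port>\d+) )?(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

# Constructed sample: a handful of lines copied from the log excerpt in the thread.
SAMPLE_LOG = """\
08:56:03 unbound: [2546:2] info: rpz: applied [custom] *.fe2.apple-dns.net. rpz-passthru 192.168.X.X@64027 gateway.fe2.apple-dns.net. A IN
08:56:03 unbound: [2546:2] info: rpz: applied [doh.rpz.ipfire.org] apple-dns.net. rpz-nxdomain apple-dns.net. DS IN
08:56:50 unbound: [2546:0] info: rpz: applied [ads.rpz.ipfire.org] *.courier-push-apple.com.akadns.net. rpz-nxdomain 192.168.X.Y@55107 17.courier-push-apple.com.akadns.net. HTTPS IN
08:57:06 unbound: [2546:3] info: rpz: applied [doh.rpz.ipfire.org] *.apple-dns.net. rpz-nxdomain 192.168.X.X@57640 gateway-asset.ce.apple-dns.net. HTTPS IN
08:58:05 unbound: [2546:2] info: rpz: applied [custom] xp.apple.com. rpz-passthru 192.168.X.Y@52381 xp.apple.com. HTTPS IN
08:58:38 unbound: [2546:0] info: rpz: applied [doh.rpz.ipfire.org] mask-api.icloud.com. rpz-nxdomain 192.168.X.X@61981 mask-api.icloud.com. HTTPS IN
08:58:01 unbound: [2546:3] info: rpz: applied [ads.rpz.ipfire.org] *.iadsdk.apple.com. rpz-nxdomain 192.168.X.Y@59027 tr.iadsdk.apple.com. HTTPS IN
"""

# The 4-item allow list from this thread, used as the proposal to test.
JON_ALLOW_LIST = ["fe2.apple-dns.net", "xp.apple.com",
                  "courier-push-apple.com.akadns.net", "ce.apple-dns.net"]


def parse_rpz_log(text):
    """Return one dict per 'rpz: applied' line; lines of any other shape are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["qname"] = ev["qname"].rstrip(".").lower()   # normalise trailing dot
            events.append(ev)
    return events


def allow_covers(allow_list, qname):
    """True if an allow entry covers qname.

    Assumption (matches the [custom] log lines): each allow entry acts as an exact
    passthru for the name plus a *.name wildcard, so 'fe2.apple-dns.net' covers
    'content.fe2.apple-dns.net' but NOT the parent 'apple-dns.net'.
    """
    qname = qname.rstrip(".").lower()
    for entry in allow_list:
        entry = entry.rstrip(".").lower()
        if qname == entry or qname.endswith("." + entry):
            return True
    return False


def blocked_not_covered(events, allow_list):
    """Count blocked queries, keyed by (rpz list, qname, qtype), that the allow list misses."""
    counts = Counter()
    for ev in events:
        if ev["action"] == "rpz-passthru":          # already allowed
            continue
        if allow_covers(allow_list, ev["qname"]):    # would be allowed with this list
            continue
        counts[(ev["rpz"], ev["qname"], ev["qtype"])] += 1
    return counts


def report(text, allow_list):
    """Print and return the blocked names still missed by allow_list."""
    missing = blocked_not_covered(parse_rpz_log(text), allow_list)
    for (rpz, qname, qtype), n in sorted(missing.items()):
        print(f"{n:3d}  {rpz:22s} {qtype:6s} {qname}")
    return missing


if __name__ == "__main__":
    report(SAMPLE_LOG, JON_ALLOW_LIST)
```

On the sample, the report lists the DS lookup for apple-dns.net, mask-api.icloud.com and tr.iadsdk.apple.com as still blocked; gateway-asset.ce.apple-dns.net and the courier-push names are covered by the 4-item list.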

“yet” just arrived. Found one more domain related to “a routing node to deliver real-time notifications—such as messages, app alerts, and emails—to iOS and macOS devices.”

I just added this to the allow list:

courier-push-apple.com.akadns.net

I’m glad you posted this. I was about to post a similar message. My wife and I have noticed that when we are connected to our home wifi, pictures and emojis fail to send when we text each other. It started about the time I enabled the DNS-over-HTTPS rule in IPFire DNS Firewall. We both use Apple iPhones. So this thread will be useful for me.

On an unrelated topic, I also noticed when I enable the Smart TV rules, our smart TV is basically unusable. None of our streaming channels load properly. So that rule was quickly disabled. Not sure of the purpose of this rule if it completely incapacitates the functionality of the smart TV.

Hi Jon,

Thanks for posting your progress. I tested your 3-item allowed domains list:

courier-push-apple.com.akadns.net
fe2.apple-dns.net
xp.apple.com

With this whitelist my problem of not being able to send iMessage pictures to another Apple device still exists. I will switch back to my 4-item whitelist.

Please try to send a camera picture from the iMessage app to another Apple account.

P.S.: The WAF (woman acceptance factor) of IPFire is declining towards zero if Apple devices no longer work.

My driving force is the same! (not your wife, but my wife!)


EDIT:

This is my current test to help with images:

ce.apple-dns.net

still testing…


EDIT2: This seems to work for me for pictures/images/screenshots.

And this is my current list for Apple devices:

fe2.apple-dns.net
courier-push-apple.com.akadns.net
ce.apple-dns.net
xp.apple.com

  1. Allow this for Apple login and many other Apple services:
    fe2.apple-dns.net

  2. Allow this for Apple updates (OS & App updates):
    xp.apple.com

  3. Allow this for real-time notifications (such as messages, app alerts, and emails) to iOS and macOS devices:
    courier-push-apple.com.akadns.net

  4. Allow this for Messages.app images:
    ce.apple-dns.net

Hi Jon,

Thanks for your extended list of allowed domains.

Using your 4-item list, I can confirm that iMessage pictures can be sent and received.

I will from now on use your 4-item list of allowed domains since it is more specific.

Let’s see if the WAF factor goes up to 100% again.

I too am having issues since upgrading to CU 201 and it is quite frustrating.

At this point, is there a way to disable the DNS firewall? I have many notifications not coming in to my devices if they are connected to the IPFire network.

Is it correct that the only way to make changes to the DNS firewall for exceptions is to restart IPFire?

Please update the forum, as it seems like many people are having these issues.

There is no need to disable the DNS Firewall. The DNS Firewall is enabled at the moment you select one of the lists. So ‘disable’ means deselecting all lists.

Adding exceptions (allow or deny) is done in the WUI page. Pressing ‘save’ reloads unbound. It isn’t necessary to restart unbound or IPFire.

The forum can be ‘updated’ only by rewriting posts by the author(s).
If you refer to the docs, this is the wiki. If you want to enhance it, you are invited to do so. Your community credentials are working with this also.

Hi Jack,

For a few days now, I have been using the DNS Firewall with @Jon’s list of 4 allowed domains without any noticeable limitations for Apple devices:

xp.apple.com
ce.apple-dns.net
fe2.apple-dns.net
courier-push-apple.com.akadns.net

Just a little comment about these modifications.
Allowing some domains for Apple devices means allowing some proprietary solutions of Apple.
A general allowance in the DBL list is no solution. Each admin of an IPFire system should decide this on their own.

Are the notifications on Apple Devices?