NextDNS and Apple Private Relay

I am attempting to find out if using NextDNS with Private Relay defeats the privacy protections of Private Relay.

Apple’s documentation states, for custom DNS settings, that:

If a user has configured custom-encrypted DNS settings using a profile or an app, the DNS server specified will be used instead of ODoH. Safari connections and all unencrypted HTTP connections will also resolve names using the specified DNS server prior to routing through Private Relay.

Source: Apple PDF

It is this ‘prior to routing’ that I am concerned about. Will an ISP or other observer on the network be able to see this traffic? Does having custom DNS with Private Relay defeat the purpose?

NextDNS commented on this in their forums (which they don’t respond to very frequently, unfortunately) with the statement below, but it does not seem to answer my question, though that may be due to ignorance on my part.

The current behavior, and most likely the behavior of the release, is that iOS (and macOS), when Private Relay is enabled, is using NextDNS only to check if a domain is blocked, but uses the Private Relay’s DNS (Cloudflare, Akamai…) for the actual DNS resolution (all DNS requests are duplicated).

Source: NextDNS Forums

Any help figuring out the details here would be greatly appreciated. If Private Relay works without compromising privacy with NextDNS that would be awesome.

No, since the DNS queries are encrypted.
From Cloudflare:

DNS over TLS and DNS over HTTPS are two standards developed for encrypting plaintext DNS traffic in order to prevent malicious parties, advertisers, ISPs, and others from being able to interpret the data.

Kinda yes, because you are trusting the DNS resolver (in this case NextDNS). NextDNS can see your IP address and DNS queries.

If there is no specified DNS resolver set up, Private Relay will use Oblivious DNS over HTTPS (currently Private Relay uses Cloudflare’s public resolver). Apple introduced ODoH to prevent even the DNS resolvers from collecting DNS traffic by separating the identity of the requester from the content of the query (this is a very simplified explanation of what’s happening).

Ultimately, it comes down to if you trust NextDNS.

I hope that answered your question.

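The answer above rests on the query name travelling inside an HTTPS request rather than in a plaintext UDP packet. The following is an added example, not code from the thread, from NextDNS or from Apple: it builds a wire-format DNS query, wraps it in the RFC 8484 GET form (`?dns=` with unpadded base64url), and parses a constructed reply, including the name-compression pointer that real responses use. The endpoint `https://dns.example/dns-query` and the answer address are placeholders chosen for the example.

```python
"""DNS-over-HTTPS (RFC 8484) query builder and reply parser.

Added illustration; not code from the forum thread, NextDNS or Apple.
The endpoint and the sample reply below are constructed placeholders.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1
MAX_POINTER_JUMPS = 16  # guard against compression-pointer loops in hostile replies


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query: ID 0 (as RFC 8484 recommends for cacheability), RD set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: the query goes in a 'dns' parameter, base64url, no padding.
    Everything after the scheme and host is inside TLS, so an on-path observer
    sees the resolver's address and SNI but not the queried name."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumps, end, jumped = [], 0, offset, False
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Return the response code and the answer records (A records decoded)."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, "A", ".".join(str(b) for b in rdata), ttl))
        else:
            answers.append((name, rtype, rdata.hex(), ttl))
    return {"rcode": flags & 0x000F, "answers": answers}


def make_sample_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply: echoes the question and adds one A record whose name
    is a compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; NOERROR
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://dns.example/dns-query", q))
    print(parse_response(make_sample_response(q, "93.184.216.34")))
```

Run it with `python3` to see the URL an actual DoH client would fetch; the `dns=` value is the only part that names `example.com`, and it sits in the encrypted request path. That is why the ISP only learns which resolver was contacted, while the resolver itself still sees both the client address and the name, which is the trust question the answer ends on.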

Thank you! I think my misunderstanding was with the flow of the traffic. An outside observer, like my ISP, would see me connect to the IP address of the NextDNS server, but the content of the traffic is encrypted. This is normal DoH. In the process, anything on the block list is stripped out before the next step in the traffic flow.

Then my device connects to the first ‘hop’ of Private Relay. The ISP sees I’m connecting to the PR IP address but not the traffic content, which is encrypted. From there the traffic origin is anonymized to the second PR server, which only knows the destination.

So overall this is a pretty good privacy and security setup for Safari traffic (as long as you trust Apple’s PR implementation), but the trade-off is the time wasted on an extra DNS lookup at the second PR server.

So I may have a speed penalty but not a security or privacy one by using NextDNS with PR.

Thank you again for helping me learn.