I’m not sure, it depends on your configuration and blocking list. I don’t use native tracking protection, and my blocklist (oisd) prioritizes functionality over blocking, so in my case everything just works and I don’t have anything special added to my whitelist. I don’t like DNS blocking to be in the way and I also share my configuration with some family members, so that’s why I’ve made this choice, but if you prefer a stricter approach you might have to do some whitelisting.
oktoberpaard
joined 2 years ago
If the iCloud Private Relay ODoH DNS server is used it will show up as a DNS leak, even if the IP address from its response isn’t used for browsing. For privacy it doesn’t matter, as with ODoH the DNS resolver doesn’t know your IP or identity, the most important thing is whether it will bypass the NextDNS blocklist. In my testing I couldn’t visit any website that was blocked by NextDNS, meaning that the iCloud DNS resolver wasn’t used as the primary DNS resolver, which matches with their documentation (that page 10 that I linked to earlier). Note that Apple will only use a custom DNS resolver if you’re using the native DoH option, so for example the configuration that you can get from https://apple.nextdns.io/.
You can easily test it yourself: block a hostname in NextDNS that you haven’t visited recently (due to cache) and try to visit it in Safari.
I don’t know why Apple still uses the Cloudflare DNS resolver even if it seems to be ignoring its responses. Maybe they use it for some custom metadata that’s sent along with the request which somehow is important for the relay. All I know is that I’ve never seen it bypassing the NextDNS blocklist, which again is exactly how it’s documented by Apple.
So for some reason Apple keeps using their DNS resolver even with a custom DoH resolver configured, but in my testing it didn’t affect the blocking capabilities of NextDNS at all, meaning that the answers from their resolver are just ignored (or used for some other purpose). The way NextDNS knows that you’re using another resolver is by letting the browser resolve some unique hostnames, so that way it will show up even if the answers from that resolver aren’t used. As to why Apple does this I don’t know. In theory it could be the case that Apple just used whichever answer arrives first and that NextDNS just happened to be faster in my testing, but that doesn’t match with how it’s documented in their PDF.
Which one to pick (if you don’t just want to use them at the same time) depends on what your goal is. I use iCloud Private Relay + NextDNS + AdGuard, but nowadays I mainly use another browser with a built-in adblocker, so iCloud Private Relay and AdGuard aren’t used in that case.
I use NextDNS everywhere I can and use a list that prioritizes not breaking anything. It’s a nice backstop. It’s not a replacement for an in-browser adblocker in my opinion, unless you don’t care that it’s less effective.
Contrary to common believe, iCloud Private Relay and NextDNS are compatible and can both be enabled at the same time, see page 10 of https://www.apple.com/icloud/docs/iCloud_Private_Relay_Overview_Dec2021.pdf. When you try to visit a blocked hostname in Safari, you’ll see that it won’t work. This is something that I’ve personally confirmed.
What NextDNS solves and iCloud Private Relay doesn’t, is blocking hostnames system wide, thereby completely blocking some ads and tracking. What iCloud Private Relay solves is hiding your browsing traffic a bit better within your local network and from your ISP, as well as hiding your IP from trackers and hiding your identity from their DNS resolver (not from NextDNS, though).
Some background information why using HTTPS together with encrypted DNS doesn’t fully hide which websites you visit (yet): https://blog.cloudflare.com/announcing-encrypted-client-hello.
If I had to choose, I’d go with NextDNS for system wide blocking and I’d add an adblocker browser extension to block trackers and ads that can’t be blocked with DNS based blocking. But you don’t have to choose and can use both at the same time.
And it does proper split DNS by default, using the search domains of each interface. That way you can configure a global DNS resolver while still being able to resolve local hostnames and without leaking other queries. I just hope they’ll also add DoH support, which is less likely to be blocked on a corporate network.
For me it works fine, but I guess that might be because I use the flatpak version of Firefox.
If you don’t mind, can you then tell me why Europe should be considered its own continent separate from Asia, apart from the fact that we’ve all agreed on that a long time ago? If you check here, they actually agree with it being for historical reasons (check the “Asia and Europe” section): https://en.m.wikipedia.org/wiki/Boundaries_between_the_continents. We’ve all agreed that it’s a continent, so it’s a continent, that’s not something I’m refuting. I’m also aware that calling Eurasia a continent is in that sense false. But you seem to be confident that my statement that it’s for historical reasons rather than geographical ones is nonsense. I’m open to learning something new today.
In the context of the original post, it’s completely irrelevant. Comparing Europe or Eurasia as a continent to the US as a country is not a valid comparison and I’ve said so in my first comment. I could’ve left out that part completely without changing my point.
I’ve always grown up with the idea that Europe is a continent, but if I’m not mistaken there is no geographical basis for that. See for example Wikipedia: https://en.m.wikipedia.org/wiki/Eurasia. But yeah, we all call Europe a continent because of historical reasons and I guess that’s still taught in schools and it makes sense in that context. It’s a matter of definition. In the context of driving long distances this made up border has no meaning of course, which is why brought it up.
The Netherlands is tiny indeed! If you had asked me I would’ve guessed higher than that. You can drive from Groningen in the north to Maastricht in the south in 3.5 hours. Add 30 minutes and you can drive from Groningen to Maastricht spending most of your journey in Germany.
He’s comparing one state to one country (Sweden) and then adds that Europe is not small, which is fair, because the caption says that the “European” mind can’t comprehend this. Europe as a continent is about as big as the US, the European Union is less than half of the size of the US and the individual countries are of course way smaller than the US. Since the EU has open borders, I’d say that comparing the US to the EU is fair and EU member states can be compared to US states. For example: France is about as large as Texas, Germany about as large as Montana and Italy is comparable to New Mexico. There’s a lot of movement between EU countries and some people cross borders every day to go to work or do groceries. The highway/road just continues without interruption.
Europe as a continent is meaningless, though, and then you might as well include Asia, as Europe isn’t an actual continent (Eurasia is the worlds largest continent). You could drive all the way to Eastern China if you’d like, but you’d be crossing multiple borders with border control and visa requirements, so that makes it incomparable to driving within the US.
WSL 1 is a compatibility layer that lets Linux programs run on the Windows kernel by translating Linux system calls to Windows system calls, so in that sense I understand the name: it’s a Windows subsystem for Linux [compatibility]. It doesn’t use the Linux kernel at all. With WSL 2 they’re using a real Linux kernel in a virtual machine, so there the name doesn’t make much sense anymore.