I put in a configuration profile from NextDNS on my macOS machine to encrypt and observe DNS queries and set my Ethernet DNS servers to localhost (:: and 127.0.0.1) to make sure nothing can bypass it, however it seems that macOS will repeatedly make unencrypted DNS queries for mask-api.icloud.com (over port 53) anyway. (I can see the unencrypted lookup makes an attempt to localhost by way of Wireshark.) (Notice: mask-api.icloud.com is blocked by way of NextDNS.)

Additional, these A and AAAA queries for mask-api.icloud.com are paired with inexplicable PTR queries for lb._dns-sd._udp.0.0.168.192.in-addr.arpa and 0.0.168.192.in-addr.arpa.

I’m questioning if this conduct is taken into account regular, an Apple bug, or an indication of malware and if there’s some solution to disable the undesired queries in macOS. (Notice: Non-public Relay is off since I don’t use an iCloud account on macOS and the “restrict monitoring” characteristic can be off for the Ethernet connection.)

(Additionally regarding is that if this conduct is in iOS too, then it’s presumably not really potential to dam iCloud masking or encrypt all DNS requests on a cell community by way of a configuration profile since iOS doesn’t appear to offer another solution to management cell community DNS servers (i.e., I can’t blackhole the requests to localhost).)