DNS Traffic Dropped as Threat Due to iCloud Private Relay Domains categorized under Proxy Avoidance and Anonymizers


53422
Created On 03/31/25 23:28 PM - Last Modified 10/15/25 16:40 PM


Symptom


  • DNS traffic to the following domains is blocked as a security threat:
    • mask-h2.icloud.com
    • mask.apple-dns.net
    • mask.icloud.com
  • Threat logs show Threat ID 109010004 with Threat/Content Name Proxy:mask.apple-dns.net(109010004) and action drop.
  • Users may experience connectivity issues when browsing or using apps that rely on Private Relay.
  • The firewall categorizes the domains as Proxy Avoidance and Anonymizers and drops the traffic.


Environment


  • Palo Alto Networks firewall
  • Any PAN-OS version above 8.0
  • Apple devices
  • iCloud Private Relay


Cause


  • iCloud Private Relay encrypts users' traffic and routes it through Apple's proxy servers to mask their IP addresses.
  • Palo Alto Networks' security categorization lists these domains under Proxy Avoidance and Anonymizers in PAN-DB (the URL filtering database).
  • Enterprise security policies typically block anonymizing services to prevent users from bypassing DNS and web filtering controls, so the DNS lookups for these domains are dropped.


Resolution


Apply whichever of the following resolutions fits your security requirements:

1. Add a DNS exception if the traffic is legitimate:
If you trust iCloud Private Relay, add a DNS exception for these FQDNs in the Anti-Spyware profile that is attached to the security policy matching the DNS traffic, then commit. Note that the exception only stops the firewall from dropping the DNS lookups; once Private Relay is working, those users' web traffic leaves the network encrypted to Apple's relays and is no longer subject to the web filtering controls described above.

Objects -> Security Profiles -> Anti-Spyware -> DNS Exceptions -> Add Domain/FQDN.

2. Disable iCloud Private Relay (for corporate networks requiring full visibility):
On each affected Apple device:

Settings > Apple ID > iCloud > Private Relay, and toggle it off.

This ensures network policies remain enforced and traffic stays visible to the security team.



Additional Information


  • More details on the iCloud Private Relay domains can be found on Apple's support page.
  • Palo Alto Networks Threat Vault may provide updates on the classification of these domains.
  • For subdomains, use a wildcard, such as *.apple-dns.net. A wildcard exempts every subdomain, not only the relay hosts listed above, so prefer the explicit FQDNs unless broader coverage is intended.
  • If users still experience issues after allowing the domains, check the threat and traffic logs to confirm the exception is actually matching, and perform further traffic analysis.
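Before adding the exception in Resolution 1, and when verifying logs as described in the last bullet above, it helps to triage which sources are hitting the Private Relay signature and what a wildcard entry would actually cover. The script below is an added example, not Palo Alto Networks' or Apple's code. The log lines are constructed with a simplified, hypothetical column layout (a real PAN-OS threat-log export has many more columns, so map the column names to your export); the unrelated anonymizer row uses a placeholder signature ID of 0, and the only real identifiers are the three FQDNs and Threat ID 109010004 quoted in this article.

```python
"""Triage PAN-OS threat-log drops for iCloud Private Relay domains.

Added example (not vendor code). SAMPLE_LOG is a constructed export with a
simplified, hypothetical column layout; adapt the column names to your export.
"""
import csv
import re
from collections import Counter, defaultdict
from fnmatch import fnmatchcase
from io import StringIO

# Domains this article says PAN-DB lists under Proxy Avoidance and Anonymizers.
PRIVATE_RELAY_FQDNS = {"mask-h2.icloud.com", "mask.apple-dns.net", "mask.icloud.com"}
# Threat ID quoted in the article for the Proxy:mask.apple-dns.net signature.
PRIVATE_RELAY_THREAT_IDS = {"109010004"}

# Constructed sample (hypothetical layout, not a real capture). The signature
# ID 0 on the anonymizer.example row is a placeholder, not a real signature.
SAMPLE_LOG = """\
receive_time,src,dst,app,rule,threat_name,action,category
2025/03/31 23:01:10,10.1.5.23,10.1.0.2,dns-base,allow-dns,Proxy:mask.apple-dns.net(109010004),drop,proxy-avoidance-and-anonymizers
2025/03/31 23:01:12,10.1.5.23,10.1.0.2,dns-base,allow-dns,Proxy:mask.apple-dns.net(109010004),drop,proxy-avoidance-and-anonymizers
2025/03/31 23:02:45,10.1.7.88,10.1.0.2,dns-base,allow-dns,Proxy:mask.apple-dns.net(109010004),drop,proxy-avoidance-and-anonymizers
2025/03/31 23:03:01,10.1.9.14,10.1.0.2,dns-base,allow-dns,Proxy:anonymizer.example(0),drop,proxy-avoidance-and-anonymizers
2025/03/31 23:03:30,10.1.5.23,10.1.0.2,dns-base,allow-dns,Proxy:mask.apple-dns.net(109010004),alert,proxy-avoidance-and-anonymizers
"""


def parse_threat_name(threat_name):
    """Split 'Proxy:mask.apple-dns.net(109010004)' into ('mask.apple-dns.net', '109010004')."""
    m = re.fullmatch(r"[A-Za-z]+:([^()\s]+)\((\d+)\)", threat_name.strip())
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


def triage_private_relay_drops(log_text):
    """Count dropped Private Relay lookups per source IP, and separately count
    drops of other anonymizer signatures that the exception must NOT cover."""
    relay_drops = defaultdict(Counter)  # src -> Counter(domain)
    other_drops = Counter()             # threat_name -> count
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "drop":     # only the drops cause the symptom
            continue
        domain, threat_id = parse_threat_name(row["threat_name"])
        if domain in PRIVATE_RELAY_FQDNS or threat_id in PRIVATE_RELAY_THREAT_IDS:
            relay_drops[row["src"]][domain] += 1
        elif row["category"] == "proxy-avoidance-and-anonymizers":
            other_drops[row["threat_name"]] += 1
    return {
        "relay_drops": {src: dict(c) for src, c in relay_drops.items()},
        "other_anonymizer_drops": dict(other_drops),
    }


def covered_by_exceptions(fqdn, exceptions):
    """True if fqdn is matched by an explicit FQDN entry or a '*.' wildcard entry.
    A wildcard such as '*.apple-dns.net' matches any depth of subdomain but not
    the bare apex 'apple-dns.net'."""
    fqdn = fqdn.lower()
    for entry in exceptions:
        entry = entry.lower()
        if entry.startswith("*."):
            if fnmatchcase(fqdn, entry):
                return True
        elif fqdn == entry:
            return True
    return False


def unintended_reach(exceptions, observed_domains):
    """Domains from the logs that the exception list would exempt even though
    they are not one of the three Private Relay hosts (the wildcard caveat)."""
    return sorted(
        d for d in set(observed_domains)
        if covered_by_exceptions(d, exceptions) and d not in PRIVATE_RELAY_FQDNS
    )


if __name__ == "__main__":
    summary = triage_private_relay_drops(SAMPLE_LOG)
    for src, domains in summary["relay_drops"].items():
        print(f"{src}: Private Relay DNS drops {domains}")
    print("Other anonymizer drops (keep blocked):", summary["other_anonymizer_drops"])
    # "other.apple-dns.net" is a constructed name used only to show the wildcard's reach.
    print("Wildcard over-reach:", unintended_reach(["*.apple-dns.net"],
                                                    ["mask.apple-dns.net", "other.apple-dns.net"]))
```

Run it against your own CSV export by replacing SAMPLE_LOG with the file contents; sources with many relay drops are the users whose Private Relay is being broken, while anything listed under other anonymizer drops should stay blocked and argues for explicit FQDN entries rather than a wildcard.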


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000PRR2CAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail