Unimportant query - mask.icloud.com

Afternoon all,

A few days ago I installed a pi-hole on my old Raspberry Pi and it’s running a treat, very happy with it, but I noticed that every 15-30 minutes, 24 hours a day, my Vero is requesting DNS for mask.icloud.com and also mask-h2.icloud.com.

I’ve done a grep across the entire system and no files contain this URL - any ideas what it’s about?

Please don’t waste any time on this if you don’t know off the top of your head, it’s just bugging me rather than bugging the system.

Hi,

This should not happen on a fresh OSMC system. I searched and those domains are a new feature of iOS / macOS called ‘Private Relay’.

I’d suggest posting some logs.

Sam

Thanks Sam. I’ve looked through the logs and there’s no mention of icloud in any shape or form.

I’ll do a self comparison of the actual times to see if anything synchronises.

Nothing, the last entry in the log was at 08:00:32 yet icloud was pinged at 08:09:19.

Debug logging enabled?

Yes

Then it would be really strange, suggest to run tcpdump on the Vero to check the DNS query

I think this is above my skill set but I’ll look into it. The h2 domain is now running hourly but the first one is running every 5 minutes or thereabout (498 occurrences in the last 24 hours.)

TCPDUMP installed and running but “sudo tcpdump -i eth0 -c 100 udp and port 53” is bringing up Gismeteo lookups (for the weather) but it’s not bringing up anything else, even though mask.icloud.com has appeared on the pi-hole.

What command do you recommend?

Means it is not coming from the Vero :wink:

How bizarre, the pi-hole log explicitly states “osmc.lan”

[edit: Thank you for your help.]

Are you using fixed IP addresses? I always would check the IP and not DNS names unless everything is static

The Vero does have a fixed IP address but the Pi-hole log refers to it by osmc.lan and not IP.

If you want to confirm that OSMC isn’t sending those requests, then unplug the device for a couple of hours. You should not get any queries every 15-30 minutes as you previously reported if OSMC is the culprit.

Well blow me down and call me Frank, how on Earth is that possible? What on earth is spoofing osmc.lan?

Issue closed, not OSMC issue.

I’m assuming that we didn’t phone out to mask.icloud.com

Educated guess is that something has used that mDNS hostname and phoned out. Depending on how many devices you have connected, turn them off one by one and you’ll soon find the culprit.

Sam

Yeah I found the culprit but didn’t want to flood my closed thread :slight_smile: I forgot I had a work iPhone (I rarely use it but it has to be turned on) and when I turned that off the requests stopped.

Pinging “osmc”, “oscmc.lan” and “osmc.local” all correctly resolve to 192.168.0.11 which is the IP of the OSMC and they don’t respond when it’s powered off. This is the address in the Pi-hole log (as ‘osmc.lan’) so I’m thinking there’s a bug in pi-hole as the iPhone is 192.168.0.12 but appears as ‘unknown’ i.e. the DNS doesn’t get a name assigned.

Thanks for clarifying

Sam
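
Added example, not part of the thread: following the advice above to check the client IP rather than the displayed name, this Python example tallies queries for the two domains by the source address in each log line and reports how regularly each client asks. It assumes dnsmasq-style `query[...] <name> from <ip>` lines; the sample lines, PID, upstream address and `weather.example` are constructed, and the two client IPs are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed line format: "<Mon> <d> <H:M:S> dnsmasq[pid]: query[TYPE] <name> from <ip>"
QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+dnsmasq\[\d+\]:\s+"
    r"query\[[^\]]+\]\s+(\S+)\s+from\s+(\S+)$"
)

WATCHED = {"mask.icloud.com", "mask-h2.icloud.com"}  # names from the thread


def attribute_queries(lines, watched=WATCHED):
    """Return {(client_ip, name): (count, median_gap_seconds or None)}."""
    seen = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # forwarded/reply/other lines carry no client address
        stamp, name, client = m.groups()
        name = name.lower().rstrip(".")
        if name not in watched:
            continue
        # Syslog-style stamps have no year; pin one so parsing is unambiguous.
        ts = datetime.strptime("2000 " + " ".join(stamp.split()), "%Y %b %d %H:%M:%S")
        seen[(client, name)].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = (len(stamps), median(gaps) if gaps else None)
    return report


# Constructed sample lines, not taken from the poster's log.
SAMPLE = """\
Jan 10 08:00:32 dnsmasq[812]: query[A] weather.example from 192.168.0.11
Jan 10 08:04:19 dnsmasq[812]: query[A] mask.icloud.com from 192.168.0.12
Jan 10 08:04:19 dnsmasq[812]: forwarded mask.icloud.com to 192.0.2.53
Jan 10 08:09:19 dnsmasq[812]: query[A] mask.icloud.com from 192.168.0.12
Jan 10 08:09:20 dnsmasq[812]: query[HTTPS] mask-h2.icloud.com from 192.168.0.12
Jan 10 08:14:19 dnsmasq[812]: query[AAAA] mask.icloud.com from 192.168.0.12
""".splitlines()

if __name__ == "__main__":
    for (client, name), (count, gap) in sorted(attribute_queries(SAMPLE).items()):
        print(f"{client:15} {name:22} n={count} median_gap_s={gap}")
```

Keying on the source address keeps the result independent of whatever hostname the resolver later attaches to that address.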