I installed a configuration profile from NextDNS on my macOS machine to encrypt and track DNS queries and set my Ethernet DNS servers to localhost (:: and 127.0.0.1) to ensure nothing can bypass it, but it appears that macOS will repeatedly make unencrypted DNS queries for mask-api.icloud.com (over port 53) anyway. (I can see the unencrypted lookup attempts to localhost via Wireshark.) (Note: mask-api.icloud.com is blocked via NextDNS.)
Further, these A and AAAA queries for mask-api.icloud.com are paired with inexplicable PTR queries for lb._dns-sd._udp.0.0.168.192.in-addr.arpa and 0.0.168.192.in-addr.arpa.
I’m wondering if this behavior is considered normal, an Apple bug, or a sign of malware and if there’s some way to disable the undesired queries in macOS. (Note: Private Relay is off since I don’t use an iCloud account on macOS and the “limit tracking” feature is also off for the Ethernet connection.)
(Also concerning is that if this behavior is in iOS too, then it’s presumably not actually possible to block iCloud masking or encrypt all DNS requests on a mobile network via a configuration profile since iOS doesn’t seem to provide any other way to control mobile network DNS servers (i.e., I can’t blackhole the requests to localhost).)
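As an added example (not part of the question above, and not code from Apple or NextDNS), here is a small Python script that decodes the kind of plaintext port-53 queries the question describes from their raw UDP payloads and tags the ones that match DNS-SD domain enumeration. RFC 6763 section 11 has a DNS-SD client send PTR queries for b, db, r, dr and lb._dns-sd._udp under the reverse-mapping name of its own subnet, and for a 192.168.0.0/24 network that reverse name is exactly 0.0.168.192.in-addr.arpa, which is what the two PTR names in the question look like. The sample packets, the local address 192.168.0.5/24 and the blocklist are constructed for the demonstration and are assumptions, not data from the asker's capture.

```python
import ipaddress
import struct

QTYPES = {1: "A", 12: "PTR", 28: "AAAA"}


def build_query(qname, qtype, txid=0x1234):
    """Encode a minimal DNS query (header plus one question) in RFC 1035 wire
    format. Used only to construct sample packets for this example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(payload):
    """Return (qname, qtype) from the first question of a DNS query payload,
    as Wireshark would show it. Raises ValueError on truncated or malformed input."""
    if len(payload) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        if off >= len(payload):
            raise ValueError("truncated name")
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if off + n > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[off:off + n].decode("ascii").lower())
        off += n
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return ".".join(labels), QTYPES.get(qtype, f"TYPE{qtype}")


def dns_sd_enumeration_names(local_ip, prefixlen):
    """Names a DNS-SD client queries for domain enumeration (RFC 6763 section 11):
    b/db/r/dr/lb._dns-sd._udp under the reverse-mapping name of the host's subnet.
    Also returns that subnet reverse name itself, since the question shows a bare
    PTR query for it as well."""
    net = ipaddress.ip_network(f"{local_ip}/{prefixlen}", strict=False)
    subnet_rev = net.network_address.reverse_pointer  # e.g. 0.0.168.192.in-addr.arpa
    names = {f"{p}._dns-sd._udp.{subnet_rev}" for p in ("b", "db", "r", "dr", "lb")}
    return names, subnet_rev


def classify(payload, local_ip, prefixlen, blocked):
    """Tag one plaintext query: DNS-SD enumeration, subnet reverse lookup,
    a name on the (assumed) blocklist escaping the encrypted resolver, or other."""
    qname, qtype = parse_query(payload)
    enum_names, subnet_rev = dns_sd_enumeration_names(local_ip, prefixlen)
    if qtype == "PTR" and qname in enum_names:
        verdict = "dns-sd domain enumeration"
    elif qtype == "PTR" and qname == subnet_rev:
        verdict = "reverse lookup of own subnet address"
    elif qname in blocked:
        verdict = "blocked name sent in plaintext on port 53"
    else:
        verdict = "other"
    return qname, qtype, verdict


if __name__ == "__main__":
    # Constructed sample payloads (assumed host 192.168.0.5/24, assumed blocklist).
    samples = [
        build_query("mask-api.icloud.com", 1),
        build_query("mask-api.icloud.com", 28),
        build_query("lb._dns-sd._udp.0.0.168.192.in-addr.arpa", 12),
        build_query("0.0.168.192.in-addr.arpa", 12),
    ]
    for pkt in samples:
        print(classify(pkt, "192.168.0.5", 24, {"mask-api.icloud.com"}))
```

To use it on a real capture, feed the UDP payload of each port-53 packet (for example exported from Wireshark or read with a pcap library) to classify with the machine's actual address and prefix length; anything tagged "other" or "blocked name sent in plaintext on port 53" is traffic that bypassed the encrypted resolver, while the DNS-SD tags identify the enumeration queries the question asks about.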