
Cname cloaking, a disguise of third-party trackers - nextdns
https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a
======
jefftk
The easiest way for site-owners to delegate control has been to include third-
party javascript. With new browser restrictions, we're starting to see
companies switching to loading JS via CNAMEd subdomains, because that's nearly
as easy. The next step is probably reverse proxies, though, where the third-
party JS comes from the same server that gives you the rest of the site's JS.

(Disclosure: I work in ads; speaking only for myself)

~~~
earthboundkid
Or we could make all of that illegal and have an ad ecosystem that works for
publishers and consumers as it does in every field except for the web (print,
broadcast, podcasts, billboards—all work without JS and are great for
consumers). Web is the one weirdo market with tracking. Make that illegal and
it will be good like all the other markets.

~~~
pas
The GDPR does that. It doesn't matter if you have the data in your own DB, you
can't utilize it for purposes you haven't secured informed consent for.

~~~
earthboundkid
GDPR is a good first step.

~~~
takeda
California's version, CCPA, should take effect starting January.

------
cheald
Use a Pihole + your adblocker of choice - defense in depth. It's easy to set
up, brainless to keep updated, and helps to protect all devices on your
network, not just the things that can run uBlock. I've got mine running in a
Docker container, which upstreams to a stubby container, which gets DNS-over-
TLS, so I get adblocking _and_ DNS query encryption out to Cloudflare for the
whole network, and it's really not all that hard to set up. (Edit: Here's the
bash script I used. docker-compose would probably be better, but whatever.
[https://gist.github.com/cheald/23da384908404b0757eadda74124a...](https://gist.github.com/cheald/23da384908404b0757eadda74124a602))

If you're unwilling to do that, just set your DNS servers to the Adguard
servers ([https://adguard.com/en/adguard-dns/overview.html](https://adguard.com/en/adguard-dns/overview.html)) and you
get most of the same benefit, though obviously without the control that the
Pihole offers you. On Android devices, you can go to Settings -> Wifi &
Internet -> Private DNS and set "Private DNS provider hostname" to
dns.adguard.com (or your own exposed Pihole server, if you're so inclined) and
get the same benefit when you're on LTE.

~~~
syshum
That will only work for so long, as more and more browsers are forcing DoH for
"privacy" on users, making them bypass traditional DNS in-favor of DNS over
HTTPS to a provider selected by the Browser removing user control

Mozilla for example is going to force everyone to use CloudFlare as a Resolver

~~~
snailmailman
You can change your DoH resolver, so you could setup a raspberry pi as a DoH
server theoretically, and still keep the benefits of a PiHole. Mozilla is
making CloudFlare the default but they aren't forcing it, you can use another
server.

~~~
freeone3000
You can change it on web browsers, for now, but not on IoT devices.

~~~
joombaga
I'm not aware of any IoT devices with non-configurable DoH.

~~~
judge2020
It's coming in the future, likely soon we'll see it in Google hardware since
they all auto-update.

------
zelly
I knew something like this would come up. I always wondered why ad/tracking
companies never proxied through the first-party domain (or in a more extreme
case, the first-party server itself) to skirt adblock.

Suppose you load example.com/article. Ad Agency serves ad/tracking assets from
example.com/article/Zqj7MOm.js. When you reload, it serves from
example.com/article/llc9h76.js. How do you block it? You can't. Getting this
to work in a pluggable fashion is an implementation detail (maybe some on-the-
fly statistical generation of URLs + passing nonces to and from Ad Agency as a
mitigation for spoofing by example.com). Another way to implement it is a
custom URL router that dynamically reverse proxies to Ad Agency on the
generated ad trojan horse URL. The only reason this hasn't happened yet is
because still very few people use adblock, esp. on mobile.

P.S. please don't do this.

~~~
brian-armstrong
As I understand it, ad companies and the people who sell their websites to ad
companies have some base level of distrust of one another, which has kept them
from integrating like this. Ad companies want to serve the code to be sure
that no click fraud is occurring, and people who run websites don't want to
completely hand over their domain. But it's easy to see them forging this
alliance if ad delivery depended on it.

~~~
pitay
This may be tremendously ignorant but...

What is to stop ad tech companies creating a cryptographically secured reverse
proxy device[1] that clients can install in their network between the web
server and requests from the internet?

The ad tech company only has to trust that their device is secure and the
company that sells their website doesn't have to give up control of their
domain or anything else.

They would have to isolate the ad tech device from the rest of the network and
only allow it to communicate to the web server inside the network and the ad
tech server outside their network. If something goes wrong with the device
then it is trivial for the web serving company to bypass it.

-------

As is mentioned in the grandparent comment, this allows anything to be done to
the content being served from the website and not only domains cannot be
trusted, individual URLS cannot either. Ad blockers will have to rely on
examining the content directly even more than they already do. This would make
it much less scalable for the ad blockers to deal with, they have to identify
ad content individually, by their signatures or page structure in the best
case, or examining arbitrary code behaviour in a worse case. Ad blockers may
then have to deal with identifying ad content which changes as fast or faster
than new ads appear, which is a lot worse than the relatively few(and
relatively static) domains, URLS, bits of HTML and Javascript that are there
now. Ad blockers may lose eventually due to incomputability, but who knows.

-------

[1] Using a TPM is one possibility

~~~
judge2020
This would have to be a reverse proxy on the AdTech's infrastructure itself to
make sure no rewriting is being done after-the-fact, as you can't trust your
AdTech customer (the person that owns example.com) to not run a reverse proxy
_in front of that_.

~~~
pitay
Thanks for making me realise the most obvious thing: that it doesn't stop
click fraud if it is on the AdTech customer's network, as they can connect to
the device and pretend to be any device on the internet.

------
gingerlime
Adguard is also starting to tackle this[0].

Found on [1]

(not affiliated with any of those in any way, I'm just a user of Adguard home)

[0] [https://adguard.com/en/blog/disguised-trackers.html](https://adguard.com/en/blog/disguised-trackers.html)
[1] [https://www.reddit.com/r/pfBlockerNG/comments/e0bsto/defence...](https://www.reddit.com/r/pfBlockerNG/comments/e0bsto/defence_against_cname_cloaking_pfblockerng_or/)

~~~
TheKIngofBelAir
Add this[1] host list for first-party trackers for those who don't want to use
these dns solutions or/and they use a Chromium based browser.

[1] [https://git.frogeye.fr/geoffrey/eulaurarien](https://git.frogeye.fr/geoffrey/eulaurarien)

With third-party trackers: [https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt](https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt)

First-party trackers only: [https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts....](https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt)

------
strenholme
The way to counter this is to know the IP a given CNAME resolves to, and to
block “rogue” (read: tracking) IPs.

As an open-source DNS implementer, I know this has already been done, since my
DNS server (MaraDNS’s Deadwood recursive resolver) has the ability to refuse
to resolve DNS names with bad IPs via ip_blacklist.

The reason I implemented this is to block NXDOMAIN redirects (when using an
ISP’s DNS server and mistyping a domain name, instead of getting “nothing
there”, it goes to an ad-filled “search” page provided by the ISP), but the
implementation scales and it should work for blocking a large number of rogue
CNAME redirects like this one.

I’m sure others have implemented something similar out there (I will let
someone who knows the pihole ad-blocking DNS server, not to mention NextDNS,
better than me tell us how they do this), and I’m sure Firefox, if they do not
do so already, will allow ad/privacy blockers to know the IP of a given name
to allow blocking at the browser level.

~~~
skunkpocalypse
> block “rogue” (read: tracking) IPs.

With IPv6 that's as impractical as blocking "rogue" FQDNs.

~~~
tambre
Why? Just block ranges.

~~~
strenholme
Exactly. If I were to update this code, for IPv4 blocking, I would allow it to
block /32 (single IP) and /24 networks. For IPv6 blocking, I would allow
blocking a single IPv6 address, a /64 range, and (for extreme offenders) a /48
range.

One way to do this is to have multiple hash tables: One for single IPv4
addresses, one for IPv4 /24 ranges, one for single IPv6 addresses, one for /64
IPv6 ranges, and one for /48 IPv6 ranges. Note that while the hashes have
(generally speaking) a “big O” of 1, we need to perform one additional
operation per range size. IPv4 /32 and /24 blocking requires two lookups, and
IPv6 /128, /64, and /48 blocking requires three lookups.
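
The multi-table scheme described above, written out as an added example in Python (this is not Deadwood's `ip_blacklist` code, and the supported prefix lengths are the ones the comment proposes, not a MaraDNS setting). Each supported prefix length gets its own hash set; a lookup masks the queried address to each prefix in turn and probes the matching set, so the cost is two probes for IPv4 and three for IPv6 regardless of how many entries are loaded. The sample blocklist and query answers are constructed from documentation ranges (RFC 5737 / RFC 3849), and `filter_answer` shows the resolver-side policy the comment describes: refuse to hand out an answer whose A/AAAA records land in a blocked range.

```python
import ipaddress

# Prefix lengths supported per address family, as the comment proposes
# (assumption for this example, not a Deadwood configuration value).
PREFIXES = {4: (32, 24), 6: (128, 64, 48)}


def _network_int(addr, prefix):
    """Integer form of `addr` with the host bits below `prefix` cleared."""
    host_bits = addr.max_prefixlen - prefix
    return (int(addr) >> host_bits) << host_bits


class IPBlocklist:
    """One hash set per (family, prefix length); a lookup costs one probe per supported prefix."""

    def __init__(self):
        self._tables = {(v, p): set() for v, ps in PREFIXES.items() for p in ps}

    def add(self, cidr):
        """Block a single address ("198.51.100.7") or a range ("203.0.113.0/24")."""
        net = ipaddress.ip_network(cidr, strict=False)
        key = (net.version, net.prefixlen)
        if key not in self._tables:
            raise ValueError(f"unsupported prefix /{net.prefixlen} for IPv{net.version}")
        self._tables[key].add(int(net.network_address))

    def match(self, address):
        """Return the blocking CIDR for `address`, or None if it is not blocked."""
        addr = ipaddress.ip_address(address)
        for prefix in PREFIXES[addr.version]:
            net_int = _network_int(addr, prefix)
            if net_int in self._tables[(addr.version, prefix)]:
                # Rebuild the matched network in the same address family for reporting.
                return f"{addr.__class__(net_int)}/{prefix}"
        return None


def filter_answer(blocklist, name, records):
    """Resolver policy: if any A/AAAA record for `name` is blocked, refuse the whole answer."""
    for rec in records:
        hit = blocklist.match(rec)
        if hit is not None:
            return {"name": name, "action": "refuse", "record": rec, "rule": hit}
    return {"name": name, "action": "answer", "record": None, "rule": None}


# Constructed sample data: documentation ranges only, no real tracker addresses.
SAMPLE_BLOCKLIST = ["198.51.100.7", "203.0.113.0/24", "2001:db8:1::/48", "2001:db8:2:3::/64"]


def demo():
    """Load the constructed blocklist and run a few constructed answers through the policy."""
    bl = IPBlocklist()
    for entry in SAMPLE_BLOCKLIST:
        bl.add(entry)
    queries = {
        "cdn.example.com": ["192.0.2.10"],                    # clean
        "trk.example.com": ["192.0.2.10", "203.0.113.44"],    # second record inside blocked /24
        "abc123.example.com": ["2001:db8:1:ff::1"],           # inside blocked /48
        "v6clean.example.com": ["2001:db8:2:4::1"],           # neighbouring /64, not blocked
    }
    return {name: filter_answer(bl, name, recs) for name, recs in queries.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result['action']:7} {result['rule'] or ''}")
```

Because every table is a plain hash set keyed by the masked integer, adding more entries never changes the lookup cost; only adding another supported prefix length does, by exactly one probe, which is the trade-off the comment points out.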

------
belorn
Online advertisements are constantly using the same exploits that malware
does, and can be seen as part of the progression ladder when walking from
being zero-day to universally patched.

A while back ago malware started to use a scheme similar to fast flux, but
rather than changing the IP address they used a chain of cnames to hide the
malware network. In order to combat this researchers developed detection tools
to find algorithmic generated domain names and flag them as suspicious at the
resolver layer. I would expect to see the same mitigation method to travel
into ad-blocking.

------
matheusmoreira
uBlock Origin issues:

[https://github.com/uBlockOrigin/uBlock-issues/issues/780](https://github.com/uBlockOrigin/uBlock-issues/issues/780)

[https://github.com/NanoAdblocker/NanoCore/issues/296](https://github.com/NanoAdblocker/NanoCore/issues/296)

~~~
jwilk
Discussed on HN 3 days ago:

[https://news.ycombinator.com/item?id=21582698](https://news.ycombinator.com/item?id=21582698)

------
kerpele
I can’t believe Ars Technica would do this. Do they not realize who their
audience is?

~~~
homero
That also means most of their audience blocks ads. What are they to do?

~~~
alkonaut
The answer I keep returning to: if shady ads is what keeps your business
running, stop running your business. Switch off the lights and the servers and
go home.

~~~
acdha
That’s too simplistic a take: they aren’t running shady ads and unlike many
sites they allow you to subscribe and not see ads at all. Unfortunately,
large chunks of the public — especially tech site visitors — have been
conditioned to think of content as free, and the adtech bubble hasn’t popped
yet so we can’t reverse that trend.

~~~
alkonaut
What people are willing to pay for content _is_ I think almost zero.

If we get rid of these privacy invading ads and micropayments/subscriptions
don’t take off in a big way (I don’t think they will) then one or two things
must happen

1) advertising money remains even though ads are dumber (less narrowly
targeted, more fraud etc)

2) there is a lot less money to go around so there must simply be less
content.

I think the answer is somewhere in between. I don’t think it’s a pessimistic
view that maybe 75% of sites not only risk disappearing but perhaps should.
The abundance of “free” content is what makes people unwilling to pay for
quality.

~~~
acdha
I definitely think you’re right on the conclusion: a lot of content sites are
going to need to dramatically scale back their size or simply fold. It feels a
lot like when VCs pile money into an area and it takes longer for viable
business models to win out, only with a much longer run time since the
advertising market is so much larger.

------
kkm
In particular case of liberation.fr, anyone who has access to the value of
‘djazsession’ cookie can log in to the users’ account. This is one of the
cookies being sent to Eulerian.

Here is a demo video:

[https://twitter.com/konarkmodi/status/1198412297842184192?s=...](https://twitter.com/konarkmodi/status/1198412297842184192?s=21)

------
going_to_800
I worked in ad space 7 years ago. Companies that provide content need to get
paid for the content one way or another, either paying a fee or ads, nobody
can argue with this.

There needs to be an organization that imposes ad guidelines(like only
specific formats, not being intrusive, etc) for both websites and ad
companies. They should verify the ads/websites based on user reports and if
they find something, to kick the company out.

All companies that follow those guidelines should be whitelisted by ad
blockers, probably something implemented at browser level.

Otherwise it's just a useless chase.

~~~
tsimionescu
There are other alternatives. Alternative monetization schemes, such as those
offered by Patreon or Twitch or Kickstarter can be found.

Also, ads can be placed the same way they were in newspapers - the ad company
would submit ads to the content creator, who would manually choose which ads to
include, and where.

~~~
going_to_800
It's not that easy as you may think. Also, small companies won't benefit from
that, nobody will submit an ad to websites with lower traffic. Besides this,
there's the issue with the tracking server and so on.

~~~
tsimionescu
I didn't say it was easy. But perhaps it is important enough that it should
even be regulated.

------
9dl
Sooooo

I suppose we are going back to the roots

White lists in hosts file with ips and good sites

~~~
progval
You can also use uMatrix or NoScript to disable all JS/XHR (or even CSS and
images) from third-party domains by default; and whitelist those you need.

~~~
9dl
Hmm

How can I block cookies with uMatrix for subdomains like *.domain.com for any
site?

PS: I assume that's just a temporary solution. Because the next step is just hosting
some js from "analytics" on the main domain and/or solutions like cloudflare for
e-commerce / google news / etc.

And for filtering that bs we need deep filtering and api inside JS VM

------
IAM2019
The article explains that trackers traditionally loaded some external JS which
then phoned home and tracked users via third-party cookies.

I would like to point out that it has never been the case for Google Analytics
and possibly other trackers. The developers of a website are supposed to
copy/paste the Google Analytics snippet directly into their own JS, such that
GA has access to first-party cookies. And then GA phones home some tracking
data leveraged by this first-party cookie.

Blocking third-party cookies never blocked this kind of tracking. You needed
to block the domains that the script requested via AJAX. But it is indeed made
difficult with CNAME Cloaking, because the domains requested are subdomains of
the current domain, and can be changed regularly as explained by the article.

There is no end-game solution against tracking. It will all come down to
tracking companies ordering websites to install some library directly in their
back-end and pass it user data as well as behavioral data captured from some
other library installed in the front-end. Tracking data will pass through
applicative pipes and it will be impossible to block reliably.

~~~
nugget
How does the centralized ad server track the user as they move from site A to
site B, since no cross-domain cookies can be used? Without resorting to
fingerprinting which could be circumvented by the client. Absent behavioral
profiles and persistent tracking, most ad formats are worth very little. Isn’t
limiting all communication to the first party domain a form of sandboxing?

------
air7
> It also only takes 2 minutes to change dg3fkn.website.com to
> 3j4vdl.website.com (Hell, you can probably automate this). We mentioned
> above how much work it takes to gather all subdomains being used as a front
> for CNAME Cloaking. Now imagine they change every week, every day, or every
> hour. It’s just impossible to keep track.

That's fear mongering. The ad company can't pester their clients to make
changes to the DNS on a regular basis. I'd say that anything beyond initial
setup would be unaccepted to most clients. And clients won't give control of
their DNS to ad company, so automation is also not really possible.

Also, because this setup is substantially more friction than a simple 3rd
party tracking "just copy-paste this code", I'd guess it will only be used by
high profile clients.

This all means that while annoying, it shouldn't be too hard to find and add
these subdomains to the ever-updating ad url blacklists.

~~~
depr
>The ad company can't pester their clients to make changes to the DNS on a
regular basis.

Many DNS providers have APIs.

>And clients won't give control of their DNS to ad company, so automation is
also not really possible.

Sure they will. Or they'll use another party that does it. They already add JS
from the ad provider that does god knows what to all their pages, and give
full control over their content to Cloudflare. So why wouldn't they give an ad
provider API access to their DNS?

------
yegle
Pihole has an "audit" feature that can be used here: [https://pi-hole.net/2017/12/06/pi-hole-v3-2-introduces-long-...](https://pi-hole.net/2017/12/06/pi-hole-v3-2-introduces-long-term-statistics-an-audit-log-colours-and-more/)

------
air7
Something is missing here: HTTPS links and SSL. Either website.com hands over
its certificate to dnsdelegation.io (which is unlikely and definitely not a 2
min trust-less process) or dnsdelegation.io has the ability to generate any
certificate like a certificate authority which is really terrible (and also
unlikely).

~~~
hiciu
DV certificate (cheapest, most common one) does require only proof of control
over the domain.

So dnsdelegation.io can just request certificate for the domain you've
delegated via cname from any CA.

------
poitrus
More info on NextDNS solution to this problem here:
[https://medium.com/nextdns/nextdns-added-cname-uncloaking-su...](https://medium.com/nextdns/nextdns-added-cname-uncloaking-support-becomes-the-first-cross-platform-solution-to-the-problem-e3f437f84342)

------
finchisko
I don't get one thing. Isn't CNAME also bad for "them"? I mean with CNAME,
they can serve ads, cookies ... from a site subdomain, bypassing blockers. But
how will they track users on different sites, like a user visiting website1 and
then website2? Since their tracking cookies are now part of website1, they
won't be sent to website2.

I mean is there any replacement for them, not using cookies? Because cookies
seem to be the only global storage for user identification data. Since the
tracking script was hosted on their domains (and included into websites with a
script tag), cookies were shared across all sites that included that tracking
script. IMO when they switch to the CNAME trick, they will lose this capability.

~~~
poitrus
With fingerprinting.

------
fwxwi
What's the difference between this and what Instart Logic has been doing for
years now? [https://github.com/gorhill/uBO-Extra#purpose](https://github.com/gorhill/uBO-Extra#purpose)

~~~
hk__2
Wow it goes even further: [https://github.com/gorhill/uBO-Extra/wiki/Sites-on-which-uBO...](https://github.com/gorhill/uBO-Extra/wiki/Sites-on-which-uBO-Extra-is-useful)

> Instart Logic will detect when the developer console opens, and cleanup
> everything then to hide what it does. I had to trick IL's script into
> thinking the dev console was not open to take the pic above.

~~~
mmastrac
How does it do this?

~~~
Macha
Page resize events in one dimension by the size range commonly used by
devtools, and measuring the reduction in JS perf, are two ways that come to mind.

------
buboard
Shouldn't neglect to discuss the proposed Signed HTTP Exchanges by google who
will make this kind of thing far worse. Not just for the tracking
implications, but how easy it will become for some countries to outright fake
the news.

------
stefan_
So block content, as always? That's not possible for NextDNS, which I guess is
their concern, but then DNS blocking was always going to be a very very blunt
instrument.

~~~
iforgotpassword
At home I'm using it in addition to ad blocking in the browser, for apps and
other things that might slip through.

Currently it's just dnsmasq with a huge blacklist, and I guess it doesn't
support checking the whole CNAME chain against that list, which would be
really cool.

~~~
muppetman
It doesn't need to have every cname in it. The cname resolves to the actual
"bad" domain, which should be in your list already. That's why DNS blocking
can still combat this method easily, while it's much harder at the browser
level. uBlock Origin for Firefox beta has a "run all non-local domains back
through and check for cname redirection" feature, which can also block the
cname trick, but it will increase DNS latency because it has to check each
external domain again for the "true" domain.

~~~
gorhill
> [uBO] will increase DNS latency because it has to check each external domain
> again for the "true" domain.

The browser API used by uBO returns the last CNAME in the chain. I consider
the DNS lookup itself to be a non-issue overhead-wise in uBO because:

- The browser would need to do it anyways

- DNS lookup results are cached at both the browser and uBO level
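
The check that iforgotpassword wishes dnsmasq had, that muppetman describes ("the cname resolves to the actual bad domain, which should be in your list already") and that gorhill says uBO performs on the last CNAME in the chain, written out as an added example in Python. This is not the code of dnsmasq, Pi-hole, NextDNS or uBlock Origin. A static record table stands in for real DNS answers; all names in it are constructed under reserved documentation domains, and the tracker names are invented. The checker follows the CNAME chain from the queried name to its final canonical name, bounds the walk so a looping or over-long chain fails closed, and tests every hop (not only the last one) against a suffix-matching domain blocklist, so a first-party-looking subdomain that aliases a listed tracker is refused even though the subdomain itself is on no list.

```python
# Constructed zone data: owner name -> (rtype, value). Trailing dots mark fully
# qualified names. Nothing here is a real tracker; ".example" is a reserved TLD.
RECORDS = {
    "www.example.com.": ("A", "192.0.2.10"),
    "static.example.com.": ("CNAME", "cdn.example.net."),
    "cdn.example.net.": ("A", "192.0.2.20"),
    # The cloaked case: a random-looking first-party subdomain aliasing a tracker.
    "f7ab2.example.com.": ("CNAME", "example-com.tracker-cdn.example."),
    "example-com.tracker-cdn.example.": ("CNAME", "edge.tracker.example."),
    "edge.tracker.example.": ("A", "203.0.113.5"),
    # A malformed chain, to show the walk fails closed instead of spinning.
    "loop-a.example.com.": ("CNAME", "loop-b.example.com."),
    "loop-b.example.com.": ("CNAME", "loop-a.example.com."),
}

# Constructed blocklist: an entry matches the name itself and every subdomain of it.
BLOCKLIST = {"tracker.example."}

# Upper bound on CNAME hops before the resolver gives up (assumption for this example).
MAX_CHAIN = 8


def _normalize(name):
    """Lower-case and fully qualify a name so comparisons are exact."""
    return name.lower().rstrip(".") + "."


def is_listed(name, blocklist):
    """True if `name` equals a blocklist entry or is a subdomain of one."""
    name = _normalize(name)
    return any(name == b or name.endswith("." + b) for b in map(_normalize, blocklist))


def follow_cname_chain(name, records, max_chain=MAX_CHAIN):
    """Return every name visited from `name` to its final canonical name, in order.

    Raises ValueError on a loop or a chain longer than `max_chain`, so callers
    can SERVFAIL rather than answer from a broken chain.
    """
    chain = [_normalize(name)]
    while True:
        rtype, value = records.get(chain[-1], (None, None))
        if rtype != "CNAME":
            return chain
        nxt = _normalize(value)
        if nxt in chain or len(chain) >= max_chain:
            raise ValueError(f"CNAME loop or chain too long at {chain[-1]}")
        chain.append(nxt)


def check_query(name, records=RECORDS, blocklist=BLOCKLIST):
    """Resolver-side decision for one query: answer, refuse, or servfail.

    The result reports the full chain and the hop that matched the blocklist,
    which is what an operator wants in the query log when diagnosing cloaking.
    """
    try:
        chain = follow_cname_chain(name, records)
    except ValueError as exc:
        return {"query": name, "action": "servfail", "chain": [], "matched": str(exc)}
    for hop in chain:
        if is_listed(hop, blocklist):
            return {"query": name, "action": "refuse", "chain": chain, "matched": hop}
    return {"query": name, "action": "answer", "chain": chain, "matched": None}


if __name__ == "__main__":
    for q in ("www.example.com", "static.example.com", "f7ab2.example.com", "loop-a.example.com"):
        r = check_query(q)
        print(f"{q:20} {r['action']:9} {' -> '.join(r['chain'])}  matched={r['matched']}")
```

Checking every hop rather than only the final name costs nothing extra once the chain has been walked, and it catches an intermediate alias that is itself listed even when the final CNAME target is not. As gorhill notes, the lookup itself is not the expensive part: a resolver already has to walk the chain to answer the query, so the blocklist probe per hop is the only added work.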

------
xyzal
Please correct me if I am wrong, but would not such a tracking be circumvented
by enabling first party isolation in the browser? As far as I know, Firefox
has such feature implemented: [https://www.ghacks.net/2017/11/22/how-to-enable-first-party-...](https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/)

~~~
vsto
I was also wondering about that. Sadly, it is still not enabled by default
in the latest Firefox release (version 70).

Furthermore, would the Firefox Multi-Account Containers
[https://addons.mozilla.org/en-US/firefox/addon/multi-account...](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/)
with a container per site prevent such tracking (has to be done manually ATM)?

------
beefield
I wonder if it would be possible to make a whitelist blocker instead of just
blacklist? I mean, if a certain domain is in the whitelisted list, you show
only responses from whitelisted subdomains. If not, you fall back to
blacklist.

By possible I do not mean technically possible, but feasible in the resources
required maintaining the list as well as good enough user experience.

------
air7
How does this work with SSL certification? The 3rd party server needs to be in
possession of a certificate for eir63gd.mywebsite.com

~~~
tatersolid
Let’s Encrypt makes this trivial and automatic if foobar.example.com has been
CNAMEed to the tracking provider.

------
TACIXAT
I have done something similar as an experiment. I wanted mixpanel analytics on
a site for element interaction. I proxied mixpanel through a URL endpoint
(maybe it was a subdomain). I had it not load analytics if DNT was set. It was
a fun hack but more work than it was worth for my low traffic site.

------
cx42net
I don't get it, why can't ad-blockers request a DNSBL managed by them to know
if that CNAME is authorized or not? Granted, it requires a bit more network
requests, but it completely breaks the CNAME cloaking method.

------
bigkm
What if there were restrictions on these with regards to ttl, it would put the
burden back on the trackers, they wouldn't be able to swap and change them as
quick and very quickly run out of options.

------
tinus_hn
Cute, but now they can’t use their cookies to track you around the web because
on every site their page has a different domain name. So this is actually an
improvement.

------
woadwarrior01
I don’t want to name any companies here, but CNAME cloaking is also commonly
used in ad-tech for conversion tracking pixel urls.

------
sneak
At what point does adblocking need to start taking IP address reputation
and/or originating AS number into account?

~~~
dredmorbius
Now.

Seriously.

------
greatgib
We can use that to add the domains to 'spam' lists as they host a lot of
ads/spy subdomain.

------
Havoc
I'm back on the Noscript train & just white-listing stuff on the sites I
frequent

------
aberforth123
Ok, so how do we kill the ad industry? This is ridiculous.

------
wnevets
At some point why shouldn't the (US) government step in?

~~~
hombre_fatal
Then we'll just get more pointless legislation that led to the cookie banner
and ads/trackers will be trivially cloaked/proxied to the point where any
publisher has full deniability.

We'll look back at the good old days when ads were mostly just banner ads.

Idea: Start paying for content and support the sites that offer this option.
The entire concept of adblocking lives on borrowed time: hoping your content
creators are making enough money off the suckers that don't use adblockers.

It's hard for me to envision legislation that wouldn't just be a clusterfuck
as the government encroaches further onto our internet.

------
1996
Abusing cname is an old trick.

You used to have domain.com and declare ns1.domain.com pointing to your host
so it would show domain.com instead of host.com

------
z3t4
There are many banks to choose from. Put your money elsewhere. Then explain to
the bank why you did.

~~~
ve55
Every bank I've used has had a pretty absurd amount of trackers that I've
blocked, often 5-10+ third party javascript domains. I don't know of any that
don't have any, but I'm sure some small ones exist somewhere.

There doesn't appear to be a huge market for services that do little/no
tracking, as users are all unaware of the tracking that services do to begin
with, so they would not even notice the difference.

~~~
amluto
Contact the regulators, perhaps? To me, allowing untrustworthy third-party
scripts on a bank website sounds like a huge security risk.

~~~
ve55
As a US citizen I don't see much that can be done. Although I don't trust the
third-party scripts, the bank obviously does, given they're all large
analytics platforms.

------
smitty1e
At some point, having a cloud instance accessed by VPN and proxying all
traffic through that could be good.

Until your proxy is hacked, I suppose.

Resistance is feudal.

