DNS-based Tracking Defies Your Browser Privacy Defenses

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Boffins based in Belgium have found that a DNS-based technique for bypassing defenses against online tracking has become increasingly common and represents a growing threat to both privacy and security.

In a research paper to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021), KU Leuven-affiliated researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem delve into the increasing adoption of CNAME-based tracking, which abuses DNS records to erase the distinction between first-party and third-party contexts. "This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site," the paper explains. "As such, defenses that block third-party cookies are rendered ineffective."
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,492
Looks like you're safe when using NextDNS or the latest version of UBlock Origin on Firefox.


 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
I wonder if this remark of Yuki2718 is still true?
About CNAME trackers: I really don't understand why they're so special to some people. Apparently they still believe subscribing to a dedicated anti-CNAME-tracker list is mandatory to block them if a DNS-level blocker is not deployed on another layer. The fact is EasyPrivacy alone, or the combination of AdGuard Tracking Protection and my list, blocks about 70% of CNAME trackers while DEFINITELY many other analytics and trackers have slipped through whatever your lists are, as long as you visit many sites. You prefer to double-lock a window and keep the door open? CNAME trackers are NOT at all harder to block, and filter authors know much more serious circumvention. Of note, Google provides Server-side Tagging as announced in early 2020. This utilizes A or AAAA records, which was very well expected at the time of the CNAME fuss. It's weird those who made a fuss about CNAME cloaking seem to be silent about this. All these remind me that many people keep NoCoin despite EasyPrivacy + uBlock filters - Resource abuse covering 99% of them, and that others keep Adblock Warning Removal with the completely wrong assumption that it has something to do with anti-adblock walls. Don't be fooled by misinformation on the Internet.
Quote from the adguard section on this page:
 

Jan Willy

Level 12
Verified
Top Poster
Well-known
Jul 5, 2019
552
One of the reasons that I am using NextDNS.
The NextDNS blocklist in question is partially integrated in the OISD filterlist. Quoted from oisd | included lists:
https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains
Removed 3 dead domains, and 4 false positives / other domains. Used: 14 domains.
Name: NextDNS CNAME Cloaking Blocklist
Description: A list of domains used by tracking companies as CNAME destination when disguising third-party trackers as first-party trackers.
 

ForgottenSeer 85179

Interesting technical post from Daniel Micay:
By the way, synthetic records implementing an equivalent to CNAME as A/AAAA records are a widespread performance optimization offered by many providers. So many resources going into trying to make enumerating badness work in a reactive way.
It's a nice optimization and it would be nice to have it available from more providers. It's sad that it will probably end up being a standard DNS provider feature because their customers will want it to bypass content filtering rather than because it speeds things up for users.
 

ForgottenSeer 85179

Another interesting post:
Once ad-blockers start blocking CNAME cloaking, website owners can simply provide a reverse proxy to third-party trackers. (e.g. Google Analytics Proxy using Nginx to bypass Adblock and other blockers)

This applies to the blocking of (third-party) domains in general.
Websites can use third parties on the server side to receive or send data. This cannot be blocked - unless you block the site to be visited yourself.
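The three mechanisms discussed in this thread (CNAME cloaking from the PETS paper, the NextDNS-style CNAME cloaking blocklist, and the synthetic A/AAAA records and server-side reverse proxies in the two quoted posts) differ in what a DNS-level check can actually observe. The following added example, which is not code from any of the quoted authors, NextDNS, OISD or the paper, walks a constructed resolver table for a fictitious site shop.example and classifies each first-party-looking hostname. The ZONE table, the blocklist contents, the tracker domains under the reserved .invalid TLD, and the IP addresses are all constructed; registrable_domain is a two-label simplification of a Public Suffix List lookup, and the IP-overlap heuristic is an assumption of this example rather than anything the thread describes.

```python
"""Classify how a first-party-looking hostname reaches a tracker and show
which technique a CNAME-cloaking blocklist can see. All data is constructed."""
from __future__ import annotations

# Constructed resolver table (name -> list of (rrtype, value)); not real DNS.
ZONE = {
    "shop.example": [("A", "198.51.100.10")],
    # 1. CNAME cloaking: a first-party subdomain that is an alias for a tracker
    "metrics.shop.example": [("CNAME", "shop-example.tracker-cdn.invalid")],
    "shop-example.tracker-cdn.invalid": [("CNAME", "edge.tracker.invalid")],
    "edge.tracker.invalid": [("A", "203.0.113.5")],
    # 2. "synthetic" A record: same tracker IP, but no CNAME to inspect
    "stats.shop.example": [("A", "203.0.113.5")],
    # 3. reverse proxy on the site's own server, relaying to the tracker
    "ga.shop.example": [("A", "198.51.100.10")],
    # malformed data a resolver must survive
    "loop.shop.example": [("CNAME", "loop2.shop.example")],
    "loop2.shop.example": [("CNAME", "loop.shop.example")],
}

# Constructed blocklist in the plain one-domain-per-line format of the NextDNS
# cname-cloaking-blocklist ('#' starts a comment). These names are invented.
BLOCKLIST_TEXT = """# constructed sample, not the real list
tracker-cdn.invalid
tracker.invalid   # trailing comment
"""


def norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def parse_blocklist(text: str) -> set[str]:
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            domains.add(norm(entry))
    return domains


def registrable_domain(name: str) -> str:
    # Simplification for the example: last two labels. A real implementation
    # must use the Public Suffix List (e.g. 'co.uk' needs three labels).
    return ".".join(norm(name).split(".")[-2:])


def resolve(name: str, zone: dict, max_hops: int = 8) -> tuple[list[str], list[str]]:
    """Follow CNAMEs; return (CNAME targets in order, final A records)."""
    current = norm(name)
    seen = {current}
    chain: list[str] = []
    for _ in range(max_hops):
        rrs = zone.get(current, [])
        targets = [norm(v) for t, v in rrs if t == "CNAME"]
        if not targets:
            return chain, [v for t, v in rrs if t == "A"]
        current = targets[0]
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        chain.append(current)
    raise ValueError(f"CNAME chain longer than {max_hops} hops")


def known_tracker_ips(zone: dict, blocklist: set[str]) -> set[str]:
    """IPs of every zone name whose registrable domain is blocklisted (heuristic)."""
    return {v for name, rrs in zone.items()
            if registrable_domain(name) in blocklist
            for t, v in rrs if t == "A"}


def classify(site: str, host: str, zone: dict, blocklist: set[str]) -> dict:
    chain, addrs = resolve(host, zone)
    site_rd = registrable_domain(site)
    cross_site = [n for n in chain if registrable_domain(n) != site_rd]
    matched = [n for n in cross_site if registrable_domain(n) in blocklist]
    ip_overlap = sorted(set(addrs) & known_tracker_ips(zone, blocklist))
    if matched:
        verdict = "cname-cloaked, blocklisted"
    elif cross_site:
        verdict = "cname-cloaked, not in blocklist"
    elif ip_overlap:
        verdict = "direct A record to a known tracker IP (no CNAME to match)"
    else:
        verdict = "no DNS evidence (e.g. server-side relay); needs other controls"
    return {"chain": chain, "addresses": addrs, "matched": matched,
            "ip_overlap": ip_overlap, "verdict": verdict}


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_TEXT)
    for host in ("metrics.shop.example", "stats.shop.example", "ga.shop.example"):
        print(host, classify("shop.example", host, ZONE, bl))
```

Only metrics.shop.example is caught by the blocklist itself; stats.shop.example is visible only through the IP-overlap heuristic, which a shared CDN address would turn into a false positive; and ga.shop.example looks exactly like any other first-party host, which is the point the quoted post makes about server-side relaying.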
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,763
Another interesting post:


This applies to the blocking of (third-party) domains in general.
Websites can use third parties on the server side to receive or send data. This cannot be blocked - unless you block the site to be visited yourself.
Reinforcing my belief that the Internet is a public place. Definitely not private, it just has some quiet back alleys.
 
