DnsAdBlock

CNAME cloaking or how are we being tracked even with ad-blockers installed

Romeo Mihalcea ・2 min read

For many years we have relied on regular ad blockers to clear our screens of ads, trackers and other junk, but websites have a way to bypass our efforts, and it works very well.

Regular ad blockers intercept your browser's requests and check each one against their rules. The flaw in this technique is that the extension only sees the first party (the requested URL) and cannot monitor what takes place after a request fails to match any of its rules, at the DNS level for example.

In this post I'm going to explain how a tracking domain can be masked (cloaked) behind some DNS trickery, bypassing browser-based ad blockers. It takes only a few minutes to buy a new domain and set up a CNAME alias, so this masking technique is very easy.

A CNAME is a DNS record that points one domain to another: an alias. You can think of it as a permanent redirect, but executed at the DNS level. Many tools rely on CNAMEs to serve content, and I'm going to pick Netlify as an example here. Our blog is hosted on Netlify. Each deployed website is assigned a unique subdomain in the form of unique-subdomain.netlify.com. In our case it is festive-nobel-876c06.netlify.com, and you can try it in your browser to see that it works.

If you want to use your own domain (of course you do) for this address (blog.dnsadblock.com), you need to point it to festive-nobel-876c06.netlify.com using a CNAME.

Presuming that festive-nobel-876c06.netlify.com is serving some tracking scripts and is being blocked by ad-blocking extensions, I can simply alias a new domain to it and import the script through that alias:

<script src="https://blog.dnsadblock.com/itrackyou.js"></script>

Since festive-nobel-876c06.netlify.com appears only after the request has been allowed (when the DNS name is resolved), it passes without issues:

$: dig blog.dnsadblock.com

;; ANSWER SECTION:
blog.dnsadblock.com.    103 IN  CNAME   festive-nobel-876c06.netlify.com.
festive-nobel-876c06.netlify.com. 20 IN A   157.230.120.63

So how can we combat these techniques? Are ad-blockers dead? Not really. I know they are trying hard to kill or limit ad-blockers, but they are still effective. The solution is to combine multiple tools. Our ad-blocking DNS servers monitor and test rules against CNAME aliases as well, so this technique won't fly.
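
The chain check described above, as an added example (not dnsadblock's actual code): it walks the alias chain from the dig output and tests every name against a blocklist, next to the hostname-only check a browser extension performs. The record table, the blocklist entry, the loop-*.example names and all function names are constructed for illustration.

```python
# Constructed zone data mirroring the dig output in the post (name -> CNAME target).
CNAME_RECORDS = {
    "blog.dnsadblock.com": "festive-nobel-876c06.netlify.com",
    "loop-a.example": "loop-b.example",   # constructed: alias loop
    "loop-b.example": "loop-a.example",
}
# Assumption: the filter list blocks the tracking host, as the post presumes.
BLOCKLIST = {"festive-nobel-876c06.netlify.com"}
MAX_CHAIN = 8  # maximum number of names accepted in one alias chain


def normalize(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.strip().rstrip(".").lower()


def is_listed(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the blocklist."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def cname_chain(name, records=CNAME_RECORDS):
    """Return the queried name followed by every alias target, in order."""
    chain, current = [normalize(name)], normalize(name)
    while current in records and len(chain) <= MAX_CHAIN:
        current = normalize(records[current])
        chain.append(current)
        if chain.count(current) > 1:  # alias loop: stop following
            break
    return chain


def browser_style_verdict(name):
    """Verdict of a filter that only knows the requested hostname."""
    return "block" if is_listed(name) else "allow"


def dns_level_verdict(name):
    """Block if any name in the chain is listed, or the chain loops or is too long."""
    chain = cname_chain(name)
    looped = len(chain) != len(set(chain))
    if looped or len(chain) > MAX_CHAIN or any(is_listed(n) for n in chain):
        return "block"
    return "allow"
```

For blog.dnsadblock.com the hostname-only check allows the request, while the chain check blocks it because the second name in the chain is listed.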

If you are curious to see just how much tracking takes place on a regular machine, have a look at this screenshot. This is my computer and I'm using dnsadblock only on it. This screenshot only reflects my activity, and you can also see periods of inactivity when I'm testing other DNS servers, so the numbers could be higher.

[Screenshot: dnsadblock blocked requests]
