Web trackers Increasingly Switching to Invasive CNAME Cloaking Technique

Online advertising technology companies are embracing new techniques to fool web browsers into treating the cookies they serve as first-party rather than third-party, circumventing the protections offered by browsers that are steadily clamping down on third-party tracking and posing a threat to web security and privacy.

Dubbed ‘CNAME Cloaking’, the technique represents a twist in the ongoing conflict between online advertising and analytics firms on one side and browser vendors and ad-blocking software makers on the other.

A CNAME record in the Domain Name System (DNS) maps one domain name (an alias) to another (the canonical name); a resolver that looks up the alias follows the record to the canonical name and returns that name's address. The record is commonly used to point several hostnames, such as a site's www and ftp names, at a single host, so that only one address record has to change when that host moves.

“This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including website,” the researchers said in the paper. “As such, defenses that block third-party cookies are rendered ineffective.”

Advertising firms are asking their clients to delegate a subdomain for tracking and data collection and to link it to an external server using a CNAME DNS record.

Because the delegated subdomain sits under the site's own domain, the browser treats the tracker's host as same-site: cookies set in its responses are first-party cookies as far as the browser is concerned, even though the responses actually come from the ad tech company's server.

In this way, CNAME Cloaking disguises a third-party tracker's cookies as first-party cookies.

Cross-domain tracking

Online marketing and web analytics firms including Eulerian, AT Internet (formerly XTi), Keyade, Adobe Marketing Cloud (formerly Omniture), Criteo, and Commanders Act, are actively using CNAME Cloaking, in at least some cases quite openly.

For example, Adobe has an explainer on “Data Collection CNAMEs and Cross-Domain Tracking”. Eulerian also has its own spin on delegated data collection.

The approach has become fashionable since browser makers such as Mozilla bundled tracking protection with their software that blocks third-party cookies and crypto-mining code by default.

The party of the first part…

In a technical blog post, Romain Cointepas, co-founder of NextDNS, offers an email from Criteo asking a website to make a quick change to “adapt to the evolution of browsers” as evidence of how the tracking technology is being promoted by ad tech firms.

According to Cointepas, sites disguising third-party trackers as first-party trackers using this method include foxnews.com, walmart.com, bbc.co.uk, go.com, webmd.com, and dozens of others.

Paul Vixie, a US computer scientist who played an integral role in developing DNS technology, responded on Twitter: “Will *anything* that can be abused *ever* not be?”

Cookies Leak Sensitive Information to Trackers

The researchers, in their study, found this technique to be used on 9.97% of the top 10,000 websites, in addition to uncovering 14 providers of such tracking “services” on 10,484 websites.

What’s more, the study cites a “targeted treatment of Safari, Apple’s web browser” wherein ad tech firm Criteo switched specifically to CNAME cloaking to bypass privacy protections in the browser.

Image credit: The Hacker News

Mitigating CNAME Cloaking

While Firefox doesn’t block CNAME cloaking out of the box, users can install an add-on like uBlock Origin to block trackers disguised as first-party hosts. Incidentally, Mozilla yesterday began rolling out Firefox 86 with Total Cookie Protection, which prevents cross-site tracking by “confin[ing] all cookies from each website in a separate cookie jar.”

On the other hand, Apple’s iOS 14 and macOS Big Sur come with additional safeguards that build upon Safari's Intelligent Tracking Prevention (ITP) feature to limit the impact of third-party CNAME cloaking, although the browser does not offer a means to unmask the tracker domain and block the request outright.

Ad blockers such as AdBlock, Adblock Plus, and uBlock Origin are blindsided by the CNAME Cloaking tactic because most browsers do not expose the DNS layer of web requests to extensions: an extension sees only the hostname the page requested, never the canonical name that hostname resolves to.

“When each website loads third-party trackers by calling something like a3ksbl.website.com, privacy-protection tools now have to figure out which subdomain is a front for CNAME Cloaking, for tens of thousands of websites,” Cointepas argues. “That’s a LOT of work.”

“Tools need to include as many rules as there are websites using this CNAME Cloaking method,” he adds.

Remediation is further complicated because “tools are already reaching the maximum number of rules allowed on each platform (50,000 for Safari, and 30,000 in the soon-to-be-released Google Chrome version with Manifest V3)”, according to Cointepas.

Despite these technical obstacles, uBlock Origin developer Raymond Hill released an update to the ad-blocking software that takes advantage of a Firefox DNS resolution API available to extensions in order to detect and block CNAME shenanigans.

“The next step is for me to pick a cogent way for filter list maintainers to be able to tell uBO to uncloak specific hostnames, as doing this by default for all hostnames is not a good idea.”
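The classifier below, written for this page as an added example (it is not uBlock Origin's, NextDNS's or any vendor's code), ties together the two halves of the article: the delegated-subdomain mechanism described in the CNAME paragraphs above, and the uncloaking step that Hill describes, where an extension resolves a same-site hostname to its canonical name before deciding whether it is really first-party. `website.com`, `tracker.example` and `cdn-provider.example` are hypothetical; the `ZONE` table is a constructed stand-in for DNS (`a3ksbl.website.com` is borrowed from Cointepas's quote), and the three-entry public-suffix table stands in for the real Public Suffix List. In a Firefox extension the `lookupCname` stub would be replaced by the extension DNS API, which I assume to be `browser.dns.resolve(host, ["canonical_name"])`.

```javascript
// Added example: uncloaking same-site requests by following the CNAME chain.
// ZONE, TRACKER_DOMAINS and PUBLIC_SUFFIXES are constructed test data.
const ZONE = {
  // The page's delegated tracking subdomain, chained through the vendor to its edge host.
  "a3ksbl.website.com": "website-com.collect.tracker.example",
  "website-com.collect.tracker.example": "edge.tracker.example",
  // A legitimate CDN delegation: also a CNAME to another site, but not a tracker.
  "static.website.com": "website-com.cdn-provider.example",
  // A hostile zone can also hand you a loop; the resolver must not spin on it.
  "loop.website.com": "loop2.website.com",
  "loop2.website.com": "loop.website.com",
};
const TRACKER_DOMAINS = new Set(["tracker.example"]); // what a filter list would flag
const PUBLIC_SUFFIXES = new Set(["com", "example", "co.uk"]); // stand-in for the PSL

function lookupCname(host) {
  // Stand-in for a DNS query: CNAME target, or undefined when there is no CNAME.
  // Assumed real-world replacement: browser.dns.resolve(host, ["canonical_name"]).
  return ZONE[host];
}

function registrableDomain(host) {
  // eTLD+1: the label immediately in front of the longest matching public suffix.
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

function resolveCanonical(host, maxDepth = 8) {
  // Follow the CNAME chain to its canonical name, refusing loops and over-long chains.
  let current = host.toLowerCase();
  const seen = new Set([current]);
  for (let hop = 0; hop < maxDepth; hop++) {
    const next = lookupCname(current);
    if (next === undefined) return current; // no CNAME: this is the canonical name
    if (seen.has(next)) throw new Error(`CNAME loop at ${next}`);
    seen.add(next);
    current = next;
  }
  throw new Error(`CNAME chain for ${host} exceeds ${maxDepth} hops`);
}

// uncloak(host) lets a filter list decide which hostnames are worth resolving,
// since uncloaking every same-site hostname by default is costly and noisy.
function classifyRequest(pageHost, requestHost, uncloak = () => true) {
  const site = registrableDomain(pageHost);
  const requestSite = registrableDomain(requestHost);

  if (requestSite !== site) {
    // An ordinary third-party request: the hostname alone is enough to judge it.
    return { verdict: "third-party", canonical: requestHost, block: TRACKER_DOMAINS.has(requestSite) };
  }
  if (!uncloak(requestHost)) {
    return { verdict: "first-party", canonical: requestHost, block: false };
  }
  let canonical;
  try {
    canonical = resolveCanonical(requestHost);
  } catch (err) {
    // Fail closed: a looping or runaway chain cannot be served anyway.
    return { verdict: "unresolvable", canonical: null, block: true, reason: err.message };
  }
  const canonicalSite = registrableDomain(canonical);
  if (canonicalSite === site) {
    return { verdict: "first-party", canonical, block: false };
  }
  // Same-site hostname, different canonical site: this is a CNAME-cloaked request.
  const isTracker = TRACKER_DOMAINS.has(canonicalSite);
  return { verdict: isTracker ? "cloaked-tracker" : "cloaked-third-party", canonical, block: isTracker };
}

// Walk a few constructed requests from a page on www.website.com.
for (const host of ["www.website.com", "a3ksbl.website.com", "static.website.com",
                    "edge.tracker.example", "loop.website.com"]) {
  const r = classifyRequest("www.website.com", host);
  console.log(`${host.padEnd(24)} -> ${r.verdict.padEnd(20)} canonical=${r.canonical} block=${r.block}`);
}
```

The `static.website.com` case is the reason a blocker cannot simply block every same-site hostname whose canonical name lands on another site: CDN delegations look identical at the DNS layer, so the decision has to combine uncloaking with a list of known tracker domains.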
