back to article AdGuard names 6,000+ web trackers that use CNAME chicanery: Feel free to feed them into your browser's filter

AdGuard on Thursday published a list of more than 6,000 CNAME-based trackers so they can be incorporated into content-blocking filters. CNAME tracking is a way to configure DNS records to erase the distinction between code and assets from a publisher's (first-party) domain and tracking scripts on that site that call a server …

  1. Throatwarbler Mangrove Silver badge
    Stop

    Oh well, that's all right then

    As long as it's just small, unknown vendors like *checks notes* Oracle and Adobe, we should be fine.

    1. IGotOut Silver badge

      Re: Oh well, that's all right then

      Adobe. The one's that also gave us the flash super cookies.

  2. Anonymous Coward
    Anonymous Coward

    someone correct me but

    If a webpage has a link to https://deviouscname.firstparty.tld and that is actually a CNAME for adserver.devious.tld, won't my system make 2 dns reqeusts: the first for deviouscname.firstparty.tld which returns adserver.devious.tld, and a 2nd that resolves adserver.devious.tld to 8.8.9.9, which will be blocked because of 1) devious.tld or 8.8.0.0/16?

    1. Dan 55 Silver badge

      Re: someone correct me but

      Your system will make two requests, but unless your browser is Firefox your adblocker won't know and it'll still look like deviouscname.firstparty.tld.

      1. Ben Tasker Silver badge

        Re: someone correct me but

        > Your system will make two requests

        Not it won't. The system makes on, the upstream recursor (Google, your ISP, Cloudflare, whoever you're using) is the one that will make multiple requests.

        1. Rich 2 Silver badge

          Re: someone correct me but

          So a more robust answer to this is to run your own DNS?

      2. Wayland Bronze badge

        Re: someone correct me but

        Perhaps I don't appreciate how difficult this is for a web browser but if I ping a CNAME address the real address gets shown. TCP/IP is designed to carry on as if a CNAME and A record are the same thing but this does not seem to be a secret.

        1. Ben Tasker Silver badge

          Re: someone correct me but

          > Perhaps I don't appreciate how difficult this is for a web browser but if I ping a CNAME address the real address gets shown.

          You mean if you have

          foo.bar IN CNAME adtech.foo

          adtech.foo IN A 1.2.3.4

          When you do ping foo.bar you'll get

          64 bytes from adtech.foo (1.2.3.4)

          ?

          That's reliant on there being a valid PTR record for 1.2.3.4 naming it adtech.foo. That's not a given, and checking the PTR for every IP you connect to gets quite expensive (but would sometimes yield results).

          1. Alan Brown Silver badge

            Re: someone correct me but

            " checking the PTR for every IP you connect to gets quite expensive"

            less expensive than a single http GET transaction

            1. Ben Tasker Silver badge

              Re: someone correct me but

              True, but it's still additional latency per-FQDN, and the benefit from it is fairly limited, as ad companies just won't bother adding reverse records for their IPs, where they even own their ads.

              A stonking number of ad/tracker services uses AWS/Azure/GCP too, so the PTR already won't yield much useful information in terms of identifying that it's a tracker service.

    2. Ben Tasker Silver badge

      Re: someone correct me but

      > won't my system make 2 dns reqeusts: the first for deviouscname.firstparty.tld which returns adserver.devious.tld, and a 2nd that resolves adserver.devious.tld to 8.8.9.9, which will be blocked because of 1) devious.tld or 8.8.0.0/16?

      Assuming you've an even semi-standard setup on your OS, no.

      - Your OS will send a query to your configured recursor (lets say google, 8.8.8.8) for deviouscname.firstparty.tld

      - Google will go and find the authoritatives for firstparty.tld and query deviouscname

      - The authoritatives will reply with CNAME adserver.devious.tld

      - Google will then go find the authoritatives for devious.tld and query adserver

      - Those authoritatives will return a response (lets say 1 A record)

      - Google will then reply to you with the two records

      - Your browser will connect out to the IP in the A record

      The response you get will be something like

      deviouscname.firstparty.tld IN CNAME adserver.devious.ltd

      adserver.devious.ltd IN A 8.8.9.9

      Only one DNS query ever leaves your system - for deviouscname.firstparty.tld - it's the recursor that follows the CNAME (hence recursor).

      Of course, you *might* be running a recursor on your own machine, which changes things, but most users aren't, or are but have configured forwarding, so the query still goes out to another recursor which does all the work (doesn't stop their local recursor inspecting the response and blocking, of course).

      > and a 2nd that resolves adserver.devious.tld to 8.8.9.9, which will be blocked because of 1) devious.tld or 8.8.0.0/16?

      As above no, but this is how the adblocker extensions that support CNAME blocking achieve this. They resolve deviouscname.firstparty.tld and inspect the response. When it sees the CNAME, it checks whether the target is in the block list.

      Even at the DNS blocking level, being able to inspect CNAME targets is relatively new.

      In Unbound it used to be that if you had

      local-data: "adserver.devious.ltd A 127.0.0.1"

      Then you'd get inconsistent looking behaviour depending on whether you were directly querying that name, or it was a CNAME target (

      curl http://adserver.devious.ltd # Connects to loopback

      curl http://cnamedtoadserver.foo.ltd # Resolves correctly and connects to adserver

      Pihole itself also only relatively recently got the ability to block CNAME targets.

      1. Anonymous Coward
        Anonymous Coward

        Re: someone correct me but

        Thanks, all.

        I already run my own internal, redundant, hidden-master, dns infrastructure, so I will probably just continue to add domains to my internal authority list...

  3. Luke Worm
    Happy

    Use NextDNS

  4. Anonymous Coward
    Anonymous Coward

    PI Hole

    Seriously, the solution to this isn't a browser plugin, it's to control your DNS. It is also going to protect you from other horrors. And if you blackhole the DNS requests it will also wipe out some of the hit tracking data your ISP has been selling them thanks to Idjit Pai. Filtering DNS servers are the new firewall.

    And don't worry about "what will they think of next", they have already moved on to A records instead of CNAMES (which you can also block by IP btw).

    1. A.P. Veening Silver badge

      Re: PI Hole

      I recommend adding Unbound to your PiHole so you don't use your ISP's DNS.

      1. big_D Silver badge

        Re: PI Hole

        I never used my IPS's DNS. The first thing I did was use a trusted DNSSEC provider using DNS over TLS.

      2. tip pc Silver badge

        Re: PI Hole

        I'm resolving pinhole through a dns over https docker image.

        DNS over tcp/udp 53 is blocked from my home for all.

        1. big_D Silver badge

          Re: PI Hole

          I'm using PiHole DNS over TLS with DNSSEC and all other devices blocked from using DNS, DNS over TLS and blocking common DNS over HTTPS destinations.

  5. JDPower Bronze badge

    Is this where I get to be smug about using Adguard DNS on all my devices?

    (Don't go ruining my false sense of security with logic you lot lol)

  6. Anonymous Coward
    Anonymous Coward

    JavaScript

    I disable JavaScript from running on IOS Safari and I hardly ever see any ads unless it is a static image.

    And if a webpage refuses to load without JavaScript I simply move on.

    I know enough about the adtech industry to treat script-based ads as exploits just waiting to happen.

    1. vtcodger Silver badge

      Re: JavaScript

      And if a webpage refuses to load without JavaScript I simply move on.

      Well, yeah. But how many sites actually work without Javascript nowadays? Ironically, Google search seems to be one of the few things that still runs in old fast browsers like links or dillo. It gives you links (sort of -- it actually hijacks them so it can file away information on what you clicked on). But they rarely work well. Blocking JS would seem to seriously decrease the utility of the internet for most users.

      1. tiggity Silver badge

        Re: JavaScript

        It does decrease usability, but I am ok with that.

    2. Alan Brown Silver badge

      Re: JavaScript

      What amazes me is that it's apparently NOT a GDPR breach to have foo.tech cause your browser to run privacy-busting javascript from facebook.net and google.com

      So Sayeth the ICO

  7. Charles Smith

    Raspberry Pi anyone?

    Checking my PiHole lists.

  8. PTW
    Mushroom

    Other lists are available

    I've been using this 1st party list [on|in] my PiHole https://hostfiles.frogeye.fr/

  9. big_D Silver badge

    50,000?

    Heck, I already block more than 2.5 million sites at home, with my PiHole.

    Those are known tracking sites, malware sites, pr0n and "all of Facebook" (well over 2,500 domains on its own).

  10. Unbelievable!
    WTF?

    Go to extreme lengths to protect privacy, surely some law should step in?

    the lengths that folks have to go to to just protect themselves from 3rd parties is insane. Wheres the law enforcers? What is required to get them to act?

    1. ThatOne Silver badge

      Re: Go to extreme lengths to protect privacy, surely some law should step in?

      > What is required to get them to act?

      Pay more than the ad-slingers?

    2. Stoneshop Silver badge
      Holmes

      Wheres [sic] the law enforcers?

      Yours, or those of the jurisdiction the adslingers are in?

  11. Martin-R

    PiHole is great but

    I've now got so used to it that I almost forget it's there. So it took me a while to clock why scripts I was testing this morning for a product review weren't working :-( (and yes that will get the product marked down)

    1. A.P. Veening Silver badge

      Re: PiHole is great but

      Make sure you document the reason for the mark down well.

    2. TimMaher Silver badge
      Pint

      Re: PiHole is great but

      Absolutely. Especially when you are away from home and your phone gets trashed with crud when you are just trying to look something up.

      1. Ribfeast

        Re: PiHole is great but

        Yeah I have a VPN link on my phone to home, so I can block ads using my home PiHole server while out and about.

  12. jvf

    Show me something different

    Ad-slingers are idiots. If I’m going to be “served” ads, I don’t want to see different versions of the same crap over and over. I want to see something new each time. Sheesh!

  13. sreynolds

    CNAME, why is this still a thing?

    Doesn't think come from the bad old days where you accepted plaint text email on port 25 and assumed that sender would never lie about their address? Is there really a use for them given that you can update A and AAAA records automagially? And while I am whining why not take the axe to the PTR records. Nobody cares what IP they connect to, as machines and address no longer have any real meaning due to network mangling and manipulation.

    1. sreynolds

      Re: CNAME, why is this still a thing?

      Really disappointing that nobody took the bait. Where are the CNAME apologists that say I NEED to call something by something else in my domains, usually to some other thirdparty over which I have no control. And nobody going to say that if I cannot do a reverse look up on the SSH server I connected to I wont really know who it is, because since v2 of the protocol, I still don't trust the key it presents me?

  14. HippyChippy

    A novice writes...

    So as a novice Firefox with uBlockOrigin user I wondered if I could add a CNAME filter list, clicked on the article links, and came across this dublious looking address on a place called GitHub. +++https://bananamovies.net/gangbang-stars-vol-3/ (nsfw) - popup+++ .

    Blimey! I won't be clicking on that thanks, but is this the same scary place I should be looking for a legit' filter list please?

    Does uBlock work automatically or do I need to add a CNAME filter myself?

    Many thanks.

  15. JavaJester

    If you run a website, don't use a CNAME for an advertiser

    This is a security shit show waiting to happen. If your CNAMEd advertiser has the same FQDN as your website, it is treated as a trusted part of the web site. Think a minute and let the full implications of that sink in. Its scripts can change the JavaScript runtime by binding to events or changing the prototypes of key objects. It can manipulate any data, exfiltrate any data (remember, same FQDN so those requests automatically get allowed). Intercept any browser tokens and masquerade as any logged in user. The attacks would be indistinguishable because they could be launched from the same browser the victim user is using.

    Even if you fully trust your advertiser, still do not do this. If your advertiser gets compromised, the miscreants potentially own every website that has aliased their CDN records to them. This completely breaks and renders useless all browser defenses against cross site abuse of JavaScript and http requests.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021