back to article What's CNAME of your game? This DNS-based tracking defies your browser privacy defenses

Boffins based in Belgium have found that a DNS-based technique for bypassing defenses against online tracking has become increasingly common and represents a growing threat to both privacy and security. In a research paper to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021), KU Leuven- …

  1. Potemkine! Silver badge

    Name and shame

    What companies are doing this?

    PS: FF rulz!

    1. Graham Cobb Silver badge

      Re: Name and shame

      Technical steps to counter this are very welcome, of course, but we need national regulators to hit all the (adtech) companies providing this and all the (website owner) companies using this with massive fines.

      In particular, setting up such a CNAME within your domain would be immediate evidence of your intent to bypass user decisions on control of cookies and should be all the evidence needed for a large fine.

      In fact, even before regulators move on this, it would be good if a campaign group announced that if any of the top 10,000 websites are found to still be using this technique in 30 days time, they will be named and shamed, with maximum possible publicity in major newspapers in the countries in which they operate.

      Use only legitimate cookies and honour user privacy settings or be named and shamed.

      1. Microchip

        Re: Name and shame

        CNAMEs have legitimate uses too - e.g. shop.domain.com pointing at a hosted shopping system, who's underlying DNS may change on their backend. Just having a CNAME isn't necessarily evidence that you're doing anything untoward.

        CNAMEs that point to tracking domains, on the other hand, should indeed be nuked from orbit. I suspect the answer is in-browser resolving/checking and then referencing a blocklist, to avoid throwing babies out with the bathwater.

        1. Graham Cobb Silver badge

          Re: Name and shame

          Of course. However, setting up a CNAME which is used for tracking should be all the evidence the authorities need to hit with a 10% of turnover fine.

        2. Ben Tasker

          Re: Name and shame

          > I suspect the answer is in-browser resolving/checking and then referencing a blocklist, to avoid throwing babies out with the bathwater.

          AIUI that's part of what the Manifest V3 upset was about. Ublock already looks for CNAMEs like this in order to block them, but will/would have lost that ability as a result of Manifest V3 being implemented in Chrom(e|ium).

          1. JassMan

            Re: Name and shame

            Not all of these leaks exposed sensitive data but some did. Out of 103 websites with login functionality tested, the researchers found 13 that leaked sensitive info, including the user's full name, location, email address, and authentication cookie.

            Implies that it is possible for trackers (much as think all tracking should be illegal) to write non-leaking scripts. Since users could never have consented to have private info leaked even they had agreed to the site using the data themselves, any script which leaks should be an instant fine of 10% ofglobal turnover. No ifs, no buts because the can be no defense.

    2. Grendel
      Mushroom

      Re: Name and shame

      Most definitely name and shame (as a minimum) and should the game be raised to 'prosecute' for violations of the GDPR and/or Anti-Trust as this is a deliberate 'deception' to ensure that ad-trackers continue to work?

      Perhaps we also need a new 'first party' (same origin - exactly the same URL), 'second party' (sub-URL of the first party domain) and 'third party' (different domain) approach and rulesets in our defenses?

      G

    3. Danny 14

      Re: Name and shame

      Indeed. Name, shame, block at firewall.

  2. alain williams Silver badge

    GDPR violation

    This is tracking and so the user should be asked if they want this to happen, if they agree that their data is taken out of the EU.

    Much worse is what google analytics does - tracks users from site to site, how forms are filled in, etc. I have never been asked if I want this to happen.

    Non-agreed use should be banned.

    1. Anonymous Coward
      Anonymous Coward

      Re: GDPR violation

      problem is that you probably have 'agreed' when you dismissed that obligatory t&c popup.

      go to tvlicensing.co.uk and check their cookie policy (a 599kb PDF if you download it) for somewhere that you would think shouldn't need much of a policy (no advertising) but actually reveals a lot about how much other sites must be hiding behind their simple 1 paragraph 'accept or bugger off' versions

      1. Mage Silver badge

        Re: 'accept or bugger off' versions

        That is illegal on two levels.

        1) Obtuse T&C

        2) Blocking access if not logging in.

        Really cookies are only absolutely needed if you are logging in. On all other sites I also block 1st person cookies. Only a year later I discovered some sites use a cookie to count site views.

  3. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Smug bastard doesn't understand

      They're tracking you when you do DNS lookups. You don't mention handling that yourself.

      I think you saw the headline and rushed to explain how clever you are.

      Read the article.

      1. vtcodger Silver badge

        Re: Smug bastard doesn't understand

        They're tracking you when you do DNS lookups. You don't mention handling that yourself.

        Smug Bastard probably has the URIs of all 17 web sites that still work without Javascript pasted into his huge hosts file. If it's found in the hosts file, there's no DNS lookup , right?

    2. Valeyard

      Re: Smug bastard is smug.

      Then I've got a hosts file so large it probably slows my connection down but you can be damn sure your hostile site is already on it.

      Indeed that was what we all did in 2013, but for nowadays have you not tried out pihole?

      1. Recluse

        Re: Smug bastard is smug.

        Or indeed pfblockerNG on pfsense (which IMHO. is a pihole on steroids)

        See here (article is a couple of years old)

        https://linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

    3. Anonymous Coward
      Anonymous Coward

      Re: Smug bastard is smug.

      > 1st party cookies are set to be prompted if to be set & I tend to say no. 3rd party ones never get set at all.

      You do realise that the purpose of CNAMEing a subdomain is to turn third party requests into first party requests, right?

      > Then I've got a hosts file so large

      Do you also realise that a hosts file is not a firewall?

      > Oh and I don't run javascript

      Neither is it needed by this technique.

      In fact, all it takes to track you using DNS is for your computer to make a DNS request which, e.g., if you haven't disabled prefetch in your browser, may be made before you even access the relevant page.

    4. Anonymous Coward
      Anonymous Coward

      Re: Smug bastard is smug.

      @overly_smug_git

      notice how your HOSTS file contains multiple variants of sites like taboola.com when you should simply have had to use '0.0.0.0 taboola.com' to block everything... welcome to the world of CNAME

    5. Anonymous Coward
      Anonymous Coward

      Re: Smug bastard is smug.

      Eh, not to rain on your parade of Smugness, but generally a plasma torch is used for cutting, not joining.

    6. ckm5

      Re: Smug bastard is smug.

      A lot of sites no longer rely on cookies as they are unreliable. There are tons of other ways of tracking browsers whether you allow it or not:

      - Browser Fingerprinting

      - IndexDB

      - Local Storage

      - DNS Queries

      Some of these methods may or may not work depending on a wide variety of factors, not all of which are under your control....

  4. Hubert Cumberdale Silver badge

    NoScript FTW.

    1. Pascal Monett Silver badge
      Thumb Up

      Indeed : "it is possible to include an arbitrary JavaScript payload that will be executed "

      No, it won't be.

      1. Hubert Cumberdale Silver badge

        Indeed indeed. So I wonder why the downvotes. Maybe people just don't like NoScript.

        1. Hubert Cumberdale Silver badge

          Wow. Helpful: downvote again but don't explain *slow clap*

          1. doublelayer Silver badge

            I didn't vote either way, and this is supposition, but I'm wondering if the downvotes are because people sometimes treat NoScript like a perfect firewall. It's not. It can help, but if people think they can just install it and everything will be fine, they're wrong several times. It helps in the case of running JS from a site like this, but most of the time, a site will just pull in a script from the source in the HTML. So in the case of this attack, it's not all that likely to produce different results on a site using this and a site using classic attacks. Therefore, though it's useful, it isn't really a good solution for the problem as described. Maybe some are expressing that view in their votes.

            1. Hubert Cumberdale Silver badge
              Black Helicopters

              I didn't downvote you either – thank you for providing an actual suggestion; on the whole, I agree with you. For me, NoScript is just part of a multi-pronged strategy that includes UBlock Origin, Privacy Badger, DNS over HTTPS, enforcing HTTPS and where possible avoiding sites that are still HTTPS refuseniks, DDG Privacy Essentials, blocking all third-party cookies, a regularly updated ~2MB hosts file that blocks a range of types of site, and, most importantly, the application of more than a little common sense. Of course, this all makes the web look much more broken (which, as an aside, this article demonstrates it already is), and I don't enjoy having to wear a suit of armour just to go and buy a pint of milk, but I don't really feel safe doing anything else. And stuff like this tells me I'm still not completely safe anyway, but it's a start.

              None of which gives anyone an excuse to passively downvote a request for clarification of previous downvoting without explaining why. These forums are supposed to be a place for discussion, and just repeatedly shouting "BOOOO!" doesn't add a great deal to it. By all means, shout boo and then explain why (assuming someone else hasn't already, in which case you can also shout "Hear, hear!" at them), but otherwise it makes it look like either you (a) haven't got a plausible argument against the point, or (b) are simply lazy. Of course, if you actually are a bored chimp in a safari park, feel free to continue throwing faeces.

  5. cipnt

    Interesting approach

    You have to admire the simplicity of the technical solution they came up with – CNAME.

    I love a good hack like this

    1. Warm Braw

      Re: Interesting approach

      You have to admire the simplicity of the technical solution

      Unfortunately, the simplicity of the solution simply reveals how broken the underlying security model is.

      In retrospect, it was a terrible idea to allow individual web pages to interact with any other server than the one from which the page was retrieved. Even that wouldn't stop that server from passing information on to a third party, but at least the responsibility would be clear.

  6. Anonymous Coward
    Anonymous Coward

    News?

    I'm not really sure this is news, a number of large UK based companies have been doing it for over 10 years.

    I set up and provided them with the DNS settings for my ex-employers tag collection servers.

  7. Mage Silver badge
    Devil

    Grr!

    ’tis evil.

    I'd be surprised if Facebook & friends aren't doing this. Google doesn't need to due to the stupidity of websites using a plethora of Google resources. Why do Theme designers and websites generally think it's cool to have similar fonts to standard ones, but Google Hosted, Google Analytics instead of their own, Google hosted javascript instead of their own. Google APIs when there are no Google services like Maps on the page. I can't see how the use of any of that is legal in the EU and the quite a few other countries with similar laws.

    Parasites.

    1. Kubla Cant
      Black Helicopters

      Re: Grr!

      In the past few years I've worked on a web application for members of the public applying for bank accounts and another used by financial advisers to apply for pensions for people. Needless to say, neither application displayed ads, and both processed lots of confidential information.

      But there was the Google Analytics link on the landing page.

      1. needmorehare

        My 70 year old father

        Was disgusted when he found Google Analytics in use for booking his COVID appointment. Shouldn’t we start by making this kind of stuff illegal on public sector websites first?

  8. Anonymous Coward
    Anonymous Coward

    DNS is broken

    CNAMEs should only be able to point to another subdomain within the same zone.

    i.e. myname.mydomain.com can point to somethingelse.mydomain.com but should not be able to point to something.otherdomain.com

    Yes that'll break some things. Omelette, eggs, etc.

    1. Anonymous Coward
      Anonymous Coward

      Re: DNS is broken

      Honestly, if CNAMEs become restricted, they'll just end up using regular A/AAAA records.

      Using a CNAME is surely more convenient, but if you can set one, a regular A/AAAA can be set to some tracker IP addresses just as well, and will work fine. And then, what?

      The solution is not technological here, it has to be law+enforcement with meaningful fines.

      1. Ben Tasker

        Re: DNS is broken

        > Honestly, if CNAMEs become restricted, they'll just end up using regular A/AAAA records.

        Or, indeed, a DNAME (giving the same flexibility as a CNAME, just with a less commonly known feature).

        When that gets blocked, no drama, just add some NS records and delegate a zone out to $advertiser's nameservers

        As you say, the solution isn't technical one - limiting CNAMEs to acting like an alias breaks a lot, and fixes precisely nothing. What's needed is for the underlying business model to stop being viable, because of meaningful enforcement (we already have the laws)

        1. dcsprior

          Re: DNS is broken

          >> Honestly, if CNAMEs become restricted, they'll just end up using regular A/AAAA records.

          > Or, indeed, a DNAME (giving the same flexibility as a CNAME, just with a less commonly known feature).

          Or, indeed, a first-party proxy to a third-party site. Which you can't detect from the client end (whereas an A/AAAA record you could theoretically check it's within the same AS or something)

    2. dcsprior

      Re: DNS is broken

      So what about a site that has domains CNAMEd to a CDN or similar? You may need quite a lot of eggs for this omelette.

  9. Anonymous Coward
    Anonymous Coward

    Pi Hole

    Pi Hole now supports CNAMES and can block ads that do this crap

  10. Nelbert Noggins

    Quite a few companies have been doing this for years.

    Some also put scripts required for the site to work on the same subdomain the tracking beacons/code uses so you have to allow access to the subdomain.

    What's probably more surprising these days is how many companies don't do it already.

    Unless something drastic happens that costs the companies significant money, the whole thing is just an arms race. Every time we patch the holes in the walls, another crack appears to let the data stream out into the small number of data oceans, who can then mix it all around between them for financial gain.

    1. Graham Cobb Silver badge

      Which is why the technical countermeasures need to be combined with two other things:

      1) Laws. When I say "do not track" I mean "do not track". Any tracking is clearly illegal. If you don't want to serve me without tracking, that is fine - I will take my business elsewhere (possibly even paying more).

      2) Name and shame. None of the UK top 1000 brands should be able to afford to ignore "do not track" requests. The newspapers should be full of it, and MPs should be asking questions in parliament about why is the government doing any business with these companies.

      1. Headley_Grange Silver badge

        Name and Shame Trackers?

        @ Graham: ".....the newspapers......."

        Hmmmm.

      2. Anonymous Coward
        Anonymous Coward

        You mention MPs. Those same MPs whose petition.parliament.uk website has Google Analprobe trackers on it?

        ...which means, with all the other information that Google probably has dredged about you from elsewhere, likely positively identifying you with your email address via those sites that use Google Recaptcha on the login screen (at the very least, along with all their other sources of exfiltration), means that Google also knows what political issues you are interested in, which is surely protected Special Category Data (Sensitive Personal Data)?

        (Which is why any organisation that uses *any* Google 'assets' (SIGINT, indeed) without fully thinking through the consequences needs their collective heads examined. (Other data reaping scum are available, sadly.))

        1. JassMan
          Trollface

          @AC

          "(Which is why any organisation that uses *any* Google 'assets' (SIGINT, indeed) without fully thinking through the consequences needs their collective heads examined. (Other data reaping scum are available, sadly.))"

          What has process signal -2 got to do with CNAME?

  11. Anonymous Coward
    Stop

    Waste your money tracking me...

    ...I don’t care. I won’t see your ads and I won’t buy your tat.

    1. Anonymous Coward
      Facepalm

      Re: Waste your money tracking me...

      I have to agree that if consumers wouldn't consume tracking tainted tat, we wouldn't have this problem.

      Laws don't work because companies view them as things to get around.

      Fines don't work because companies view them as a cost of doing business.

      Public shaming doesn't work because the public as a whole ignores it.

      1. JulieM Silver badge

        Re: Waste your money tracking me...

        "Treating fines as opex" needs to be made an offence in its own right.

        1. Ken Hagan Gold badge

          Re: Waste your money tracking me...

          Increasing the penalty for subsequent offences of the same nature would appear to fix that. I wonder what the downside is.

          1. A.P. Veening Silver badge

            Re: Waste your money tracking me...

            Increasing the penalty for subsequent offences of the same nature would appear to fix that.

            And at the third offence putting the complete C-level in the slammer will surely fix it.

            I wonder what the downside is.

            I don't see any.

  12. JulieM Silver badge

    Time to fight back hard

    It is time we fought back at all this. I'm thinking browser extensions with the explicit aim of poisoning Web analytics and even trying deliberately to crash badly-written code. I'm thinking a smart DNS sever running locally. I'm thinking all this should be included in popular distros.

    Only today I was a victim of back-button hijacking. Preventing a person from leaving a physical store until they have spent long enough looking at advertisements is not something that would be tolerated in real life.

    Some of us are not going to put up with this anymore.

    1. A.P. Veening Silver badge

      Re: Time to fight back hard

      Only today I was a victim of back-button hijacking. Preventing a person from leaving a physical store until they have spent long enough looking at advertisements is not something that would be tolerated in real life.

      Just close that browser window and blacklist that site (easy enough with a PiHole).

  13. Rol

    We've just upgraded your internet to default security AAA+ at no extra charge!

    This latest revelation is the last straw. Every ISP should be answering the ongoing crisis impacting their customers by actively hiding them.

    Strip out the information in packets that help identify customers and then assign a random IP. In short ISP's should be connecting their customers via their own in-house VPN a virtual TOR network if you will.

    The ISP's of this world should be anonymising their bill paying customers and if marketing is unhappy, then they can help alleviate the situation by offering to pay the bill themselves - if you're skint, you can always get online for free, but you've got to suffer the stalkers.

    Why, having paid an exorbitant fee to my ISP, do they sit by and watch me get chased around the playground by bullies, sticking revealing images of Russian's, who want to marry ME tomorrow, in my face at every turn. I went their once...and will they never let me forget it..hahaha!

    No seriously. ISP's should be stepping up and improving their service.

    1. Ken Hagan Gold badge

      Re: We've just upgraded your internet to default security AAA+ at no extra charge!

      You are assuming that your ISP can inspect and edit your packets. I think quite a few people might have a problem with that.

    2. ckm5

      Re: We've just upgraded your internet to default security AAA+ at no extra charge!

      A lot of ISPs sell DNS data to advertisers, some of them also inject ads into the pages you request.

      Not sure that any ISP is your friend.

      1. A.P. Veening Silver badge

        Re: We've just upgraded your internet to default security AAA+ at no extra charge!

        A lot of ISPs sell DNS data to advertisers, some of them also inject ads into the pages you request.

        European ISPs don't as it will get them in a lot of legal trouble, but even so I am using Pi-Hole in combination with Unbound.

        Not sure that any ISP is your friend.

        God preserve me from my friends, with my enemies I can deal myself.

  14. Grendel

    Most definitely name and shame (as a minimum) and should the game be raised to 'prosecute' for violations of the GDPR and/or Anti-Trust as this is a deliberate 'deception' to ensure that ad-trackers continue to work?

    Perhaps we also need a new 'first party' (same origin - exactly the same URL), 'second party' (sub-URL of the first party domain) and 'third party' (different domain) approach and rulesets in our defences?

    G

  15. Neoc

    "...marketers have stepped up efforts to evade anti-tracking measures..."

    Doesn't that sound like a job for the DMCA? "...It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself..."

    Seems to me that "anti-tracking measures" are a type of "access control".

  16. Detective Emil
    Boffin

    If you want to block (some of them) by hand:

    You can find most of the culprits' destination domains in the reasonably-frequently-updated NextDNS CNAME Cloaking Blocklist on GitHub, and add them to the blocklist of your choice.

  17. Anonymous Coward
    Anonymous Coward

    Uh yeah...

    This stuff. CNAME bollox like that are used industry-wide. Add TXT records to the mix. In fact most things about DNS can be abused in one way or another. Add a sprinkling of javascript at the CDN level and cookies just become mildly useful to have if not a distraction to the main issue.

    Anonymous for good reasons.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like