DNS cheating aka CNAME Collusion or CNAME cloaking


MichaelRSorg

NextDNS has had a defense against this for a while now
Yes... also, the relevant NextDNS list can be installed as a blocking list in uBlock Origin. Search for "nextdns" in the "names" column on FilterLists (or, more easily, copy https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains into the Custom > Import box at the bottom of the Filter lists tab of the uBO Dashboard.)

Speaking of the CNAME Collusion issue, uncloaking CNAMEs has been part of uBO as an advanced setting since 1.25.0. From version 1.34.0, it's available on the Settings tab of the uBO Dashboard. Uncloaking of canonical names is enabled by default. This works on Firefox.

(The checkbox to uncloak canonical names is unchecked, grayed out, and cannot be altered on uBO's Settings tab in Chrome, where, currently, the regular and development builds have version numbers lower than 1.34.0, and the underlying tech is insufficient to allow it.)

Read the description at the top of this commit made yesterday (2021-03-02) on Github and/or read this Dashboard: Settings entry in the wiki/documentation about the setting. The second link has some helpful advice for times when it might be necessary to disable the uncloaking.

I wasn't able to get the 1.34.0 version for Firefox either... here are the relevant cname settings from the advanced options:


[Image: Firefox advanced CNAME settings]
I wonder if a marketing company I'm looking into (Marketo) uses this method or not? In their configuration instructions (https://docs.marketo.com/display/public/DOCS/Setup+Steps#SetupSteps-AskITtoConfigureProtocols), they ask for some CNAMEs to be set up for landing page and email tracking. How do I find out if the methods they are using are as bad as described on the podcast? What do I check?

In the research paper discussed on the podcast (https://arxiv.org/pdf/2102.09301.pdf) they outline in section 3.1.1 their method for adding a company to their list of tracking companies using CNAME cloaking.

I wonder would anyone have any insight about the manual cookie analysis they describe in the final phase? Any way to examine this for a sample company?

3.1.1 Methodology: Discovering trackers

To detect services that offer CNAME-based tracking, we used a three-pronged approach that leverages features intrinsic to the ecosystem, combining both automated and manual analysis.

First we filtered all requests from HTTP Archive’s dataset and only considered the ones that were same-site but not same-origin, i.e. the same eTLD+1 but not the exact same origin as the visited web page. Furthermore, we only retained requests to domain names that returned a CNAME record referring (either directly or indirectly after redirection of other CNAME records) to a different eTLD+1 domain in our DNS data. We aggregated these requests on the eTLD+1 of the CNAME record, and recorded a variety of information, such as the average number of requests per website, variation of request size, percentage of requests that contain a cookie or set one via the HTTP response header, etc. In Appendix B we elaborate on these features and discuss how they could be used to assist or automate the detection of CNAME-based tracking. Out of the resulting 46,767 domains, we only consider the ones that are part of a CNAME-chain on at least 100 different websites, which leaves us with 120 potential CNAME-based trackers.

In the second phase, we performed a manual analysis to rule out services that have no strict intention to track users. Many services that are unrelated to tracking, such as CDNs, use a same-site subdomain to serve content, and may also set a cookie on this domain, thus giving them potential tracking capabilities. For instance, Cloudflare sets a __cfduid cookie in order to detect malicious visitors, but does not intend to track users with this cookie (user information is kept less than 24 hours) [12]. For each of the 120 domains, we visited the web page of the related organization (if available) and gathered information about the kind of service(s) it provides according to the information and documentation provided on its website. Based on this information, we then determined whether tracking was the main service provided by this company, either because it explicitly indicated this, or tracking would be required for the main advertised product, e.g. in order to provide users with personalized content, or whether this was clear from the way the products were marketed.
For instance one such provider, Pardot offers a service named “Marketing Automation”, which they define as “a technology that helps businesses grow by automating marketing processes, tracking customer engagement, and delivering personalized experiences to each customer across marketing, sales, and service”, indicating that customers (website visitors) may be tracked.

Finally, we validate this based on the requests sent to the purported tracker when visiting a publisher website: we only consider a company to be a tracker when a uniquely identifying parameter is stored in the browser and sent along with subsequent requests, e.g. via a cookie or using local Storage. Using this method, we found a total of 5 trackers. Furthermore, we extended the list with eight trackers from the CNAME cloaking blocklist by NextDNS [13, 37].
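The first filtering step of the paper's methodology (same-site but cross-origin requests whose CNAME chain ends at a different eTLD+1), written up as an added example that is not code from the thread or the paper. It runs offline against constructed DNS records, and its eTLD+1 function is a deliberately simplified stand-in for the Public Suffix List.

```python
# Added example: offline version of the paper's phase-1 CNAME-cloaking filter.
# Given the page host and a request host, follow the CNAME chain and flag
# requests that are same-site (same eTLD+1) but whose canonical name ends at a
# different eTLD+1. All DNS data below is constructed sample data.
from typing import Dict, List, Optional, Tuple

# Constructed sample records: name -> CNAME target (None = chain ends here).
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "go.example-publisher.com": "pub.tracker-cdn.example.net",
    "pub.tracker-cdn.example.net": "edge.tracker-cdn.example.net",
    "edge.tracker-cdn.example.net": None,
    "static.example-publisher.com": "assets.example-publisher.com",
    "assets.example-publisher.com": None,
    "loop.example-publisher.com": "loop2.example-publisher.com",
    "loop2.example-publisher.com": "loop.example-publisher.com",
}

# Simplified stand-in for the Public Suffix List; use a real PSL library in
# practice (this only knows a couple of two-label public suffixes).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def etld_plus_one(host: str) -> str:
    """Registrable domain of host, e.g. 'a.b.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def resolve_cname_chain(host: str, records: Dict[str, Optional[str]],
                        max_hops: int = 10) -> List[str]:
    """Follow CNAMEs from host; stops at a terminal record, a loop, or max_hops."""
    chain, seen = [host], {host}
    while len(chain) <= max_hops:
        nxt = records.get(chain[-1])
        if nxt is None or nxt in seen:   # terminal record, unknown name, or loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def is_cname_cloaked(page_host: str, request_host: str,
                     records: Dict[str, Optional[str]]) -> Tuple[bool, str]:
    """True when a same-site, cross-origin request resolves to a foreign eTLD+1."""
    site = etld_plus_one(page_host)
    if request_host == page_host or etld_plus_one(request_host) != site:
        return False, "not a same-site, cross-origin request"
    terminal = resolve_cname_chain(request_host, records)[-1]
    if etld_plus_one(terminal) != site:
        return True, f"{request_host} -> {terminal} (owned by {etld_plus_one(terminal)})"
    return False, f"CNAME chain stays within {site}"
```

With live data you would replace SAMPLE_CNAMES with real CNAME lookups for the hostnames a page requests (for the Marketo case above, the CNAMEs their setup guide asks you to create) and, as the paper's third phase does, then inspect whether the terminal host sets a persistent identifying cookie.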
 
This is an Adobe company, and Adobe is one of the worst for bad practices, so I fully expect that their use of CNAME would be malicious (to privacy.)

Additionally, I see they have a product they refer to as "engage", and I've seen many engage URLs in the block lists.
 
uBlock Origin can and does "Uncloak canonical names" by default if you have the "Uncloak canonical names" checkbox checked under Settings.
It seems that this practice will become much more commonplace now that Chrome is going to block third-party cookies.
Also see SN-975 (https://www.grc.com/sn/sn-975-notes.pdf), page 11.