DNS cheating aka CNAME Collusion or CNAME cloaking


MichaelRSorg (Well-known member, Nov 1, 2020; RouterSecurity.org)

danlock (Well-known member, Sep 30, 2020)
NextDNS has had a defense against this for a while now
Yes... also, the relevant NextDNS list can be installed as a blocking list in uBlock Origin. Search for "nextdns" in the "names" column on FilterLists (or, more easily, copy https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains into the Custom > Import box at the bottom of the Filter lists tab of the uBO Dashboard.)

Speaking of the CNAME Collusion issue, uncloaking CNAMEs has been part of uBO as an advanced setting since 1.25.0. From version 1.34.0, it's available on the Settings tab of the uBO Dashboard. Uncloaking of canonical names is enabled by default. This works on Firefox.

(The checkbox to uncloak canonical names is unchecked, grayed out, and cannot be altered on uBO's Settings tab in Chrome, where, currently, the regular and development builds have version numbers lower than 1.34.0, and the underlying tech is insufficient to allow it.)

Read the description at the top of this commit made yesterday (2021-03-02) on Github and/or read this Dashboard: Settings entry in the wiki/documentation about the setting. The second link has some helpful advice for times when it might be necessary to disable the uncloaking.

I wasn't able to get the 1.34.0 version for Firefox either... here are the relevant cname settings from the advanced options:

[Image: Firefox-Advanced-cnamesettings.png]

edanto (New member, Mar 5, 2021)
I wonder if a marketing company I'm looking into (Marketo) uses this method or not? In their configuration instructions (https://docs.marketo.com/display/public/DOCS/Setup+Steps#SetupSteps-AskITtoConfigureProtocols), they ask for some CNAMEs to be set up for landing page and email tracking. How do I find out if the methods they are using are as bad as described on the podcast? What do I check?

In the research paper discussed on the podcast (https://arxiv.org/pdf/2102.09301.pdf) they outline in section 3.1.1 their method for adding a company to their list of tracking companies using CNAME cloaking.

I wonder whether anyone would have any insight about the manual cookie analysis they describe in the final phase? Any way to examine this for a sample company?

3.1.1 Methodology: Discovering trackers

To detect services that offer CNAME-based tracking, we used a three-pronged approach that leverages features intrinsic to the ecosystem, combining both automated and manual analysis.

First we filtered all requests from HTTP Archive’s dataset and only considered the ones that were same-site but not same-origin, i.e. the same eTLD+1 but not the exact same origin as the visited web page. Furthermore, we only retained requests to domain names that returned a CNAME record referring (either directly or indirectly after redirection of other CNAME records) to a different eTLD+1 domain in our DNS data. We aggregated these requests on the eTLD+1 of the CNAME record, and recorded a variety of information, such as the average number of requests per website, variation of request size, percentage of requests that contain a cookie or set one via the HTTP response header, etc. In Appendix B we elaborate on these features and discuss how they could be used to assist or automate the detection of CNAME-based tracking. Out of the resulting 46,767 domains, we only consider the ones that are part of a CNAME-chain on at least 100 different websites, which leaves us with 120 potential CNAME-based trackers.

In the second phase, we performed a manual analysis to rule out services that have no strict intention to track users. Many services that are unrelated to tracking, such as CDNs, use a same-site subdomain to serve content, and may also set a cookie on this domain, thus giving them potential tracking capabilities. For instance, Cloudflare sets a __cfduid cookie in order to detect malicious visitors, but does not intend to track users with this cookie (user information is kept less than 24 hours) [12]. For each of the 120 domains, we visited the web page of the related organization (if available) and gathered information about the kind of service(s) it provides according to the information and documentation provided on its website. Based on this information, we then determined whether tracking was the main service provided by this company, either because it explicitly indicated this, or tracking would be required for the main advertised product, e.g. in order to provide users with personalized content, or whether this was clear from the way the products were marketed. For instance, one such provider, Pardot, offers a service named “Marketing Automation”, which they define as “a technology that helps businesses grow by automating marketing processes, tracking customer engagement, and delivering personalized experiences to each customer across marketing, sales, and service”, indicating that customers (website visitors) may be tracked.

Finally, we validate this based on the requests sent to the purported tracker when visiting a publisher website: we only consider a company to be a tracker when a uniquely identifying parameter is stored in the browser and sent along with subsequent requests, e.g. via a cookie or using local Storage. Using this method, we found a total of 5 trackers. Furthermore, we extended the list with eight trackers from the CNAME cloaking blocklist by NextDNS [13, 37].
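As an added example (not code from the thread, the paper or NextDNS), here is a small Python check in the spirit of the paper's first filter and of the NextDNS blocklist mentioned earlier in the thread: follow a hostname's CNAME chain and flag it when the chain leaves the page's eTLD+1 or lands on a blocklisted domain. The DNS answers, the blocklist and the public-suffix set are all constructed stand-ins so it runs offline.

```python
# Added example, not code from the thread or from the paper. It applies the
# paper's first filter (section 3.1.1): a same-site request whose CNAME chain
# ends at a different eTLD+1 than the embedding page is a CNAME-cloaking
# candidate. All DNS answers and the blocklist below are constructed so the
# script runs offline; swap in a real resolver (e.g. dnspython) for live hosts.

# Constructed CNAME records: name -> canonical name; None means the chain ends
FAKE_DNS = {
    "metrics.shop.example": "shop-example.tracker-cdn.example",
    "shop-example.tracker-cdn.example": "edge.tracker-cdn.example",
    "edge.tracker-cdn.example": None,
    "static.shop.example": "cdn-assets.shop.example",
    "cdn-assets.shop.example": None,
    "loop.shop.example": "loop2.shop.example",
    "loop2.shop.example": "loop.shop.example",
}
# Constructed stand-in for the NextDNS cname-cloaking blocklist (eTLD+1 entries)
FAKE_BLOCKLIST = {"tracker-cdn.example"}
# Minimal public-suffix set; real code should use the Public Suffix List
PUBLIC_SUFFIXES = {"example", "com", "co.uk"}

def etld_plus_one(host):
    """Registrable domain: the label just below the longest matching public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()

def cname_chain(host, resolve=FAKE_DNS.get, max_hops=10):
    """Follow CNAMEs from host to the terminal name, refusing loops and long chains."""
    chain = [host]
    while len(chain) <= max_hops:
        nxt = resolve(chain[-1])
        if nxt is None:
            return chain
        if nxt in chain:
            raise ValueError("CNAME loop at " + nxt)
        chain.append(nxt)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)

def classify(page_host, request_host, resolve=FAKE_DNS.get, blocklist=FAKE_BLOCKLIST):
    """Return (cloaked, blocklisted, chain) for a request made by page_host."""
    site = etld_plus_one(page_host)
    if etld_plus_one(request_host) != site:
        return False, False, [request_host]   # plain third-party request, not cloaked
    chain = cname_chain(request_host, resolve)
    targets = {etld_plus_one(h) for h in chain[1:]}
    return any(t != site for t in targets), bool(targets & blocklist), chain
```

A cloaked result is only the paper's first filter; confirming a tracker still needs the cookie/localStorage check the quoted section describes in its final phase.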

PHolder (Well-known member, Sep 16, 2020; Ontario, Canada)
This is an Adobe company, and Adobe is one of the worst for bad practices, so I fully expect that their use of CNAME would be malicious (to privacy.)

Additionally, I see they have a product they refer to as "engage", and I've seen many engage URLs in the block lists.