Network specialists warn about the rising popularity of "CNAME cloaking", a technique advertisers use to get past user-tracking restrictions and the third-party cookie blocking built into web browsers and extensions.
CNAME cloaking isn't a new technique, but it remains effective despite the various countermeasures anti-tracker developers have tried, and marketers are adopting it at an increasing rate.
Network security company Palo Alto Networks built a CNAME cloaking scanner to gauge the extent of the problem and reports that a large share of newly observed domains use the anti-blocking technique.
Cookies and CNAME Cloaking
First-party cookies are set by the site the user is actually visiting and are generally considered essential to a stable and satisfactory browsing experience (logins, sessions, preferences), so blockers leave them alone.
Third-party cookies, on the other hand, are set by domains other than the one the user is visiting, and their usual purpose is to track users across sites for targeted advertising.
Blockers identify these third-party cookies either by comparing the domain that set the cookie against the domain of the page being viewed, or by matching request domains against blocklists of known trackers.
CNAME cloaking sidesteps both checks at the DNS layer, which the browser does not inspect. The site operator creates a subdomain of its own domain and publishes a DNS CNAME record that aliases it to the tracker's server. The browser only sees a request to a subdomain of the site it is visiting and treats the response, including any cookies it sets, as first-party; the redirection to the tracker happens inside DNS resolution, out of the browser's view.
As a result, the tracker can tell whether a visitor is new or returning, assign unique IDs for persistent tracking across websites, collect browser information, measure visit frequency, and more.
This is not quite the same as allowing third-party cookies outright, but it still lets advertisers funnel user data out of the site being visited, breaching the privacy of users who believe their blocker shields them from all third-party trackers.
The Scale of the Problem
Palo Alto Networks reports that while running its CNAME cloaking scanner for a month, it detected 43,000 cloaked subdomains in 38,000 root domains, with most of them (98%) pointing to a single external resource.
The cloaked subdomains point to central domains belonging to just 32 organizations, generally advertising and marketing giants.
The report also notes that blocklist-based filters such as AdGuard and EasyPrivacy catch only roughly 10% of the subdomains the scanner detected, leaving users exposed to tracking in the remaining 90% of cases.
One critical consequence of this practice is that genuine first-party cookies can leak to the cloaked subdomain as well: a cookie set with a Domain attribute covering the site's parent domain is sent to every subdomain of it, so session and other sensitive cookies travel along with requests to the cloaked host and end up at the tracker's server. The report found the most common destinations to be Google Analytics, Hotjar, Microsoft, and Dynatrace.
What Can Users Do
Users can regain some confidence in their tracker blockers by using tools that detect CNAME cloaking by performing DNS lookups of their own, rather than trusting the hostname the page presents.
Palo Alto Networks gives the example of uBlock Origin on Firefox, which can do this because Firefox exposes a DNS resolution API to extensions (Chromium-based browsers do not, so the same extension cannot uncloak there).
The Brave browser checks for CNAME cloaking with its own embedded DNS resolver and blocks the request when cloaking is detected.
Note: Brave and Firefox are the top recommendations in our secure browser guide.
Apple's Safari addresses CNAME cloaking through Intelligent Tracking Prevention, which recognizes cloaked third-party requests and limits the lifetime of the cookies they set, alongside its separate bounce tracking detection; Apple continues to refine these defenses.
Remember that this is a cat-and-mouse game between advertisers and browser developers, so keeping browsers and extensions up to date is key to staying ahead, or at least to having the best chance of doing so.
As for VPNs, a trustworthy product encrypts your traffic in transit and hides your real IP address from the sites and trackers you reach, but it does not counter CNAME cloaking: the cloaked request, its cookies and the browser data it carries still arrive at the tracker's server through the tunnel. A VPN removes one identifier (your IP address), not the persistent cookie-based tracking this technique enables.
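The following Python script is an added example for this article, not Palo Alto Networks' scanner and not the code that uBlock Origin or Brave ship. It walks the CNAME chain of each request host the way the DNS-based checks above do, flags a host as cloaked when it looks first-party but its canonical name belongs to a different registrable domain, and then lists which of the site's own cookies a browser would attach to the cloaked request, which is the first-party leak described in the previous section. All DNS records, the tiny public-suffix table and the cookie jar are constructed sample data; hostnames use reserved example domains.

```python
"""Offline check for CNAME-cloaked subdomains and the first-party cookies that
would be sent to them.  Illustration added for this article; it is not Palo
Alto Networks' scanner and not the code of uBlock Origin or Brave.  The DNS
records, public-suffix list and cookie jar below are constructed sample data;
a real checker would query DNS (e.g. with dnspython) and use the full Public
Suffix List."""

# Constructed DNS zone data: name -> (record type, target).
DNS_RECORDS = {
    "www.example.com": ("A", "203.0.113.10"),
    # Cloaked: first-party-looking name aliased to a tracker via a two-hop chain.
    "metrics.example.com": ("CNAME", "customer-123.tracker-net.example"),
    "customer-123.tracker-net.example": ("CNAME", "edge.tracker-net.example"),
    "edge.tracker-net.example": ("A", "198.51.100.7"),
    # Benign alias that stays inside the site's own registrable domain.
    "static.example.com": ("CNAME", "assets.example.com"),
    "assets.example.com": ("A", "203.0.113.11"),
    # Ordinary third-party CDN alias: also reported, because DNS alone cannot
    # tell a CDN from a tracker; a blocklist decides what to do with the target.
    "cdn.example.com": ("CNAME", "example-com.cdn.example.net"),
    "example-com.cdn.example.net": ("A", "192.0.2.5"),
    # Multi-label public suffix case (co.uk).
    "www.example.co.uk": ("A", "203.0.113.20"),
    "stats.example.co.uk": ("CNAME", "t.tracker-net.example"),
    "t.tracker-net.example": ("A", "198.51.100.8"),
    # Misconfigured loop; the chain walker must not spin on it.
    "loop.example.com": ("CNAME", "loop.example.com"),
}

# Stand-in for the Public Suffix List (constructed, a handful of entries).
PUBLIC_SUFFIXES = {"com", "net", "example", "uk", "co.uk"}

# Constructed cookie jar for the visited site: (name, domain, host_only).
# host_only cookies were set without a Domain attribute; Domain= cookies are
# scoped to the registrable domain and therefore reach all of its subdomains.
SITE_COOKIES = [
    ("sessionid", "www.example.com", True),
    ("_ga", "example.com", False),
    ("consent", "example.com", False),
]

def registrable_domain(host):
    """eTLD+1 of host under the toy suffix list (longest matching suffix wins),
    e.g. shop.example.co.uk -> example.co.uk.  None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return host.lower()

def cname_chain(host, max_hops=8):
    """Follow CNAME records from host and return every name visited, the last
    being the canonical name.  Raises ValueError on a loop or an overlong chain."""
    chain, seen = [host], {host}
    while True:
        rtype, target = DNS_RECORDS.get(chain[-1], (None, None))
        if rtype != "CNAME":
            return chain
        if target in seen or len(chain) >= max_hops:
            raise ValueError(f"CNAME loop or chain over {max_hops} hops at {chain[-1]}")
        chain.append(target)
        seen.add(target)

def uncloak(visited_site, request_host):
    """Return (cloaked, canonical_name).  A request is cloaked when its hostname
    shares the page's registrable domain but its CNAME chain ends elsewhere."""
    site_rd = registrable_domain(visited_site)
    canonical = cname_chain(request_host)[-1]
    looks_first_party = registrable_domain(request_host) == site_rd
    return looks_first_party and registrable_domain(canonical) != site_rd, canonical

def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: the host equals the cookie domain or is a
    subdomain of it (suffix match on a label boundary, not a substring test)."""
    h, d = request_host.lower(), cookie_domain.lower().lstrip(".")
    return h == d or h.endswith("." + d)

def leaked_cookies(cookies, request_host):
    """Names of the cookies a browser would attach to a request to request_host."""
    sent = []
    for name, domain, host_only in cookies:
        if host_only:
            if request_host.lower() == domain.lower():
                sent.append(name)
        elif domain_matches(request_host, domain):
            sent.append(name)
    return sent

def audit(visited_site, request_hosts, cookies=SITE_COOKIES):
    """Per request host: cloaking verdict, canonical name and the cookies that
    would travel to it (or the resolver error), keyed by host."""
    report = {}
    for host in request_hosts:
        try:
            cloaked, canonical = uncloak(visited_site, host)
        except ValueError as exc:
            report[host] = {"error": str(exc)}
            continue
        report[host] = {"cloaked": cloaked, "canonical": canonical,
                        "cookies_sent": leaked_cookies(cookies, host)}
    return report

if __name__ == "__main__":
    hosts = ["metrics.example.com", "static.example.com", "cdn.example.com",
             "edge.tracker-net.example", "loop.example.com"]
    for host, verdict in audit("www.example.com", hosts).items():
        print(f"{host:28s} {verdict}")
```

Two points the report makes that the text alone does not: a host-only cookie (set without a Domain attribute) never reaches the cloaked subdomain, while every cookie scoped to example.com does; and DNS alone cannot distinguish a tracker from a legitimate third-party CDN, so a real uncloaker hands the canonical name to its filter lists instead of blocking every mismatch outright.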