RestorePrivacy

Resources to stay safe and secure online

Alert: Your Tracker Blocker Might be Missing 90% of 3rd-Party Cookies

October 24, 2022 By Heinrich Long — 6 Comments

Network specialists warn about the rising popularity of “CNAME cloaking”, a technique that big advertisers use to get past the user-tracking restrictions and third-party cookie blocking applied by web browsers and extensions.

CNAME cloaking isn’t a new technique, but it is becoming more effective despite the various approaches developers of anti-trackers have taken to tackle it, resulting in increased adoption rates by marketers.

Network security company Palo Alto Networks has created a CNAME cloaking scanner to gauge the extent of the problem and reports that a large percentage of new domains are using the anti-blocking technique.

Cookies and CNAME Cloaking

First-party cookies are generally considered essential for ensuring users’ stable and satisfactory browsing experience, so these are excluded from blocks.

Third-party cookies, on the other hand, are loaded from websites outside the domain visited by the users, and their goal is to track them for purposes of targeted advertising.

These third-party cookies are blocked either by comparing the origin resource of the cookies to the active domain or by using blocklists.

To bypass these blocks, CNAME cloaking relies on DNS resolution steps that the browser does not scrutinize, making the external resource appear to be a subdomain of the website the user visits, so that its cookies are treated as first-party and allowed.

[Figure: How CNAME cloaking works. Source: Palo Alto Networks]

The result is to allow advertisers to determine if a visitor is returning or new, assign unique IDs for persistent tracking across websites, retrieve browser information, measure the frequency of visits, and more.

While this is not the same as allowing third-party cookies, it still enables advertisers to funnel user data outside the site they visit, essentially breaching their privacy while they falsely assume they are protected from all third-party trackers.

The Scale of the Problem

Palo Alto Networks reports that while running its CNAME cloaking scanner for a month, it detected 43,000 cloaked subdomains in 38,000 root domains, with most of them (98%) pointing to a single external resource.

[Figure: Newly detected websites using CNAME cloaking. Source: Palo Alto Networks]

The cloaked subdomains point to central domains belonging to just 32 organizations, generally advertising and marketing giants.

The report highlights that extensions using blocklists like AdGuard and EasyPrivacy block only roughly 10% of the subdomains the scanner detected, leaving users exposed to tracking in 90% of the cases.

One critical consequence of this practice is that first-party cookies, too, might leak sensitive data to cloaked domains, most commonly Google Analytics, Hotjar, Microsoft, and Dynatrace.
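The leak described above follows from cookie scoping rules: a cookie set with a `Domain` attribute is sent to every subdomain, including a cloaked one. The sketch below is an added example, not code from the report; all host names and the cookie jar are constructed, and Path, Secure and expiry checks are left out.

```python
# Added example: which first-party cookies reach a CNAME-cloaked subdomain.
# Implements only the domain-matching part of cookie handling (RFC 6265).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    set_by_host: str                    # host whose response set the cookie
    domain_attr: Optional[str] = None   # Domain attribute; None = host-only


def domain_match(request_host, cookie):
    """True if the browser would attach `cookie` to a request for request_host."""
    host = request_host.lower()
    if cookie.domain_attr is None:
        # Host-only cookie: sent back to the exact host that set it.
        return host == cookie.set_by_host.lower()
    domain = cookie.domain_attr.lstrip(".").lower()
    # Domain cookie: sent to that domain and to every subdomain of it.
    return host == domain or host.endswith("." + domain)


def cookies_sent_to(request_host, jar):
    return [c.name for c in jar if domain_match(request_host, c)]


def leaked_to(request_host, jar):
    """Cookies sent to request_host that a different host set."""
    return [c.name for c in jar
            if domain_match(request_host, c)
            and c.set_by_host.lower() != request_host.lower()]


# Constructed jar for the hypothetical site shop.example, whose subdomain
# metrics.shop.example is assumed to be CNAME-cloaked.
SAMPLE_JAR = [
    Cookie("_ga", "www.shop.example", "shop.example"),      # analytics ID
    Cookie("session", "www.shop.example", "shop.example"),  # site-wide login
    Cookie("__Host-session", "www.shop.example"),           # host-only
    Cookie("trk_id", "metrics.shop.example"),               # tracker's own
]
CLOAKED_HOST = "metrics.shop.example"

if __name__ == "__main__":
    # SameSite does not help here: both hosts belong to the same site.
    print("sent:  ", cookies_sent_to(CLOAKED_HOST, SAMPLE_JAR))
    print("leaked:", leaked_to(CLOAKED_HOST, SAMPLE_JAR))
```

For site operators, the practical takeaway is that host-only cookies (for example those using the `__Host-` prefix, which forbids a `Domain` attribute) are not attached to requests for a cloaked subdomain.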

What can Users do

Users can feel more confident about the effectiveness of their tracker blockers by using tools that detect CNAME cloaking based on DNS lookups.

Palo Alto Networks provides the example of uBlock Origin on Firefox, where access to DNS APIs is open to extensions.

Brave browser also checks for CNAME cloaking using an embedded DNS resolver and blocks the request if one is detected.
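The DNS-based check mentioned here, and the cloaking mechanism described under “Cookies and CNAME Cloaking”, can be sketched as follows. This is an added example, not uBlock Origin's or Brave's code: the DNS records and host names are constructed, and the registrable domain is approximated as the last two labels instead of using the Public Suffix List.

```python
# Added example: flag "first-party" hosts whose CNAME chain leaves the site.
# Records are constructed sample data; a real check would query a resolver.

# Constructed CNAME records (name -> target); every name is hypothetical.
SAMPLE_CNAMES = {
    "metrics.shop.example": "shop-example.tracker-cdn.example",
    "shop-example.tracker-cdn.example": "edge7.tracker-cdn.example",
    "img.shop.example": "static.shop.example",
    "www.shop.example": "shop.example",
}
SAMPLE_TRACKERS = frozenset({"tracker-cdn.example"})  # constructed blocklist


def registrable_domain(host):
    """Assumption: last two labels. Production code needs the Public Suffix List."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def cname_chain(host, records, max_depth=10):
    """Follow CNAME records from host, stopping on loops or excessive depth."""
    current = host.rstrip(".").lower()
    chain, seen = [], {current}
    while current in records and len(chain) < max_depth:
        current = records[current].rstrip(".").lower()
        if current in seen:
            break
        seen.add(current)
        chain.append(current)
    return chain


def classify_request(page_host, request_host, records, trackers=frozenset()):
    """Classify a request made by a page, taking CNAME targets into account."""
    site = registrable_domain(page_host)
    if registrable_domain(request_host) != site:
        return "third-party"        # ordinary blocking already covers this
    for target in cname_chain(request_host, records):
        target_site = registrable_domain(target)
        if target_site != site:
            # Looks first-party by name, but DNS hands it to another party.
            if target_site in trackers:
                return "cloaked-tracker"
            return "cloaked-external"   # may be a CDN; needs review
    return "first-party"


if __name__ == "__main__":
    for host in ("metrics.shop.example", "img.shop.example",
                 "ads.tracker-cdn.example"):
        verdict = classify_request("www.shop.example", host,
                                   SAMPLE_CNAMES, SAMPLE_TRACKERS)
        print(f"{host:28} {verdict}")
```

The `cloaked-external` verdict is kept separate because a CNAME to another organization is also how many CDNs are wired up, so only targets on a tracker list are treated as trackers.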

Note: Brave and Firefox are the top recommendations in our secure browser guide.

Apple’s Safari also features bounce tracking detection to detect CNAME cloaking and block the trackers, and its developers are constantly improving it.

One thing to remember is that this is a “cat-and-mouse” game between advertisers and web browser developers, so using up-to-date software is key in fighting the phenomenon, or at least having the best chances.

As for VPNs, using a trustworthy product will help you against all forms of data collection by encrypting all data in transit, so even if CNAME cloaking isn’t blocked, the privacy breach effect will be negated.

About Heinrich Long

Heinrich is an associate editor for RestorePrivacy and veteran expert in the digital privacy field. He was born in a small town in the Midwest (USA) before setting sail for offshore destinations. Although he long chafed at the global loss of online privacy, after Edward Snowden’s revelations in 2013, Heinrich realized it was time to join the good fight for digital privacy rights. Heinrich enjoys traveling the world, while also keeping his location and digital tracks covered.

Reader Interactions

Comments

  1. Moon Cocoon

    October 25, 2022

    I need more information regarding CNAME cloaking, including how to effectively prevent it and whether the Firefox browser's “block 3rd-party cookies” option prevents CNAME cloaking.
    Also, when using a 3rd-party DNS provider like NextDNS and AdGuard DNS Private, does access to the domains required for CNAME cloaking get blocked?
    Is the AdGuard ad blocker software for PC effective against CNAME cloaking?

    In my case on PC I use the Cookie AutoDelete add-on on Firefox along with “block all 3rd-party cookies” enabled. So all cookies are deleted except those which I whitelist, and I also use Firefox containers for websites like Amazon and Outlook.
    I also use Firefox on Android, and whenever I quit the browser all cookies without exception get deleted and all tabs get closed. Firefox on both platforms has the option to protect against fingerprint tracking.

    Also, how effective is a VPN against CNAME cloaking? I am using NordVPN.

    • Sun Cocoon

      October 25, 2022

      Good questions and good practices Moon Cocoon! I was about to ask the same about https://adguard-dns.io/en/welcome.html (link is not my answer; I am asking for an interpretation of it)

      • Comet Coccon

        October 28, 2022

        I agree with the above. Great comment Moon Cocoon! My set up is similar to yours.
        Can the article be read to say that if you are using a recommended browser (Brave/Firefox – I use both with uBlock Origin; Firefox is customized per the RP guide), keeping them updated, and using a trusted VPN (Nord), this is the best way to mitigate these buggers?
        I also have my browsers set to delete all cookies on close (best balance of privacy and convenience for me). I imagine this would be a good strategy also?
        As Sun Cocoon says this is not an answer just questions.

      • me

        December 4, 2022

        Read the full report, I would say. Just delete all cookies regularly (or manually select those you don’t use) and don’t allow third-party cookies. And yes, you will need to sign in and out of all used services because of it. You can experiment with several browsers, use disposable VMs if you’re really paranoid, etc. Monitor your router’s outgoing logs if you can use pfSense and their extension tools.

        For Windows users, well, either use customized builds or install scripts; as far as whether they prevent things, I’m not certain. But you know your operating system is already spying and reducing your privacy, so software can reduce it a bit, but you never know for sure. Same for Apple, Androids (most builds) etc.

        For AdGuard, just apply extra CNAME cloaking lists. https://github.com/AdguardTeam/cname-trackers
        But remember, not all those cloaked CNAME cookies are malicious, and blocking them can make websites unusable or have consequences.

        As mentioned, Google Analytics and other big company analytics tools (Microsoft, Oracle, etc.) are the main culprit. Related cookies should be blocked.

        One consequence of using CNAME cloaking is that other first party cookies might automatically be sent to the cloaked FQDN. Unexpectedly, the most common cookies seen in requests to cloaked domains were not those set by the tracker involved in the cloaking, but those associated with Google Analytics (see Table 1).

  2. Dancing Lizard

    October 25, 2022

    “will help you against all forms of data by encrypting all data in transi..”

    Correction: against all forms of data collection/harvesting……

    • Sven Taylor

      October 25, 2022

      Thanks, fixed.

