I develop a FOSS adblocking DNS stub resolver and client. And I believe, DNS-based content-blocking will become drastically ineffective as it gets more popular.
Besides CNAMEs breaking all sorts of assumptions a client software makes (and hence also causing security headaches in the process as outlined in the paper), there are a couple other DNS cloaking techniques that the paper doesn't discuss:
1. ALIAS records (not standardized? popularized by Route53) hide CNAME-like pointers. Another variant of this is, some DNS nameservers (like Cloudflare) flatten CNAME records (aka transparently ALIAS endpoints): CNAMEs aren't sent with the answer, that is, you're straight up served the A/AAAA record with IPs (which could easily be third-party). DNSSEC doesn't help here, afaik.
2. The shiny new SVCB/HTTPS records open up another avenue for DNS cloaking. For example, consider this (unverified if correct) record with a chain of pointers:
example.com SCVB IN 0 example.net
example.net CNAME IN example.org
example.org SVCB IN 0 example.us
example.us SVCB IN 1 example.uk (ipv4hint=2.2.2.2, ipv6hint=2:2::2)
example.uk SVCB IN 0 example.de
example.de CNAME IN example.fr
example.fr SVCB IN 1 . (ipv4hint=..., ipv6hint=...)
example.fr SVCB IN 2 example.es (ipv4hint=..., ...)
example.fr SVCB IN 3 example.it (...)
example.fr CNAME IN example.ru
example.es CNAME IN example.it
example.it SVCB IN 1 . (...)
example.it SVCB IN 2 example.ch (...)
example.it A IN 4.4.4.4
example.it AAAA IN 4:4::4
example.ch SVCB IN 0 example.ru
example.ru SCVB IN 1 . (...)
example.ru A IN 3.3.3.3
example.ru AAAA IN 3:3::3
(the above is missing the example where targets follow "port prefix naming" viz. _443._https.example.com)
Though it remains trivial to uncloak domains hiding behind SVCB/HTTPS records, implementations have to be careful about what they let through. Flattened CNAMEs and ALIAS records; however, to my knowledge, remain undetectable.
But: All indications are that it is foolish to rely on DNS to discern between first-party and third-party. I mean, I can already run www.example.com on Netlify, app.example.com on Vercel, api.example.com on AWS, and cdn.example.com on Cloudflare... and those endpoints could very well be running anything the cloud providers want (third party).
IP based firewall doesn't suffer these shortcomings, but then, enforcing IP blocks are complicated by Virtual Hosting (multiple web services behind a single IP) and IPv6 (too many addresses to curate and block).
I just use an HTTP client that does not automatically load resources nor run Javascript. Using such a client, the user, by voluntarily typing the name of a website or following a URL, decides what to retrieve (a page, e.g., index.html), not the web developer. If the website developer is allowed to decide what the user involuntarily retrieves, then it stands to reason a website seeking revenue through online advertising will make sure the user involutarily retrieves ads, or cookies from a tracker. For example, by letting the ad server or tracker use a subdomain of the website as a "cloak".
The fact that the technique relies on a CNAME or some other DNS indirection seems to suggest that the ad server or tracker will have a different IP from the website. That may be another weak point in any effort to conceal the fact that some resources referenced in the page or Javascript files are only necessary for advertising purposes. If both content and ad cruft were being served from a single IP, then that might pose more of a challenge in deciphering what to retreieve. I have yet to see that and doubt I ever will.
I am a believer that ultimately whitelisting is more effective than blacklisting. Request what you want, leave the rest. As opposed to letting a browser request everything according to a web developer's wishes, and then you try to block stuff. With extensions, third party assistance, etc.
I don't see a way out of this without the ability to selectively block or fake browser APIs and detect tracking with heuristics, just like old antivirus and spyware blocking software.
> DNS-based content-blocking will become drastically ineffective as it gets more popular
So does URL based content-blocking. I recently want to block Youtube/Twitter ads on my own, to my dismay, the ads were buried in some deep JSON response. And ads resource URLs are not easily distinguishable from real content.
> is foolish to rely on DNS to discern between first-party and third-party
Correct, because first-party / third-party is not a technical difference, but a social/commercial one. The app.example.com may run in a different cloud and be part of the same first-party service.
IPV6 also greatly complicates IP-based blocking. There are so many IPV6 addresses that it'd be relatively cheap for an ad tracker to develop a system that uses a new one every day.
> Another variant of this is, some DNS nameservers (like Cloudflare) flatten CNAME records (aka transparently ALIAS endpoints)
AFAIK, cloudflare only flattens CNAMEs at the root level, and that’s because CNAMEs at the root are not a standard. They have to convert it to an A record to be standards compliant.
Websites that use CNAME to forward their main domain to some tracking company, basically give their entire domain away, I don't see how that is a good secure way to track your users..
DNSCrypt-proxy (and even pihole these days I believe) are actually capable of blocking forwarded CNAME requests. Setting up such system for network wide adblocking is not complicated at all, see: https://github.com/notracking/hosts-blocklists/wiki/Install-...
NextDNS.io (sort of pihole as a service) unwraps those too. From the linked PDF:
“Other tracking countermeasures operate as a DNS resolver, and return a bogus IP address, e.g. 127.0.0.1 when the domain name matches an entry from the blocklist. As this defense works at the DNS level, these can also consider all the intermediary resolutions to CNAME records, and return a bogus IP address if any of them resolve to a domain on the blocklist. Examples of DNS-based anti-tracking measures that adopted defenses against CNAME cloaking include NextDNS [42], AdGuard [4], and Pi-hole [50].”
It’s worth reading NextDNS’s discussion on how this is implemented, and the differences between their approach, AdGuard’s, and pihole’s:
If you have NextDNS configured with the AdGuard base filter set, www.cultofmac.com is blocked for being CNAMED to www-cultofmac-com.ezoic.net which in turn is blocked by the AdGuard base filter. In this case, ezoic is an ad-optimizing content management system (CMS).
Here’s a wiki for setup for most routers, see Supported Platforms at the bottom:
For iOS families, NextDNS now supports Apple Configuration Profiles to enforce Encrypted DNS at the policy level, no software to install or manual settings: https://apple.nextdns.io/
I guess you could build a tool that blocks cnames that point to other domains. But then they could switch to A records, which I guess could be blocked with lists of the IPs of tracking parties. Or just by blocking all hosts besides the one being requested (which I personally prefer in all web design). Then again they could always just put a redirect/rewrite in their web server to a any third party they want, but atleast they would have to pay for the bandwidth.
Ya, blocking requests is a bandaid for preventing tracking.
The only way to stop this permanently is to address the root cause. As far as I can tell that would be through permissioned browser api access. The UX might become a bit unwieldy though Google’s idea of limiting the number of bits of identifying info revealed might be a way around that.
But then there is the issue of sites blocking access when more bits of identity are not given. This would lead to another cat and mouse game of tricking sites into thinking they are getting globally useful identity bits and the sites trying to counter this. This might be an easier game to play for the users where they randomly generate and isolate this data per domain or container but I’m not sure.
It's interesting that even analytics solutions which list respecting user privacy as their main USP (i.e. simpleanalytics.com, plausible.io) support this kind of concealement scheme. I find it at least questionable since a user that employs a specific extension to block tracking requests has clearly expressed an intent to not be tracked, so circumventing this block with some clever DNS scheme is very privacy-unfriendly and invasive.
The security aspect is valid too, though I'm not sure if it's much worse than allowing a third party to put arbitrary Javascript on your website in the first place (as almost none of the trackers support integrity tags or self-hosting of analytics scripts). Of course those scripts don't get access to HTTPOnly cookies, which the server API will get when using such a CNAME script.
A solution would be to have your website on a subdomain itself (e.g. www), which was best practice for a while but got abandoned for the sake of brevity with most sites.
> It's interesting that even analytics solutions which list respecting user privacy as their main USP (i.e. simpleanalytics.com, plausible.io) support this kind of concealement scheme. I find it at least questionable since a user that employs a specific extension to block tracking requests has clearly expressed an intent to not be tracked
That's because you're confusing tracking, which is e.g. Google tracking your behaviour across different websites to decide what you like and what adds you might click, and website analytics, which is making statistics on what type of people ( location, language, browser, mobile/PC, from where) visit your website. Privacy concious analytics doesn't track it, it only aggregates who you are so that the website owner can make decisions ( the mobile version is useless because all users come from PCs, optimising for Safari isn't needed since no users use Apple devices, etc.). It's unfortunate for your average site owner that you lose that data from people not wanting to be tracked, because that's really not the same thing, they're just a drive-by casualty.
So, let’s have a DNS server which, if it sees a given IP in the DNS reply, blocks the resolution of this IP. Actually, MaraDNS’s recursive resolver already has that feature, because, back in 2009, it solved a security problem: There are security issues with those “this host name was not found, look at our ads” websites many DNS resolvers point to instead of giving a NXDOMAIN the way they should.
Indeed, I just looked at the source code, and since MaraDNS uses a hash to look up rogue IPs, this list can be arbitrary long with only memory usage going up. Because these kinds of rogue IPs are (were) rare, there is a hard-coded limit of 1,000 IPs in the source code, but that’s a one-line patch to increase to 10,000 or even 100,000 max bad IPs.
The syntax in one’s dwood3rc file to have this feature is this:
Does anybody know whether there's an open initiative that tries to create a directory of reverse-DNS based IP/subdomain maps to identify adtrackers that are just hidden behind subdomains?
The only one I know is crimeflare [1] but it's specific to cloudflare proxied malicious websites. It would be awesome to have a similar directory for second-party domains that point to known ad service IP ranges.
From reading it seems like it would be easy to accidentally make yourself vulnerable to dangling DNS record attacks. The advertising companies more directly based on their upstream and nature of DNS propagation latency. And the web overall given the number of third party js included in pages.
Also, fighting back against ... what exactly? Ads? The Big FAANG?
This is not the way. It's either beat them at their game (not likely), or building/supporting/using alternatives (eg. Signal, Mastodon, maybe substack? nebula? Librem/microG/LineageOS?), but ultimately it's politics. If "HN thinks" they are too powerful, then "HN has to" influence and persuade people in order to get laws, policies, regulations enacted that control/diminish this power. (Of course if such a grassroots movement gets powerful enough to influence legislation/policy probably at that point the market would respond too, eg. maybe Google would offer a no-track version of their services for cash, or serious competitors would emerge.)
The cynical take is of course a simple good luck, after all "HN" doesn't even have to fortitude to ditch Chrome.
(I hate ads with a passion, and use uBlock, but I don't care about tracking. Sites can and will implement it in their own backend anyway. GDPR/CCPA is the correct level to address the real problem which is handling of personal data [not IP address]. Now it's up to the market and consumer/user behavior to adjust. All these obnoxious consent forms are ripe for "disruption", yet it seems the economic/market value of not being tracked is so low, that it's hard to build a business on it. Though NextDNS is trying, but it's such a small niche, and basically solves nothing ... still, I wish them luck.
If the policy changes regarding "news" in UK/Germany/Australia were not due to bullheaded Murdoch/NewsCorp and regular old media/publishers lobbying, then that issue could be a starting point on which to build something better. But ultimately if every simple view has to be compensated, it has to be tracked.)
OT: Is there a better and/or easier way to read scientific papers? Especially on mobile devices I find PDFs with two-column layouts really hard to read. I wish scientific publications would just be simple html.
ignoramous|5 years ago
Besides CNAMEs breaking all sorts of assumptions a client software makes (and hence also causing security headaches in the process as outlined in the paper), there are a couple other DNS cloaking techniques that the paper doesn't discuss:
1. ALIAS records (not standardized? popularized by Route53) hide CNAME-like pointers. Another variant of this is, some DNS nameservers (like Cloudflare) flatten CNAME records (aka transparently ALIAS endpoints): CNAMEs aren't sent with the answer, that is, you're straight up served the A/AAAA record with IPs (which could easily be third-party). DNSSEC doesn't help here, afaik.
2. The shiny new SVCB/HTTPS records open up another avenue for DNS cloaking. For example, consider this (unverified if correct) record with a chain of pointers:
(the above is missing the example where targets follow "port prefix naming" viz. _443._https.example.com)Though it remains trivial to uncloak domains hiding behind SVCB/HTTPS records, implementations have to be careful about what they let through. Flattened CNAMEs and ALIAS records; however, to my knowledge, remain undetectable.
But: All indications are that it is foolish to rely on DNS to discern between first-party and third-party. I mean, I can already run www.example.com on Netlify, app.example.com on Vercel, api.example.com on AWS, and cdn.example.com on Cloudflare... and those endpoints could very well be running anything the cloud providers want (third party).
IP based firewall doesn't suffer these shortcomings, but then, enforcing IP blocks are complicated by Virtual Hosting (multiple web services behind a single IP) and IPv6 (too many addresses to curate and block).
1vuio0pswjnm7|5 years ago
The fact that the technique relies on a CNAME or some other DNS indirection seems to suggest that the ad server or tracker will have a different IP from the website. That may be another weak point in any effort to conceal the fact that some resources referenced in the page or Javascript files are only necessary for advertising purposes. If both content and ad cruft were being served from a single IP, then that might pose more of a challenge in deciphering what to retreieve. I have yet to see that and doubt I ever will.
I am a believer that ultimately whitelisting is more effective than blacklisting. Request what you want, leave the rest. As opposed to letting a browser request everything according to a web developer's wishes, and then you try to block stuff. With extensions, third party assistance, etc.
nerdponx|5 years ago
est|5 years ago
So does URL based content-blocking. I recently want to block Youtube/Twitter ads on my own, to my dismay, the ads were buried in some deep JSON response. And ads resource URLs are not easily distinguishable from real content.
viraptor|5 years ago
Correct, because first-party / third-party is not a technical difference, but a social/commercial one. The app.example.com may run in a different cloud and be part of the same first-party service.
andrenotgiant|5 years ago
lukevp|5 years ago
AFAIK, cloudflare only flattens CNAMEs at the root level, and that’s because CNAMEs at the root are not a standard. They have to convert it to an A record to be standards compliant.
JMTQp8lwXL|5 years ago
rndomsrmn|5 years ago
DNSCrypt-proxy (and even pihole these days I believe) are actually capable of blocking forwarded CNAME requests. Setting up such system for network wide adblocking is not complicated at all, see: https://github.com/notracking/hosts-blocklists/wiki/Install-...
Terretta|5 years ago
“Other tracking countermeasures operate as a DNS resolver, and return a bogus IP address, e.g. 127.0.0.1 when the domain name matches an entry from the blocklist. As this defense works at the DNS level, these can also consider all the intermediary resolutions to CNAME records, and return a bogus IP address if any of them resolve to a domain on the blocklist. Examples of DNS-based anti-tracking measures that adopted defenses against CNAME cloaking include NextDNS [42], AdGuard [4], and Pi-hole [50].”
It’s worth reading NextDNS’s discussion on how this is implemented, and the differences between their approach, AdGuard’s, and pihole’s:
https://medium.com/nextdns/nextdns-added-cname-uncloaking-su...
If you have NextDNS configured with the AdGuard base filter set, www.cultofmac.com is blocked for being CNAMED to www-cultofmac-com.ezoic.net which in turn is blocked by the AdGuard base filter. In this case, ezoic is an ad-optimizing content management system (CMS).
Here’s a wiki for setup for most routers, see Supported Platforms at the bottom:
Wiki: https://github.com/nextdns/nextdns/wiki
Splash page: https://nextdns.io/
Setup: https://my.nextdns.io/start
For iOS families, NextDNS now supports Apple Configuration Profiles to enforce Encrypted DNS at the policy level, no software to install or manual settings: https://apple.nextdns.io/
AZ-X|5 years ago
[deleted]
Hnrobert42|5 years ago
https://news.ycombinator.com/item?id=26269573
https://news.ycombinator.com/item?id=21604825
https://news.ycombinator.com/item?id=26239304
dec0dedab0de|5 years ago
mikeiz404|5 years ago
The only way to stop this permanently is to address the root cause. As far as I can tell that would be through permissioned browser api access. The UX might become a bit unwieldy though Google’s idea of limiting the number of bits of identifying info revealed might be a way around that.
But then there is the issue of sites blocking access when more bits of identity are not given. This would lead to another cat and mouse game of tricking sites into thinking they are getting globally useful identity bits and the sites trying to counter this. This might be an easier game to play for the users where they randomly generate and isolate this data per domain or container but I’m not sure.
ThePhysicist|5 years ago
The security aspect is valid too, though I'm not sure if it's much worse than allowing a third party to put arbitrary Javascript on your website in the first place (as almost none of the trackers support integrity tags or self-hosting of analytics scripts). Of course those scripts don't get access to HTTPOnly cookies, which the server API will get when using such a CNAME script.
A solution would be to have your website on a subdomain itself (e.g. www), which was best practice for a while but got abandoned for the sake of brevity with most sites.
sofixa|5 years ago
That's because you're confusing tracking, which is e.g. Google tracking your behaviour across different websites to decide what you like and what adds you might click, and website analytics, which is making statistics on what type of people ( location, language, browser, mobile/PC, from where) visit your website. Privacy concious analytics doesn't track it, it only aggregates who you are so that the website owner can make decisions ( the mobile version is useless because all users come from PCs, optimising for Safari isn't needed since no users use Apple devices, etc.). It's unfortunate for your average site owner that you lose that data from people not wanting to be tracked, because that's really not the same thing, they're just a drive-by casualty.
strenholme|5 years ago
Indeed, I just looked at the source code, and since MaraDNS uses a hash to look up rogue IPs, this list can be arbitrary long with only memory usage going up. Because these kinds of rogue IPs are (were) rare, there is a hard-coded limit of 1,000 IPs in the source code, but that’s a one-line patch to increase to 10,000 or even 100,000 max bad IPs.
The syntax in one’s dwood3rc file to have this feature is this:
(Replace 10. IPs with the real IPs of rogue tracking sites)cortesoft|5 years ago
cookiengineer|5 years ago
The only one I know is crimeflare [1] but it's specific to cloudflare proxied malicious websites. It would be awesome to have a similar directory for second-party domains that point to known ad service IP ranges.
[1] http://www.crimeflare.org on port 82
tilolebo|5 years ago
chrismarlow9|5 years ago
nuker|5 years ago
pas|5 years ago
Also, fighting back against ... what exactly? Ads? The Big FAANG?
This is not the way. It's either beat them at their game (not likely), or building/supporting/using alternatives (eg. Signal, Mastodon, maybe substack? nebula? Librem/microG/LineageOS?), but ultimately it's politics. If "HN thinks" they are too powerful, then "HN has to" influence and persuade people in order to get laws, policies, regulations enacted that control/diminish this power. (Of course if such a grassroots movement gets powerful enough to influence legislation/policy probably at that point the market would respond too, eg. maybe Google would offer a no-track version of their services for cash, or serious competitors would emerge.)
The cynical take is of course a simple good luck, after all "HN" doesn't even have to fortitude to ditch Chrome.
(I hate ads with a passion, and use uBlock, but I don't care about tracking. Sites can and will implement it in their own backend anyway. GDPR/CCPA is the correct level to address the real problem which is handling of personal data [not IP address]. Now it's up to the market and consumer/user behavior to adjust. All these obnoxious consent forms are ripe for "disruption", yet it seems the economic/market value of not being tracked is so low, that it's hard to build a business on it. Though NextDNS is trying, but it's such a small niche, and basically solves nothing ... still, I wish them luck.
If the policy changes regarding "news" in UK/Germany/Australia were not due to bullheaded Murdoch/NewsCorp and regular old media/publishers lobbying, then that issue could be a starting point on which to build something better. But ultimately if every simple view has to be compensated, it has to be tracked.)
nerdbeere|5 years ago
namibj|5 years ago
jedisct1|5 years ago