Volume 2021 (2021): Issue 3 (July 2021)

Journal Details
License: Open Access
Format: Journal
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English

The CNAME of the Game: Large-scale Analysis of DNS-based Tracking Evasion

Published Online: 27 Apr 2021
Page range: 394 - 412
Received: 30 Nov 2020
Accepted: 16 Mar 2021
Abstract

Online tracking is a whack-a-mole game between trackers, who build and monetize behavioral user profiles through intrusive data collection, and anti-tracking mechanisms, which are deployed as browser extensions, DNS resolvers, or built into the browser. As a response to pervasive and opaque online tracking, more and more users adopt anti-tracking measures to preserve their privacy. Consequently, as the information that trackers can gather on users is being curbed, some trackers are looking for ways to evade these protections. In this paper we report on a large-scale longitudinal evaluation of an anti-tracking evasion scheme that leverages CNAME records to include tracker resources in a same-site context, which effectively bypasses anti-tracking measures that rely on fixed hostname-based block lists. Using historical HTTP Archive data we find that this tracking scheme is rapidly gaining traction, especially among high-traffic websites. Furthermore, we report on several privacy and security issues inherent to the technical setup of CNAME-based tracking that we detected through a combination of automated and manual analyses. We find that some trackers are using the technique against the Safari browser, which is known to include strict anti-tracking configurations. Our findings show that websites using CNAME trackers must take extra precautions to avoid leaking sensitive information to third parties.
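The evasion the abstract describes, as an added illustration that is not part of the paper: a first-party-looking subdomain is aliased via CNAME to a tracker, so a block list that only inspects the requested hostname misses it, while a check that follows the CNAME chain (as CNAME-uncloaking resolvers and extensions do) catches it. The zone data, hostnames and block list below are constructed, not taken from the paper's measurements.

```python
# Added example (not from the paper). All DNS data and names are constructed.
from typing import Dict, List

# Constructed CNAME answers standing in for live DNS, so the check runs offline.
# The site operator pointed "metrics.news-site.example" at the tracker's hosts.
CNAME_RECORDS: Dict[str, str] = {
    "metrics.news-site.example": "news-site.collect.tracker-cdn.example",
    "news-site.collect.tracker-cdn.example": "edge.tracker.example",
}

# Fixed hostname-based block list (the kind the abstract says is bypassed).
BLOCKLIST = {"tracker.example", "tracker-cdn.example"}


def matches_blocklist(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve_cname_chain(host: str, records: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from host; stop on a loop or after max_hops so a malformed zone cannot hang us."""
    chain, seen = [host], {host}
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]]
        if nxt in seen:
            break  # CNAME loop
        chain.append(nxt)
        seen.add(nxt)
    return chain


def naive_blocked(host: str) -> bool:
    """Classic check: looks only at the requested hostname."""
    return matches_blocklist(host)


def cname_aware_blocked(host: str, records: Dict[str, str]) -> bool:
    """Uncloaking check: block if any name along the CNAME chain is listed."""
    return any(matches_blocklist(h) for h in resolve_cname_chain(host, records))


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals cookie_domain or is a subdomain of it."""
    cd, h = cookie_domain.lstrip(".").lower(), host.lower()
    return h == cd or h.endswith("." + cd)


def site_cookies_reach_tracker(host: str, cookie_domain: str, records: Dict[str, str]) -> bool:
    """True when a site-wide cookie would ride along on a request whose CNAME chain ends at a listed tracker."""
    return domain_matches(host, cookie_domain) and matches_blocklist(resolve_cname_chain(host, records)[-1])
```

The last function models the leakage the abstract warns about: because the request target is same-site, cookies scoped to the whole site domain are attached and delivered to infrastructure the tracker operates.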

