When DNS Attacks: CNAME Tracking

A new form of web-based tracking has been making its way around various internet circles. Unlike cookies, it preys on the average website owner’s ignorance of DNS. Also unlike cookies, it has negative ramifications both for site visitors and site owners.

The emails in question (sent by companies such as Criteo, WebTrek, Pardot, and many others) encourage website administrators to make a small change to “adapt their website to the evolution of browsers”. In reality, these companies are trying to get around the third-party cookie restrictions present in most modern browsers. And the results are not good.

This article will attempt to be a very quick-and-dirty breakdown of what DNS is and does, and why this new kind of tracking is so bad for users and site owners.

DNS

DNS is the “domain name system” – a decentralized system responsible for mapping names to the addresses of computers on a network.

A DNS “A” record translates a domain name (ColinDorman.com) into an IP address (173.230.129.148), which leads to the specific server where a website lives.

Other DNS records handle other functions related to a web server: “MX” records handle email servers, “TXT” records can hold encryption keys or other domain validation information, and “CNAME” records allow one domain to point to another.

CNAME Records

The emails that claim to “adapt” websites involve modifying CNAME records in unsafe ways.

CNAME stands for “Canonical Name” – it allows one domain name to point to another domain (or subdomain). This domain can then point to an IP address for a web server.

If I create a CNAME entry that points “page1.example.com” to “page2.example.com”, then a person trying to visit “page1.example.com” will always be redirected to “page2.example.com”. According to DNS, “page2.example.com” is the canonical name for “page1.example.com”. To see this in action, you can enter “Relentless.com” in your browser and note where you end up.

The emails in question ask a site administrator to create a CNAME record in their site’s DNS configuration pointing a gibberish subdomain of their website to an unrelated domain that handles web tracking. So, creating a CNAME record for “fghrtw.example.com” that points to “super-nosy-analytics.com”.

This does a few things – none of them good (from the site visitor or site administrator’s perspective).

  • As far as your browser is concerned, “super-nosy-analytics” is a subdomain of “example.com” (because of the CNAME record). This means that cookies set on “example.com” (or any of its subdomains) are readable by “super-nosy-analytics”.
  • Because the cookies are being sent outside of the domain they were intended for, there are a lot of privacy implications. Cookies often contain private information (such as name, email, location, session authentication, etc.) that shouldn’t be shared freely.
  • With the cookies from “example.com”, the “super-nosy-analytics.com” site could easily impersonate a user from “example.com”. Remember that cookies were designed to stay within a domain, and as far as the browser is concerned, the CNAME entry made “super-nosy-analytics.com” part of “example.com”. If “example.com” has private or personal information (finances, email, credit cards), that information is now at much greater risk.
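As an added example (not code from the original post), here is a small audit a site administrator could run against their own zone: it follows each CNAME chain and flags subdomains whose canonical name lands under a different registrable domain, then lists which of the site's cookies a browser would send along to such an alias. The zone records, cookie jar and domain names are constructed sample data, and the registrable-domain helper is a simplification that ignores multi-label public suffixes.

```python
# Added example, not from the original post: find CNAME aliases that leave the
# site's own domain and show which cookies a browser would send to them.
from typing import Dict, List, Tuple

# Constructed zone: name -> (record type, target). A real audit would read a
# zone file export or resolve each published subdomain instead.
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com.": ("A", "203.0.113.10"),
    "page1.example.com.": ("CNAME", "page2.example.com."),
    "page2.example.com.": ("A", "203.0.113.11"),
    "fghrtw.example.com.": ("CNAME", "abc123.super-nosy-analytics.com."),
    "abc123.super-nosy-analytics.com.": ("A", "198.51.100.7"),
}

def registrable_domain(name: str) -> str:
    """Last two labels, e.g. 'a.b.example.com.' -> 'example.com' (ignores co.uk-style suffixes)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def follow_cname(zone: Dict[str, Tuple[str, str]], name: str, max_hops: int = 8) -> List[str]:
    """Chain of names from `name` to its canonical name, bounded to avoid loops."""
    chain = [name]
    while zone.get(name, ("", ""))[0] == "CNAME" and len(chain) <= max_hops:
        name = zone[name][1]
        chain.append(name)
    return chain

def cloaked_subdomains(zone: Dict[str, Tuple[str, str]], site: str) -> Dict[str, str]:
    """Subdomains of `site` whose canonical name sits under another registrable domain."""
    site_reg = registrable_domain(site)
    found = {}
    for name, (rtype, _) in zone.items():
        if rtype != "CNAME" or registrable_domain(name) != site_reg:
            continue
        canonical = follow_cname(zone, name)[-1]
        if registrable_domain(canonical) != site_reg:
            found[name] = canonical
    return found

def cookies_sent_to(cookies: List[Tuple[str, str]], host: str) -> List[str]:
    """Cookies whose Domain attribute covers `host`: the browser scopes cookies by
    the name it requested, not by where the CNAME chain ends."""
    h = host.rstrip(".")
    return [n for n, dom in cookies if h == dom or h.endswith("." + dom)]

# Constructed cookie jar: (cookie name, Domain attribute) as a browser stores it.
COOKIES = [("session", "example.com"), ("prefs", "www.example.com")]

if __name__ == "__main__":
    for alias, target in cloaked_subdomains(ZONE, "example.com").items():
        print(f"{alias} -> {target}; cookies sent: {cookies_sent_to(COOKIES, alias)}")
```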

This is not just an isolated thing happening in dark corners of the internet, either.

According to a report put together by several fantastic researchers, this kind of tracking is present on almost 10% of the top 10,000 websites (as ranked by Tranco).

(Little) Good News

There are some limited countermeasures against this kind of tracking, though.

Currently the ad-blocking plugin uBlock Origin for Firefox blocks many of these trackers.

While uBlock Origin does have a Chrome version, it’s not nearly as good at CNAME blocking as the Firefox version. uBlock for Firefox blocked 8 of 13 CNAME trackers; the Chrome version blocked 4 of 8.

Safari sets the cookie expiration date for CNAME-based tracking cookies to 7 days (the same as other script cookies), but doesn’t seem to offer more protection than that.

As a web user, the best thing you can do is use a modern browser with the privacy features enabled. Also, stay smart about the sites you visit. If you’re a web administrator, the best advice is don’t do anything that comes through an unsolicited email!