uBlock Origin adds protection against a new tracking method that manipulates DNS names

uBlock Origin users have noticed that ad networks and web analytics systems are using a new technique for tracking user movements and inserting ad units, one that is not blocked by uBlock Origin or by other content-filtering add-ons.

The essence of the method is that site owners who want to embed tracking or ad-serving code create a separate subdomain in DNS that points to the ad network's or analytics provider's server (for example, a CNAME record for f7ds.liberation.fr is created pointing to the tracking server liberation.eulerian.net). The ad code is thus formally loaded from the same primary domain as the site itself, and therefore is not subject to blocking. The subdomain name is chosen as a random identifier, which makes pattern-based blocking difficult, since a subdomain associated with the ad network cannot easily be distinguished from the subdomains used to load the page's other local resources.

The uBlock Origin developer proposed resolving the name in DNS to determine the host it is associated with via CNAME. The method is implemented starting with the experimental release uBlock Origin 1.24.1b3 for Firefox. To activate the check, set the cnameAliasList value to "*" in the advanced settings; all blacklist checks will then also be applied to the names reached via CNAME. When installing the update, you will need to grant the add-on permission to retrieve information from DNS.


For Chrome, the CNAME check cannot be added, because the dns.resolve() API is available only to add-ons in Firefox and is not supported in Chrome. From a performance standpoint, resolving the CNAME should not add overhead beyond the CPU time spent re-applying the rules to a second name, since the browser has already resolved the name when accessing the resource and the result should be cached. The protection can be bypassed by binding the name directly to an IP address without using a CNAME, but this approach complicates maintenance (if the ad network's IP address changes, the DNS records on all publishers' DNS servers must be updated) and can itself be countered by maintaining a blacklist of tracker IP addresses.
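To make the check concrete, here is an added illustration of the CNAME-aware blocking logic described above, together with the direct-to-IP bypass and the IP-blacklist counter-measure from the previous paragraph. It is not uBlock Origin's own code: it assumes an in-memory DNS table standing in for the browser's dns.resolve() API, constructed sample names (the f7ds.liberation.fr example from the text plus made-up .test names and 192.0.2.x documentation addresses), and a one-entry blocklist.

```javascript
// Added example, not uBlock Origin's code: simulates the CNAME-aware block
// check the article describes, with a constructed in-memory DNS table in
// place of the browser.dns.resolve() API.

// Constructed DNS table (assumption): name -> { cname } or { a }.
const FAKE_DNS = {
  "f7ds.liberation.fr": { cname: "liberation.eulerian.net" }, // from the article
  "liberation.eulerian.net": { a: "192.0.2.10" },
  "static.liberation.fr": { a: "192.0.2.20" },              // ordinary site asset
  "direct.example-publisher.test": { a: "192.0.2.10" },     // bypass: no CNAME, same IP
  "loop-a.example.test": { cname: "loop-b.example.test" },  // malformed loop
  "loop-b.example.test": { cname: "loop-a.example.test" },
};

// Stand-in for dns.resolve(): the CNAME target of a name, or null if the
// name has no CNAME (or is unknown to the table).
function resolveCname(name, table = FAKE_DNS) {
  const rec = table[name];
  return rec && rec.cname ? rec.cname : null;
}

// Blocklist match in the usual filter-list sense: the hostname itself or
// any parent domain of it must be listed (the bare TLD is never tested).
function matchesBlocklist(hostname, blocklist) {
  const labels = hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Follow the CNAME chain, bounded and loop-safe, and return every alias
// the original name resolves through, in order.
function cnameChain(hostname, resolve, maxHops = 8) {
  const chain = [];
  const seen = new Set([hostname]);
  let cur = hostname;
  for (let hop = 0; hop < maxHops; hop++) {
    const next = resolve(cur);
    if (!next || seen.has(next)) break;
    chain.push(next);
    seen.add(next);
    cur = next;
  }
  return chain;
}

// The check itself: test the requested name, then each CNAME alias, against
// the blocklist. Returns the name that matched, or null if none did.
function blockedVia(hostname, blocklist, resolve = resolveCname) {
  if (matchesBlocklist(hostname, blocklist)) return hostname;
  for (const alias of cnameChain(hostname, resolve)) {
    if (matchesBlocklist(alias, blocklist)) return alias;
  }
  return null;
}

// Resolve a name to its final address by walking the CNAME chain to the
// A record, as a resolver would; used for the IP-blacklist counter-measure.
function resolveAddress(hostname, table = FAKE_DNS) {
  let cur = hostname;
  for (const alias of cnameChain(hostname, (n) => resolveCname(n, table))) cur = alias;
  const rec = table[cur];
  return rec && rec.a ? rec.a : null;
}

// IP-based check: catches a direct A-record binding that carries no CNAME.
function blockedByIp(hostname, ipBlocklist, table = FAKE_DNS) {
  const ip = resolveAddress(hostname, table);
  return ip !== null && ipBlocklist.has(ip) ? ip : null;
}

// Constructed lists: the tracker domain named in the article, and its
// (made-up) address.
const BLOCKLIST = new Set(["eulerian.net"]);
const IP_BLOCKLIST = new Set(["192.0.2.10"]);

// Demonstration: the cloaked subdomain is caught only through its CNAME
// target; the direct-IP variant is caught only by the IP list.
console.log(blockedVia("f7ds.liberation.fr", BLOCKLIST));          // liberation.eulerian.net
console.log(blockedVia("direct.example-publisher.test", BLOCKLIST)); // null
console.log(blockedByIp("direct.example-publisher.test", IP_BLOCKLIST)); // 192.0.2.10
```

The CNAME walk is bounded and tracks names already seen, so a misconfigured CNAME loop cannot hang the check; the ordinary site asset (static.liberation.fr) passes both checks, which is the behaviour a filter user wants.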

Source: opennet.ru
