uBlock Origin 1.25 released with protection against block bypass via DNS manipulation

A new release of the unwanted-content blocker uBlock Origin, version 1.25, is available. It blocks ads, malicious elements, tracking code, JavaScript miners and other elements that interfere with normal operation. uBlock Origin is a high-performance, memory-efficient add-on that not only removes annoying elements but also reduces resource consumption and speeds up page loading.

In the new version, Firefox users get blocking of a new technique for tracking and ad-unit substitution that relies on creating a separate subdomain in DNS within the domain of the current site. The subdomain points to the ad network's server (for example, a CNAME record f7ds.liberation.fr is created pointing to the tracking server liberation.eulerian.net), so the ad code is formally loaded from the same primary domain as the site. The subdomain name is chosen as a random identifier, which makes mask-based blocking difficult, because the subdomain tied to the ad network is hard to distinguish from subdomains used to load the page's other local resources.

To determine the host a name is linked to via CNAME, the new version of uBlock Origin adds a DNS name-resolution call, which allows block lists to be applied to the names that CNAME records redirect to as well.
From a performance point of view, determining the CNAME should not introduce additional overhead beyond the CPU time spent re-applying the rules to a different name, since the browser has already resolved the name when accessing the resource and the value should be cached. When installing the new version, you will need to grant permission to retrieve information from DNS.

The added protection based on CNAME checking can be bypassed by binding the name directly to an IP address without using a CNAME, but this approach complicates infrastructure maintenance (if the ad network's IP address changes, the data will have to be changed on the DNS servers of all publishers) and can itself be countered by creating a blacklist of tracker IP addresses. In the uBlock Origin build for Chrome, the CNAME check does not work, because the dns.resolve() API is available only to add-ons in Firefox and is not supported in Chrome.
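The CNAME check described above, sketched as an added example (this is not uBlock Origin's code). The function names, the one-entry block list and the stub resolver are assumptions made for illustration; the stub mimics the shape of Firefox's `browser.dns.resolve(hostname, ["canonical_name"])` so the logic runs outside the browser.

```javascript
// Added example, not uBlock Origin's code. Constructed block list that uses
// the tracker domain named in the article.
const BLOCKLIST = new Set(['eulerian.net']);

// True if the hostname or one of its parent domains is on the block list.
function isListed(hostname, blocklist = BLOCKLIST) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// Apply the list to the requested name first, then to the canonical name
// that DNS reported for it (undefined when resolution failed).
function classify(hostname, canonicalName, blocklist = BLOCKLIST) {
  if (isListed(hostname, blocklist)) {
    return { block: true, matched: hostname, viaCname: false };
  }
  if (canonicalName && canonicalName !== hostname &&
      isListed(canonicalName, blocklist)) {
    return { block: true, matched: canonicalName, viaCname: true };
  }
  return { block: false, matched: null, viaCname: false };
}

// `dns` is any object shaped like Firefox's browser.dns (needs the "dns"
// permission in a real add-on). A failed lookup falls back to the plain check.
async function checkRequest(url, dns, blocklist = BLOCKLIST) {
  const hostname = new URL(url).hostname;
  let canonicalName;
  try {
    const record = await dns.resolve(hostname, ['canonical_name']);
    canonicalName = record.canonicalName;
  } catch (e) { /* unresolved: only the requested name is checked */ }
  return classify(hostname, canonicalName, blocklist);
}

// Stub resolver with constructed records (192.0.2.10 is a documentation IP).
const stubDns = {
  cnames: { 'f7ds.liberation.fr': 'liberation.eulerian.net',
            'static.liberation.fr': 'static.liberation.fr' },
  async resolve(hostname, flags) {
    if (!(hostname in this.cnames)) throw new Error('NXDOMAIN');
    const wantCname = flags.includes('canonical_name');
    return { addresses: ['192.0.2.10'],
             canonicalName: wantCname ? this.cnames[hostname] : undefined };
  },
};
```

A first-party name that is bound directly to a tracker IP has no CNAME for `classify` to see, which is the limitation noted above.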

Source: opennet.ru