According to researchers at Cornell University, there is a new large-scale anti-tracking evasion scheme that leverages CNAME records to include tracker resources in a same-site context, otherwise known as CNAME Cloaking, which effectively helps them to bypass anti-tracking measures that use fixed hostname-based block lists.
And this tracking scheme is gaining huge traction among high-traffic websites, with several privacy and security issues inherent to the CNAME-based tracking, which the researchers detected through a combination of automated and manual analyses.
Some online trackers are already using the technique against Safari browser, which recently added strict anti-tracking systems in place.
Why Online Trackers are Switching to Evasive CNAME Cloaking Technique
The rise of cookie-killing browser barriers put in place by the major browser vendors to enhance users privacy, makes it increasingly daunting on marketers to look for new techniques to evade the anti-tracking mechanisms employed by browser vendors.
The CNAME cloaking is perhaps the latest evasive technique, whereby websites use first-party subdomains as their aliases for third-party tracking domains through the CNAME records in the DNS configuration to circumvent online tracker-blockers.
As DNS records allow for mapping a domain or subdomain to another, that is an alias, it makes them ideal means to sneak tracking code as a first-party subdomain. Thus, CNAME cloaking allows tracking code to look like first-party when it is not, with resources resolving through a CNAME that differs from the first party domain.
How the Major Browsers look to Mitigate CNAME Cloaking
Mozilla had been a major advocate of the browser-side protection that block websites from following web users online, which online tracking has been proven to benefit advertisers who target specific users, even though it invades their privacy.
Although Mozilla Firefox for now doesn't block CNAME cloaking out of the box, but users can use add-on like uBlock Origin to block any first-party tracker. But, the company has began the roll out of Firefox 86 which boasts of such privacy features as Total Cookie Protection that prevents every cross-site tracking by "confin[ing] all the cookies from each website in a separate cookie jar."
Apple on it's part has released iOS 14.4 with additional safeguards for Safari browser that build upon its ITP feature to shield third-party CNAME cloaking, albeit it does not yet offer a means to unmask and block the tracker domain.