DNS: Tracking mitigation upended

DNS ad-based tracking gets a boost

On 11/22/2019, the co-founder of NextDNS posted an article (https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a) addressing 3rd-party tracking capabilities with DNS. If you haven’t read it yet, it’s worth a read to see how far-ranging the technical challenges are. At Grey Market Labs we’re acutely aware of tracking techniques that range from simple to complex to downright scary, so this technique wasn’t a surprise. Instead it just was another step towards a future where tracking mitigation is impractical for all but the most sophisticated users.

Some DNS history and how we got here…

DNS began in the 80s when everyone on the internet more or less trusted everyone else, at least when it came to allowing computers to talk to each other. That trust was fine when the set of computers was small and trust was a reasonable expectation. There was even a single group responsible for allowing new computers and domains to connect and they manually maintained a master list. By the late 80s there were many more computers connecting to this new internet and the management overhead was untenable. Simplifying a bit, an automated system was built that allowed computers to be dynamically added to networks using the existing DNS strategy.

For a while this also worked quite well and solved the scale problem. Unfortunately, it didn’t solve the trust problem — after all, who is allowed to update this list? If anyone can update the list of computer “addresses” then anyone can change their addresses. Imagine if the phone book caused reality instead of representing reality… If the phone company misprinted your phone number in the phone book, just like that, it’s your new number. If they misprinted your street address you had to move, sorry. If they left off your phone number, you no longer have one. That’s the strength of DNS when it comes to finding computers. One can only imagine a business bribing the phone book printer to leave off a particular company or to misprint their address. I’m sure that never happened though. DNS has that ability, and there were lots of compromises that follow that analogy.

On the subject of the phone company…

Ever wonder why with caller ID on your phone, a caller is able to misrepresent who they were? Fake FBI scams have caller ID reporting “Federal Bureau of Investigations”, social security number scammers show up as “Social Security Administration”, etc. It turns out that phone companies, when they built the networks MANY years ago, they also relied on trust that was reasonable to expect then, but is not reasonable to expect now. They have made progress here but it’s yet another example of existing systems that fail (or refuse?) to evolve and are ultimately exploited.

So what exactly was Grey Market Labs expecting here?

That “single step towards a future that we believe will prevent many tracking mitigations” was the use of CNAMEs to disguise the ultimate target of a DNS request. Most DNS ad blockers (and some that are designed purposefully to prevent tracking independent of advertisements) use a blacklisting or whitelisting technique. This means that bad sites (advertisers) are blocked and good sites (the people using the advertisers but aren’t running their own ads, such as such as a news site) are allowed. Once a CNAME is set correctly, the ads appear to come directly from the news site so blocking it will prevent access to the news site itself. And it turns out big sites are actually using this already (snippet from Medium article):

foxnews.com, walmart.com, bbc.co.uk, go.com, webmd.com, washingtonpost.com, weather.com, coach.com, gap.com,  cnn.com,  arstechnica.com, saksfifthavenue.com, t-mobile.com, statefarm.com

Ultimately, if traditional DNS blockers come up with a way around the problem that NextDNS mentioned, that’s great! It really is a solution that’s mostly dealt with at the DNS layer. But tracking and advertising companies have more steps lined up to enable these news sites (any site really) to win the tracking game. One such step is by using a proxy. By adding a proxy the traffic can be made to appear to originate from our example news site directly, which will prevent DNS-related blocking (and CNAME cloaking mitigation) from working. Try not to forget that the primary reason companies continue to push the boundaries of ad-tech is to make money.

Fortunately, our Opaque line of products is already capable of dealing with this, and many other innumerable challenges, in a future-resilient way. The best part is, administrators/gurus/users don’t have to bother with changing DNS providers, updating configurations, or applying security patches–that’s all our job.

So, which advertiser/tracking database is your activity stored in? When is the last time you saw a meaningful (or any) report about your DNS usage?