Cname Cloaking: How It Works and Why You Should Care

Cname cloaking is a technique that can be used for both good and bad purposes. It involves setting up a CNAME record to point to a different domain or IP address than what's listed in the DNS records.

This can be useful for masking the true identity of a website or server, but it can also be used to hide malicious activities. In fact, CNAME cloaking is often used by spammers and phishers to disguise their websites and make them harder to track.

A CNAME record is essentially a pointer that tells your DNS server where to find the actual IP address of a website or server. By setting up a CNAME record to point to a different domain or IP address, you can effectively hide the true identity of a website or server.

Suggestion: Cloaking

CNAME cloaking is a technique used to redirect website traffic to a different server or location, typically to mask the true origin of the website.

It works by creating a CNAME record that points to a different server, allowing users to access the website from a different location.

CNAME cloaking can be used to improve website performance, availability, and security by distributing traffic across multiple servers.

This technique is often used in content delivery networks (CDNs) to cache and serve website content from edge servers closer to users.

By using CNAME cloaking, website owners can also protect their brand reputation by hiding their true IP address from users.

CNAME cloaking can be configured using DNS records, which allow website owners to specify the IP address of the server they want to redirect traffic to.

This technique is commonly used in load balancing and failover scenarios to ensure high availability and reliability of websites.

Setting cookies as accessible to all subdomains is a bad practice that can expose users to significant security risks. Many websites do this, making it easy for third-party trackers to obtain sensitive information.

One of those cookies could be an authentication cookie, which allows anyone in possession of it to impersonate the user and access private user information. This is a serious issue, as seen in the case of liberation.fr.

Oversharing cookies can lead to a loss of user privacy and security. In the post-cookie era, digital advertising is facing significant changes, but the security implications of CNAME cloaking remain a pressing concern.

Blocking trackers is a crucial step in maintaining online privacy.

Most trackers are embedded in third-party scripts, which can be blocked by using a Content Security Policy (CSP).

A CSP can be implemented by including a meta tag in the HTML header of your website, specifying which scripts are allowed to run.

This can be done using the HTTP header or the HTML meta tag.

Some websites use the "rel=noopener" attribute to prevent trackers from accessing the website's origin.

This attribute can be added to the link tag in your website's HTML.

CNAME cloaking can be a sneaky technique that tricks browsers into thinking a website is the same as its original domain. This is because the browser sees the CNAME cloaking as a subdomain of the original website.

The browser's security mechanisms can be bypassed when it comes to cookies, making it possible for sensitive information to be exposed to third parties. This is because all cookies are treated the same by the browser, regardless of their function.

During a CNAME cloaking, the browser's developer tools can reveal the browser's behavior. In one example, a cookie named "sid" was blocked by the browser, likely because it was a session cookie that didn't match the domain attribute of the original website.

The browser only sends cookies to the correct website if they have a matching domain attribute. If the attribute doesn't match, the cookie is blocked.

CNAME cloaking is a powerful technique that can be used in various scenarios. For example, it can be used to mask a website's IP address, making it difficult for hackers to target it directly.

To illustrate this, let's consider a real-world example: a company named "E-commerce Inc." uses CNAME cloaking to protect its website from attacks. By doing so, they can prevent hackers from exploiting vulnerabilities in their website's underlying infrastructure.

CNAME cloaking can be used in conjunction with other security measures to create a robust defense system. By combining CNAME cloaking with regular security updates and firewalls, website owners can significantly reduce the risk of a security breach.

LiveRamp is different from other solutions because it has nothing in common with CNAME or fingerprinting, and never has.

The company's Authenticated Traffic Solution (ATS) gives control back to publishers and consumers by providing authenticated first-party connectivity. This is a game-changer because it allows publishers to control every step of the process, integrating ATS into their first-party log-in processes.

Critically, for tighter security and to maintain consumer privacy, identifiers are encoded differently for each platform the data is sent to, and most importantly, directly identifiable personal data never leaves the publisher.

ATS is rooted in a trusted, transparent value exchange where authenticated consumers have consented to share their identity with the publisher. This means publishers maintain control over the activation and use of their data, and rebuild trusted relationships with individuals.

LiveRamp has already publicly pledged to stand against fingerprinting, and will continue to reject solutions that do not uphold consumer trust, transparency, and control. This commitment to consumer privacy is a major differentiator from other solutions.

Firefox would automatically block first-party trackers using CNAME cloaking to hide the tracking entity if it were possible.

Brave is soon to ship a feature that blocks this type of tracking.

Safari has already implemented defenses against CNAME cloaking and bounce tracking.

Trackers are increasingly using CNAME cloaking to evade tracking restrictions.

Blocking CNAMEs can have unintended consequences, such as incorrect partyness affecting heuristics.

Blocking CNAMEs also leads to trackers asking for A records in the first-party's namespace.

This is an escalation by trackers that may not be wise to escalate against.

CNAMEs can be a useful tool for solving legitimate use cases, such as third-party login providers.

However, open issues around CNAMEs can make legitimate users hesitant to use them.

TCP is now enabled for all users by default, greatly reducing the efficacy of tracking across first parties.

Let's take a look at some examples of CNAME Cloaking in action. Here's an example of how it can be used on a German eCommerce site.

It's possible that the website loads tracking JavaScript only after the consent banner has been confirmed. If you're using uBlock Origin, it might block the consent banner if a third-party tracker is involved.

uBlock Origin can also block CNAME Cloaking if it's detected. This is a good thing, but it can make it harder to see the CNAME Cloaking in action. To get around this, you can temporarily disable uBlock Origin and visit the website.

Here are some key points to keep in mind:

By disabling uBlock Origin, you can get a clearer picture of how CNAME Cloaking works. This is especially useful if you want to see the CNAME chain in action.

Fox News, Walmart, and BBC are among the websites with a large audience that are disguising third-party trackers as first-party trackers using CNAME cloaking.

The list of domains currently CNAME'ing to dnsdelegation.io, which is associated with Criteo, is extensive and includes websites such as fortuneo.fr, liberation.fr, and lemonde.fr.

Websites like coach.com, gap.com, and anntaylor.com are also found to be using this method.

A quick look at the non-exhaustive list of domains currently CNAME'ing to dnsdelegation.io shows that this is being applied to quite a few websites already.

Other notable websites that are using CNAME cloaking include cnn.com, boursorama.com, and arstechnica.com.

Websites like saksfifthavenue.com, brandalley.fr, and greenweez.com are also found to be disguising third-party trackers as first-party trackers.

Websites like t-mobile.com and statefarm.com are also using this method.