New Restrictions on CNAME Cloaking Practices in Safari and Brave
Last year, Romain Cointepas of NextDNS explained a new technique used by web tracking providers to work around increased privacy protections in browsers:
A suitable name for this method would be CNAME Cloaking, and it is used to disguise a third-party tracker as first-party tracker. In this case, they are also purposely obfuscating this behind a random subdomain, with a CNAME to a generic and unbranded domain.
Some tracking companies, like AT Internet (formerly XiTi), are even going to great lengths to completely distance themselves from the domain used as CNAME destination. Try figuring out which company at-o.net belongs to (hidden WHOIS information and AWS IPs). This is live right now on lemonde.fr, one of the top news websites in the world, and on many other websites.
Using obfuscated identifiers seems to be the latest hotness in tracking, advertising, and ad block blockers. When Admiral, a popular anti-ad blocking service, is implemented on a website, it randomly chooses one of over a thousand domains to load its script. It is also a side effect of some website generators, like plugins for Facebook’s React framework, that create apparently random strings for classes and IDs which may be different whenever a page or site is rebuilt.
CNAME cloaking is a similar practice of masking the origin of third-party cookies through domain records and obfuscated URLs.
Cory Underwood today:
Browsers are mobilizing to combat the use of DNS CNAME records to bypass anti-tracking tech they have built in to their browsers. November is looking to be a triple whammy of developments in this area.
From the business point of view, any service using CNAMEs for cookie setting will either see that traffic disappear entirely (Brave) or have sizable reductions in lookback windows (iOS/iPadOS/Safari Big Sur).
This includes (but is not limited to) 7 days of lookback window for campaign measurement, possible increase in new users, possible loss of retention identification, and possible resegmentation of A/B testing cell assignments in scenarios where CNAME was used to set cookies.
Underwood points out that Apple itself uses CNAME cloaking on its website for Adobe Analytics. Perhaps it is unfair, but it does not look great for Apple’s technology side to ship a browser that encourages its analytics provider to find workarounds for tracking prevention at the same time its marketing side is using those same workarounds. At least Apple does not appear to be any cross-site tracking mechanisms.
Update: I corrected the description of how React and other generators work in the paragraph below the first excerpt. Thanks Ben.