The CNAME of the Game: Large-scale Analysis of DNS-based Tracking Evasion

Authors: Yana Dimova (imec-DistriNet, KU Leuven), Gunes Acar (imec-COSIC, KU Leuven), Lukasz Olejnik (European Data Protection Supervisor, independent researcher), Wouter Joosen (imec-DistriNet), Tom Van Goethem (imec-DistriNet)

Volume: 2021
Issue: 3
Pages: 394–412
DOI: https://doi.org/10.2478/popets-2021-0053

Download PDF

Abstract: Online tracking is a whack-a-mole game between trackers who build and monetize behavioral user profiles through intrusive data collection, and antitracking mechanisms that are deployed as browser extensions, DNS resolvers, or built-in to the browser. As a response to pervasive and opaque online tracking, more and more users adopt anti-tracking measures to preserve their privacy. Consequently, as the information that trackers can gather on users is being curbed, some trackers are looking for ways to evade these protections. In this paper we report on a large-scale longitudinal evaluation of an anti-tracking evasion scheme that leverages CNAME records to include tracker resources in a same-site context, which effectively bypasses antitracking measures that rely on fixed hostname-based block lists. Using historical HTTP Archive data we find that this tracking scheme is rapidly gaining traction, especially among high-traffic websites. Furthermore, we report on several privacy and security issues inherent to the technical setup of CNAME-based tracking that we detected through a combination of automated and manual analyses. We find that some trackers are using the technique against the Safari browser, which is known to include strict anti-tracking configurations. Our findings show that websites using CNAME trackers must take extra precautions to avoid leaking sensitive information to third parties.

Keywords: tracking, CNAME, evasion

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.