The New Evasion Technique
Browsers got better at blocking third-party cookies and tracking scripts. So the ad-tech industry adapted with a clever trick: make third-party trackers look like first-party.
CNAME cloaking uses DNS records to disguise tracking domains as subdomains of the website you're visiting. Your browser sees "analytics.news-site.com" — but it actually points to "tracker-company.com".
BYPASS ALERT: CNAME cloaking defeats most browser privacy features. Safari ITP, Firefox ETP, and standard ad blockers often fail to detect these disguised trackers.
How CNAME Cloaking Works
Normal Third-Party Tracking
You visit: news-site.com
Page loads script from: tracker-company.com/script.js
                        ^^^^^^^^^^^^^^^^^^^
                        THIRD-PARTY DOMAIN
Browser says: "That's a third-party tracker!"
→ Blocks cookies
→ Applies privacy restrictions
→ May block entirely
With CNAME Cloaking
You visit: news-site.com
DNS Configuration (set by news-site.com):
┌─────────────────────────────────────────────────────┐
│ analytics.news-site.com CNAME tracker.tracker.net   │
│                               ^^^^^^^^^^^^^^^^^^^   │
│                               DNS alias pointing to │
│                               third-party server    │
└─────────────────────────────────────────────────────┘
Page loads script from: analytics.news-site.com/script.js
                        ^^^^^^^^^^^^^^^^^^^^^^^
                        LOOKS LIKE FIRST-PARTY!
Browser says: "That's the same domain, must be safe!"
→ Full cookie access
→ No privacy restrictions
→ Not blocked
ACTUAL SERVER: tracker-company.com (third-party!)
Result: Tracker gets first-party privileges through DNS magic
Why This Is Dangerous
First-Party Cookie Access
The disguised tracker can read and write first-party cookies, so your authentication tokens and session IDs are potentially accessible.
Bypasses ITP/ETP
Safari's Intelligent Tracking Prevention and Firefox's Enhanced Tracking Protection rely on domain-based blocking. CNAME breaks this model.
Ad Blockers Blind
Standard blocklist-based ad blockers can't detect CNAME cloaking without DNS-level inspection. The domain looks legitimate.
Cross-Site Data Leakage
If the same tracker is CNAME'd across multiple sites, they can correlate your activity using first-party cookie access.
Known CNAME Cloaking Providers
Research has identified numerous companies offering CNAME-based tracking:
| Provider | Type | Example CNAME |
|---|---|---|
| Adobe Analytics | Analytics | metrics.*.com → 2o7.net |
| Criteo | Retargeting | *.criteo.com variants |
| Eulerian | Attribution | *.eulerian.net |
| Keyade | Analytics | *.k.keyade.com |
| Pardot (Salesforce) | Marketing | go.*.com → pardot.com |
| TraceDock | Analytics | Various CNAMEs |
Research finding (2021): A study of the top 10,000 websites found that ~10% use CNAME cloaking for at least one tracking service. This number is growing.
How to Detect CNAME Cloaking
Method 1: DNS Lookup
$ dig analytics.example.com

;; ANSWER SECTION:
analytics.example.com.    300  IN  CNAME  tracker.thirdparty.net.
tracker.thirdparty.net.   300  IN  A      203.0.113.42

# If the CNAME points to a different domain → potential cloaking!
Method 2: Certificate Inspection
When visiting analytics.example.com:
Certificate Subject: *.thirdparty.net
                     ^^^^^^^^^^^^^^^^
                     Different from the subdomain!
If the SSL certificate doesn't match the subdomain,
it's likely CNAME cloaked.
Method 3: Browser DevTools
- Open DevTools → Network tab
- Look for first-party subdomain requests
- Check the "Remote Address" column
- If it resolves to a known tracker IP → cloaking detected
Technical Deep Dive
The DNS Resolution Chain
Browser requests: analytics.news-site.com

DNS Resolution:
1. Browser → Local DNS Resolver
   "What is analytics.news-site.com?"
2. Resolver → news-site.com Authoritative DNS
   Response: CNAME → tracking.adtech-corp.com
3. Resolver → adtech-corp.com Authoritative DNS
   Response: A → 198.51.100.50 (tracker server IP)
4. Resolver → Browser
   "analytics.news-site.com is 198.51.100.50"
5. Browser → 198.51.100.50
   HTTP Request with Origin: news-site.com
   Cookies: First-party cookies from news-site.com!

The browser never sees the CNAME chain. It just gets an IP address and trusts the domain.
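The dig check from Method 1 and the resolution chain above, as an added example that is not the article's own code: it walks a CNAME chain over constructed zone records (the article's example names), flags a canonical name that lies outside the site's registrable domain, and tests every name in the chain against a constructed tracker list, which is the uncloak-then-match step the blockers described later perform.

```python
# Added example, not code from the article: follow a CNAME chain over constructed
# zone data, flag a canonical name outside the site's own registrable domain, and
# test every name in the chain against a tracker list, which is what CNAME-uncloaking
# blockers (uBlock Origin, Pi-hole) do after they resolve the name.

# Constructed records using the article's example names: name -> (type, target).
# A real check gets these from dig or a resolver library instead.
ZONE = {
    "analytics.news-site.com.": ("CNAME", "tracking.adtech-corp.com."),
    "tracking.adtech-corp.com.": ("A", "198.51.100.50"),
    "cdn.news-site.com.": ("CNAME", "edge.news-site.com."),   # in-house alias
    "edge.news-site.com.": ("A", "192.0.2.11"),
    "www.news-site.com.": ("A", "192.0.2.10"),
}
# Constructed stand-in for a tracker blocklist (registrable domains only).
TRACKER_DOMAINS = {"adtech-corp.com"}

def registrable_domain(name: str) -> str:
    """Naive eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def resolve_chain(name: str, max_hops: int = 8) -> list:
    """Every name from `name` down to its address record, following CNAMEs."""
    chain = [name if name.endswith(".") else name + "."]
    for _ in range(max_hops):
        rrtype, target = ZONE.get(chain[-1], (None, None))
        if rrtype != "CNAME":
            return chain  # A record or unknown name: end of the chain
        if target in chain:
            raise ValueError("CNAME loop at " + target)
        chain.append(target)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)

def classify(site: str, host: str) -> dict:
    """cloaked: canonical name lies outside the site's registrable domain
    (an in-house CNAME such as cdn -> edge is not cloaking);
    blocked: some name in the chain is on the tracker list."""
    chain = resolve_chain(host)
    cloaked = registrable_domain(chain[-1]) != registrable_domain(site)
    blocked = any(registrable_domain(n) in TRACKER_DOMAINS for n in chain)
    return {"chain": chain, "cloaked": cloaked, "blocked": blocked}

if __name__ == "__main__":
    for h in ("analytics.news-site.com", "cdn.news-site.com", "www.news-site.com"):
        print(h, classify("news-site.com", h))
```

Comparing registrable domains rather than raw names keeps a site's own CDN aliases from being flagged, which is the usual false positive of a plain "CNAME points somewhere else" check.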
Security Implications
- Cookie scope issues: If news-site.com sets cookies without the __Host- prefix, the cloaked tracker can access them.
- CSP bypass: Content Security Policy allows "*.news-site.com" but can't distinguish cloaked third-parties.
- SameSite=Lax bypass: Cookies meant only for same-site requests get sent to the disguised tracker.
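The cookie-scope point above, as an added example that is not from the article: a minimal cookie jar applying the RFC 6265 domain-match and send rules plus the __Host- prefix checks, fed constructed Set-Cookie headers from news-site.com, to show which of them a request to the cloaked analytics.news-site.com would carry.

```python
# Added example, not from the article: a minimal cookie jar implementing the RFC 6265
# domain-match and send rules plus the __Host- prefix checks, used to show which cookies
# set by news-site.com reach the cloaked subdomain. Set-Cookie headers are constructed.
from typing import Optional

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def store_cookie(origin_host: str, header: str) -> Optional[dict]:
    """Parse a Set-Cookie header as a browser would; None means rejected."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    domain = attrs.get("domain", "").lstrip(".").lower() or None
    secure = "secure" in attrs
    # __Host-: must be Secure, Path=/ and have no Domain attribute, so it can
    # never be scoped to sibling subdomains such as analytics.news-site.com.
    if name.startswith("__Host-") and (not secure or attrs.get("path") != "/" or domain):
        return None
    if domain and not domain_matches(origin_host, domain):
        return None  # an origin may not set cookies for an unrelated domain
    return {"name": name, "value": value, "domain": domain or origin_host.lower(),
            "host_only": domain is None, "secure": secure}

def cookies_for(jar: list, request_host: str, https: bool = True) -> list:
    """Names of stored cookies sent to request_host (RFC 6265 section 5.4).
    SameSite is not consulted: the cloaked subdomain is same-site anyway."""
    sent = []
    for c in jar:
        if c["secure"] and not https:
            continue
        if c["host_only"]:
            if c["domain"] != request_host.lower():
                continue
        elif not domain_matches(request_host, c["domain"]):
            continue
        sent.append(c["name"])
    return sent

SITE = "news-site.com"
SET_COOKIE_HEADERS = [  # constructed responses from news-site.com
    "session=abc123; Secure; HttpOnly",                    # host-only
    "uid=u42; Domain=news-site.com; Secure",               # whole-domain scope
    "__Host-csrf=t0k3n; Secure; Path=/",                   # locked to the host
    "__Host-bad=x; Domain=news-site.com; Secure; Path=/",  # rejected by browser
]
JAR = [c for c in (store_cookie(SITE, h) for h in SET_COOKIE_HEADERS) if c]
TO_TRACKER = cookies_for(JAR, "analytics.news-site.com")  # ['uid']
```

Only the Domain-scoped uid cookie reaches the cloaked subdomain; the __Host- cookie cannot be widened by a Domain attribute at all, which is why the prefix is the guarantee worth relying on rather than hoping the site never adds Domain= to a session cookie.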
Defense Strategies
Firefox + uBlock Origin
Recent versions of uBlock Origin can detect CNAME cloaking by resolving DNS before applying blocklists. Enable "uncloak canonical names" in settings.
Safari 14+ / WebKit
Apple added CNAME cloaking detection to Safari. Third-party CNAME records are now resolved and blocked if on tracking lists.
Pi-hole / NextDNS
DNS-level blockers can detect CNAME chains and block known tracking endpoints regardless of the alias used. Network-wide protection.
Brave Browser
Brave's built-in shields include CNAME uncloaking for known trackers. Good protection but not as comprehensive as uBlock + Firefox.
Chrome Users: Limited Options
Chrome's extension API doesn't allow DNS resolution before requests. uBlock Origin on Chrome cannot detect CNAME cloaking. Consider switching browsers or using network-level DNS blocking.
The Bigger Picture
CNAME cloaking represents an arms race escalation. As browsers improve privacy protections, the tracking industry develops more sophisticated evasion techniques.
What's next? Server-side tracking (completely invisible to browsers), device fingerprinting, and identity graphs that don't need cookies at all. Privacy is a moving target.
Recommendations
1. Use Firefox with uBlock Origin (CNAME uncloaking enabled)
2. Consider a DNS-level blocker (Pi-hole, NextDNS, AdGuard Home)
3. Enable Firefox's Enhanced Tracking Protection (Strict mode)
4. Regularly check subdomains on sites you visit
5. Stay informed—new techniques emerge constantly