NextDNS first to support blocking of ALL third-party trackers disguised as first-party

NextDNS is proud to announce that all your blocklists are now applied to each intermediate CNAME in the resolution chain, in addition to the queried domain name.

As we explained in our in-depth article on the matter, DNS-based adblockers are well suited to detect and block this relatively new type of tracker: a third-party tracker served from a first-party subdomain that is a CNAME to the tracker's own domain. As a DNS recursive resolver, we already process those CNAMEs during resolution, which makes it easy to perform additional filtering on each of them.

The solution is pretty simple. Let’s take as an example:

We know * is present in most tracker blocklists but not nor * obviously. A traditional adblocker would only filter on the domain visible in the URL, but because we are the ones performing the recursive resolution for the domain, we can see all intermediate CNAMEs, and apply our filtering logic on both, and

The next step for tracking companies will probably be to delegate the tracking subdomain with NS records instead of pointing it at their domain with a CNAME. We are ready for that and will implement the same type of solution.
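To make the resolver-side check concrete, here is an added example (not NextDNS's code) of the filtering logic described above: it walks the CNAME chain a recursive resolver sees, matches every name in the chain against the blocklist (exact or subdomain match), and, going one step beyond the CNAME case, also checks the name server a subdomain is delegated to, which is the NS variant mentioned above. The zone data, domain names and blocklist entries are constructed for the example; the zone is an in-memory stand-in for what the resolver would fetch from authoritative servers, and `queried_name_only` models a traditional blocker that only ever sees the queried domain.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed, hypothetical zone data standing in for what a recursive resolver
# sees while resolving a name. Keys are fully-qualified names. A CNAME entry
# redirects the lookup; an NS entry marks a delegation to another name server
# (the A record beside it is the answer that server would eventually return).
ZONE = {
    "www.shop.example.": {"A": "192.0.2.1"},
    "cdn.shop.example.": {"CNAME": "assets.cdn-provider.example."},
    "assets.cdn-provider.example.": {"A": "192.0.2.20"},
    # First-party-looking subdomain that is really a tracker via CNAME.
    "metrics.shop.example.": {"CNAME": "shop-example.tracker-cdn.example."},
    "shop-example.tracker-cdn.example.": {"CNAME": "edge.tracker.example."},
    "edge.tracker.example.": {"A": "192.0.2.10"},
    # Same trick using an NS delegation to the tracker's name servers.
    "stats.shop.example.": {"NS": "ns1.tracker.example.", "A": "192.0.2.30"},
    # Misconfigured CNAME loop, to show the chain walk terminates.
    "loop1.example.": {"CNAME": "loop2.example."},
    "loop2.example.": {"CNAME": "loop1.example."},
}

# Constructed blocklist. An entry covers the domain itself and all subdomains,
# as hosts-style DNS blocklists usually do.
BLOCKLIST = {"tracker.example", "tracker-cdn.example"}


def fqdn(name: str) -> str:
    """Normalize a name to lowercase with a trailing dot."""
    return name.lower().rstrip(".") + "."


def matches_blocklist(name: str, blocklist) -> Optional[str]:
    """Return the blocklist entry covering `name` (exact or subdomain), else None."""
    n = name.lower().rstrip(".")
    for entry in blocklist:
        e = entry.lower().rstrip(".")
        if n == e or n.endswith("." + e):
            return e
    return None


@dataclass
class Resolution:
    status: str                      # ok, blocked, nxdomain, loop, chain_too_long
    chain: list = field(default_factory=list)   # every name seen, queried name first
    answer: Optional[str] = None
    blocked_by: Optional[tuple] = None          # (name that matched, blocklist entry)


def queried_name_only(qname: str, blocklist=BLOCKLIST) -> bool:
    """What a blocker that only sees the queried domain can decide."""
    return matches_blocklist(fqdn(qname), blocklist) is not None


def resolve(qname: str, zone=ZONE, blocklist=BLOCKLIST, max_chain: int = 8) -> Resolution:
    """Resolve `qname`, applying the blocklist to every name in the CNAME chain
    and to the name server of any delegation encountered on the way."""
    name = fqdn(qname)
    chain, seen = [name], {name}
    while True:
        hit = matches_blocklist(name, blocklist)
        if hit:
            return Resolution("blocked", chain, blocked_by=(name, hit))
        rrset = zone.get(name)
        if rrset is None:
            return Resolution("nxdomain", chain)
        if "NS" in rrset:
            # Delegation: the subdomain is served by someone else's name server,
            # so filter on that server's name as well.
            ns = fqdn(rrset["NS"])
            hit = matches_blocklist(ns, blocklist)
            if hit:
                return Resolution("blocked", chain, blocked_by=(ns, hit))
        if "CNAME" in rrset:
            target = fqdn(rrset["CNAME"])
            if target in seen:
                return Resolution("loop", chain)
            if len(chain) >= max_chain:
                return Resolution("chain_too_long", chain)
            chain.append(target)
            seen.add(target)
            name = target
            continue
        return Resolution("ok", chain, answer=rrset.get("A"))


if __name__ == "__main__":
    for q in ("www.shop.example", "cdn.shop.example", "metrics.shop.example",
              "stats.shop.example", "loop1.example"):
        r = resolve(q)
        print(f"{q:22} queried-name-only blocks: {queried_name_only(q)!s:5} "
              f"resolver: {r.status:8} chain={' -> '.join(r.chain)}")
```

The contrast is in the `metrics.shop.example` and `stats.shop.example` cases: `queried_name_only` lets both through because `shop.example` is not on any list, while the resolver blocks them on the second name of the chain and on the delegated name server respectively. The loop and chain-length guards matter in a real resolver too, since a blocklist walk over CNAMEs must terminate on hostile or broken zones.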

NextDNS is the first DNS adblocker to provide a complete and definitive solution to this problem. AdGuard decided to take a different approach: using DNS to detect those domains and build a giant blocklist from them. We don't believe in this approach, as it won't scale as more and more websites adopt the technique, and it may lag behind whenever a site rotates its tracker domains.

There is also a discussion on the Pi-Hole® forum about implementing CNAME blocking just like we did, but sadly, as explained by one of the developers, their current design prevents them from implementing it in the short term.

For browser/client based adblocking solutions, this problem is going to be very hard to handle, if it is possible at all. The best case scenario involves performing a duplicate DNS query to get access to the CNAMEs, which adds latency, wastes battery and is currently only possible in the desktop version of Firefox. Building a list of all those first-party domains is another option, but as explained earlier, this will blow up the size of the blocklists, which are already too large for most browser blocking API restrictions, and it may lag behind if sites regularly change those domains.

Discuss this story on HackerNews.

You can try it out for free at (no signup required).

The next-generation DNS service

Olivier Poitrey

Director of Engineering at Netflix (Open Connect); Co-Founder of Dailymotion; Co-Founder of NextDNS; Code addict
