NextDNS first to support blocking of ALL third-party trackers disguised as first-party

Olivier Poitrey
Nov 22, 2019 · 2 min read

NextDNS is proud to announce that all your blocklists are now applied to each intermediate CNAME in addition to the queried domain name.

As we explained in our in-depth article on the matter, DNS-based adblockers are well suited to detect and block this newish type of tracker. As a DNS recursive resolver, we already process those CNAMEs, which makes it easy to perform additional filtering during resolution.

The solution is pretty simple. Let’s take as an example:

We know * is present in most tracker blocklists but not nor * obviously. A traditional adblocker would only filter on the domain visible in the URL, but because we are the ones performing the recursive resolution for the domain, we can see all intermediate CNAMEs, and apply our filtering logic on both, and
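An added illustration of the filtering logic described above (this is not NextDNS's own code; the zone records, host names and blocklist entries are constructed for the example): the resolver follows the CNAME chain and checks every name it encounters against the blocklist, so a tracker reached through a first-party alias is caught even though the queried name itself is clean.

```python
# Constructed "zone": owner name -> (rtype, target). A real recursive resolver
# obtains these records from authoritative servers; they are embedded here so
# the example runs offline.
ZONE = {
    "metrics.shop.example.": ("CNAME", "shop.example.trackerhost.example."),
    "shop.example.trackerhost.example.": ("CNAME", "collect.trackerhost.example."),
    "collect.trackerhost.example.": ("A", "192.0.2.10"),
    "www.shop.example.": ("A", "192.0.2.20"),
}

# Constructed blocklist. "*.name." blocks every subdomain of name; a bare
# "name." blocks that exact name and its subdomains (usual blocklist semantics).
BLOCKLIST = {"*.trackerhost.example.", "adserver.example."}


def matches(name, entry):
    """True if the fully qualified name matches one blocklist entry."""
    if entry.startswith("*."):
        return name.endswith(entry[1:]) and name != entry[2:]
    return name == entry or name.endswith("." + entry)


def is_blocked(name):
    return any(matches(name, e) for e in BLOCKLIST)


def resolve(qname, max_hops=8):
    """Follow the CNAME chain for qname, filtering at every hop.

    Returns ("blocked", offending_name) if the queried name or any
    intermediate CNAME target matches the blocklist, ("ok", address) when the
    chain ends at an A record, or ("error", reason) otherwise."""
    chain = [qname]
    for _ in range(max_hops):            # bounds loops and over-long chains
        name = chain[-1]
        if is_blocked(name):             # applies to queried name AND each CNAME
            return ("blocked", name)
        rr = ZONE.get(name)
        if rr is None:
            return ("error", "NXDOMAIN " + name)
        rtype, target = rr
        if rtype == "CNAME":
            chain.append(target)         # keep resolving, filter next hop too
        else:
            return ("ok", target)
    return ("error", "CNAME chain too long")
```

A resolver that only looked at the queried name would answer `metrics.shop.example.` normally; walking the chain exposes the `trackerhost.example.` hop and blocks it.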

The next step is probably for tracking companies to use NS records instead of CNAMEs. But we are ready for that and will implement the same type of solution.

NextDNS is the first DNS adblocker to provide a complete and definitive solution to this problem. AdGuard decided to take a different approach, by using DNS to detect those domains and build a giant blocklist. We don’t believe in this approach, as it won’t scale as more and more websites start to implement such a method. It might also lag behind if websites decide to regularly change those tracker domains.

There is also a discussion on the Pi-Hole® forum about implementing CNAME blocking just like we did, but sadly, their current design prevents them from implementing it in the short term, as explained by one of the developers.

For browser/client based adblocking solutions, this problem is going to be very hard to handle, if it is possible at all. The best case scenario involves performing a duplicate DNS query to get access to the CNAMEs, which adds latency, wastes battery and is currently only possible in the desktop version of Firefox. Building a list of all those first-party domains is another option, but as explained earlier, this will blow up the size of the blocklists, which are already too large for most browser blocking API restrictions, and may lag behind if sites regularly change those domains.

Discuss this story on HackerNews.

You can try it out for free at (no signup required).


The next-generation DNS service

Olivier Poitrey

Written by

Director of Engineering at Netflix (Open Connect); Co-Founder of Dailymotion; Co-Founder of NextDNS; Code addict
