NextDNS first to support blocking of ALL third-party trackers disguised as first-party

Olivier Poitrey
Published in NextDNS
Nov 22, 2019

NextDNS is proud to announce that all your blocklists are now applied to each intermediate CNAME in addition to the queried domain name.

As we explained in our in-depth article on the matter, DNS-based adblockers are well suited to detect and block this new type of tracker. As a DNS recursive resolver, we already process those CNAMEs, which makes it easy to perform additional filtering during resolution.

The solution is pretty simple. Let’s take https://eule1.pmu.fr/... as an example:

We know *.eulerian.net is present in most tracker blocklists, but obviously not eul1.pmu.fr or *.pmu.fr. A traditional adblocker would only filter on the domain visible in the URL, but because we are the ones performing the recursive resolution for that domain, we see every intermediate CNAME and can apply our filtering logic to both eul1.pmu.fr and pmu.eulerian.net.
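As an added illustration (not NextDNS code), here is a small Python model of that filtering step: a constructed zone stands in for the resolver's view of eul1.pmu.fr, and the blocklist is checked against the queried name and every CNAME target it resolves through, with a hop bound so a looping chain fails closed. The 192.0.2.x addresses are constructed documentation addresses.

```python
# Added example (not NextDNS code): apply a blocklist to every name in a
# CNAME chain, the way the post describes, using a constructed fake zone.
from typing import Dict, List, Optional, Tuple

# Constructed records standing in for what the recursive resolver sees.
FAKE_ZONE: Dict[str, Tuple[str, str]] = {
    "eul1.pmu.fr": ("CNAME", "pmu.eulerian.net"),
    "pmu.eulerian.net": ("A", "192.0.2.10"),   # TEST-NET-1 documentation address
    "www.pmu.fr": ("A", "192.0.2.20"),
}

# Constructed blocklist: "*.example" matches any subdomain but not the apex.
BLOCKLIST: List[str] = ["*.eulerian.net"]

def matches(name: str, pattern: str) -> bool:
    """Case-insensitive match of a DNS name against one blocklist entry."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])   # "*.eulerian.net" -> ".eulerian.net"
    return name == pattern

def first_blocked(name: str, blocklist: List[str]) -> Optional[str]:
    """Return the first blocklist entry that matches `name`, or None."""
    return next((p for p in blocklist if matches(name, p)), None)

def resolve_filtered(qname: str, zone: Dict[str, Tuple[str, str]],
                     blocklist: List[str], max_hops: int = 8) -> dict:
    """Follow CNAMEs, checking the queried name and every alias on the way.

    Returns the chain walked, the final answer (None if blocked or missing)
    and, when blocked, the (name, pattern) pair that triggered the block.
    """
    chain, current = [qname], qname
    for _ in range(max_hops):                  # bounded: guards against CNAME loops
        hit = first_blocked(current, blocklist)
        if hit:
            return {"chain": chain, "answer": None, "blocked_by": (current, hit)}
        record = zone.get(current)
        if record is None:                     # NXDOMAIN in this toy zone
            return {"chain": chain, "answer": None, "blocked_by": None}
        rtype, value = record
        if rtype != "CNAME":
            return {"chain": chain, "answer": value, "blocked_by": None}
        chain.append(value)
        current = value
    raise RuntimeError("CNAME chain too long or looping: " + " -> ".join(chain))

def queried_name_only_blocked(qname: str, blocklist: List[str]) -> bool:
    """What a filter that only sees the URL-visible domain would decide."""
    return first_blocked(qname, blocklist) is not None
```

Running `resolve_filtered("eul1.pmu.fr", FAKE_ZONE, BLOCKLIST)` blocks on the alias pmu.eulerian.net, while `queried_name_only_blocked("eul1.pmu.fr", BLOCKLIST)` lets the same query through.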

The next step is probably for tracking companies to use NS records instead of CNAMEs. But we are ready for that and will implement the same type of solution.

NextDNS is the first DNS adblocker to provide a complete and definitive solution to this problem. AdGuard decided to take a different approach, using DNS to detect those domains and build a giant blocklist. We don’t believe in this approach, as it won’t scale as more and more websites start to implement such methods. It might also lag behind if websites decide to regularly change those tracker domains.

There is also a discussion on the Pi-Hole® forum about implementing CNAME blocking just like we did, but sadly, their current design prevents them from implementing it in the short term, as explained by one of the developers.

For browser/client based adblocking solutions, this problem is going to be very hard to handle, if possible at all. The best-case scenario involves performing a duplicate DNS query to get access to the CNAMEs, which adds latency, wastes battery and is currently only possible in the desktop version of Firefox. Building a list of all those first-party domains is another option, but as explained earlier, this will blow up the size of the blocklists, which is already too large for most browser blocking API restrictions, and may lag behind if sites regularly change those domains.

Discuss this story on HackerNews.

You can try it out for free at https://nextdns.io (no signup required).


Director of Engineering at Netflix (Open Connect); Co-Founder of Dailymotion; Co-Founder of NextDNS; Code addict https://github.com/rs