NextDNS first to support blocking of ALL third-party trackers disguised as first-party

Olivier Poitrey
Nov 22, 2019 · 2 min read

NextDNS is proud to announce that all your blocklists are now applied to each intermediate CNAME in addition to the queried domain name.

As we explained in our in-depth article on the matter, DNS-based adblockers are well suited to detect and block this newish type of tracker. As a recursive DNS resolver, we already process those CNAMEs, which makes it easy to perform additional filtering during resolution.

The solution is pretty simple. Let’s take https://eule1.pmu.fr/... as an example:


We know *.eulerian.net is present in most tracker blocklists, but obviously neither eul1.pmu.fr nor *.pmu.fr is. A traditional adblocker would only filter on the domain visible in the URL, but because we are the ones performing the recursive resolution for the domain, we can see all intermediate CNAMEs and apply our filtering logic to both eul1.pmu.fr and pmu.eulerian.net.
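The check described above, written out as an added example (this is not NextDNS code): the answer section, the blocklist entry and the IP address are constructed for illustration, and the function applies the blocklist to every name in the CNAME chain rather than only to the queried name.

```python
# Added example (not NextDNS code): apply a blocklist to every name in a
# CNAME chain, as the post describes, instead of only to the queried name.
from typing import Optional

# Constructed blocklist: an entry matches the domain itself and any subdomain,
# i.e. "eulerian.net" stands for "*.eulerian.net" in the post's wording.
BLOCKLIST = {"eulerian.net"}

# Constructed answer section for the post's example. The IP address is a
# documentation address (RFC 5737), not a real resolution result.
ANSWER = [
    ("eul1.pmu.fr", "CNAME", "pmu.eulerian.net"),
    ("pmu.eulerian.net", "A", "192.0.2.10"),
]

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def is_listed(name: str, blocklist=BLOCKLIST) -> bool:
    """True if name equals a blocklist entry or is a subdomain of one."""
    labels = _norm(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def cname_chain(qname: str, answer) -> list:
    """Follow CNAME records from qname; stops on a missing target or a loop."""
    cnames = {_norm(o): _norm(t) for o, rtype, t in answer if rtype == "CNAME"}
    chain, cur = [], _norm(qname)
    while cur not in chain:          # a repeated name means a CNAME loop
        chain.append(cur)
        if cur not in cnames:        # end of chain (A/AAAA or missing target)
            break
        cur = cnames[cur]
    return chain

def blocked_by(qname: str, answer, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the first name in the chain matched by the blocklist, else None."""
    for name in cname_chain(qname, answer):
        if is_listed(name, blocklist):
            return name
    return None

if __name__ == "__main__":
    # Filtering on the queried name alone misses the tracker; walking the
    # chain catches the CNAME target.
    print(is_listed("eul1.pmu.fr"), blocked_by("eul1.pmu.fr", ANSWER))
```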

The next step is probably for tracking companies to use NS records instead of CNAMEs. But we are ready for that and will implement the same type of solution.

NextDNS is the first DNS adblocker to provide a complete and definitive solution to this problem. AdGuard decided to take a different approach, by using DNS to detect those domains and build a giant blocklist. We don’t believe in this approach, as it won’t scale as more and more websites start to implement such a method. It might also lag behind if websites decide to regularly change those tracker domains.

There is also a discussion on the Pi-Hole® forum about implementing CNAME blocking just like we did, but sadly, their current design prevents them from implementing it in the short term, as explained by one of the developers.

For browser/client based adblocking solutions, this problem is going to be very hard to handle, if it is possible at all. The best case scenario involves performing a duplicate DNS query to get access to the CNAMEs, which adds latency, wastes battery and is currently only possible in the desktop version of Firefox. Building a list of all those first-party domains is another option, but as explained earlier, this will blow up the size of the blocklists, which is already too large for most browser blocking API restrictions, and may lag behind if sites regularly change those domains.

Discuss this story on HackerNews.

You can try it out for free at https://nextdns.io (no signup required).

NextDNS

The next-generation DNS service

Olivier Poitrey

Written by

Director of Engineering at Netflix (Open Connect); Co-Founder of Dailymotion; Co-Founder of NextDNS; Code addict https://github.com/rs
