CNAME cloaking protection on Pale Moon (for Add-ons)

pale guru
Moonbather
Posts: 61
Joined: 2021-11-06, 11:10
Location: Tyskland

CNAME cloaking protection on Pale Moon (for Add-ons)

Unread post by pale guru » 2022-05-02, 05:31

CNAME is a DNS-based alias to integrate external websites into one's own website, so they appear as first party to the web browser and its user. This method is increasingly used for ad tracking and advertisement and to circumvent (traditional) adblockers.
The problem is discussed at grc.com's Security Now! #808, at medium.com (/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a), or arxiv.org (/abs/2102.09301).

I see that the latest ublock addon for Firefox considers CNAMEs. Is there any way for Pale Moon addons to do the same?
Would that be a feature for Pale Moon to set a checkbox in the preferences, like ”Block CNAME requests ☒“?
… tanning in dimmed LCD light. – Evry 1′s a beginner, baby, that's the truth…

moonbat
Knows the dark side
Posts: 4942
Joined: 2015-12-09, 15:45

Re: CNAME cloaking protection on Pale Moon (for Add-ons)

Unread post by moonbat » 2022-05-02, 06:20

pale guru wrote:
2022-05-02, 05:31
I see that the latest ublock addon for Firefox considers CNAMEs. Is there any way for Pale Moon addons to do the same?
eMatrix long since does.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

hujan86
Fanatic
Posts: 194
Joined: 2017-09-27, 06:50

Re: CNAME cloaking protection on Pale Moon (for Add-ons)

Unread post by hujan86 » 2022-05-02, 08:02

pale guru wrote:
2022-05-02, 05:31
Is there any way for Pale Moon addons to do the same?
uBlock Origin (Legacy) + subscribe to Geoffrey Frogeye's First Party Trackers list or NextDNS CNAME Cloaking Blocklist
Avatar's Source: yereverluvinuncleber

vannilla
Moon Magic practitioner
Posts: 2181
Joined: 2018-05-05, 13:29

Re: CNAME cloaking protection on Pale Moon (for Add-ons)

Unread post by vannilla » 2022-05-02, 09:31

moonbat wrote:
2022-05-02, 06:20
eMatrix long since does.
For transparency I must say that it did not receive much feedback so it is still considered "experimental" even if it works.
Yes, I know that "no news is good news", but I just want to make it clear that it's not a particularly battle-tested feature compared to the rest, so cave canem when using it.

Lucio Chiappetti
Astronaut
Posts: 654
Joined: 2014-09-01, 15:11
Location: Milan Italy

Re: CNAME cloaking protection on Pale Moon (for Add-ons)

Unread post by Lucio Chiappetti » 2022-05-02, 11:59

I wasn't aware of CNAME being considered an abuse, and I actually won't consider it as such.
My institute (part of a public research organization) has always (since 1993) had one webserver, called www.officialdomain where www has never been the hostname of the host hosting it :D but a CNAME to machine.geographicdomain (the actual machine has changed many times, and the CNAME allows a seamless replacement). Now we have several project webservers, some are Apache virtual hosts of www, and other alias.officialdomain are CNAMEs to othermachine.geographicdomain (actually the official domain announces mostly only CNAMEs for "public" services, where the geographic domain contains the A records for physical hostnames, which are of interest mostly only to staff).
The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. (G.B. Shaw)

Moonchild
Pale Moon guru
Posts: 35403
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: CNAME cloaking protection on Pale Moon (for Add-ons)

Unread post by Moonchild » 2022-05-02, 14:54

CNAME isn't abuse, IMO. If you call that abuse then you're stepping on the slippery slope of calling all services not hosted on the website's main server abuse also (like CDNs or outsourced/remote hosted parts of infra).

If a website owner makes a CNAME entry for a particular partner then that should be considered first-party content and shouldn't be blocked. The issue with tracking is third parties, and more specifically third parties that are dynamically injected into page content. If a website owner makes a specific CNAME entry in their DNS then that entry can only be pointing to one target, and at that point the work needed would be the same as locally hosting the same scripting/content; the only difference is that CNAME provides a level of convenience by which both the service provider and especially the website owner benefit from easier setup. Seen from that side, there literally is no difference between the two. CNAME is and will always be a 1:1 relationship. Hosting third-party content is a 1:many relationship and that is where tracking and profiling has the most opportunity to mine data.
If you wouldn't trust a website using CNAME to link in external content, then you're literally not trusting the website itself. And then you should really just not visit. 8-)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

pale guru
Moonbather
Posts: 61
Joined: 2021-11-06, 11:10
Location: Tyskland

Re: CNAME cloaking protection on Pale Moon (for Add-ons)

Unread post by pale guru » 2022-05-04, 00:59

Thanks for the lists and the hint to eMatrix.

As CNAME is part of the DNS system, I reckon there is both legitimate and dumb use of it regarding websites. I use it myself, but for mail servers to route the sender's server to the mail domain.

My point is to be able to recognise when a pretended first site subdomain links to an external provider via CNAME. With LiveHTTPHeader, I see when a site is routed through Cloudfluck and the likes, but the CNAME topic was quite new for me.
… tanning in dimmed LCD light. – Evry 1′s a beginner, baby, that's the truth…
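
The check asked for in the post above, recognising when a same-site subdomain is an alias for a host on another site, sketched as an added example (not code from any poster, uBlock Origin or eMatrix). All hostnames, the suffix set and the listed-site set are constructed; a real add-on would take the CNAME chain from a DNS lookup and use the full Public Suffix List.

```javascript
// Constructed sample data, not real DNS answers: owner name -> CNAME target.
const RECORDS = new Map([
  ["metrics.shop.example", "shop-example.tracker-vendor.test"],
  ["shop-example.tracker-vendor.test", "edge7.tracker-vendor.test"],
  ["www.shop.example", "web01.shop.example"],
  ["img.shop.example", "shop.cdn-host.test"],
  ["loop-a.shop.example", "loop-b.shop.example"],
  ["loop-b.shop.example", "loop-a.shop.example"],
]);
// Assumption: tiny stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["example", "test", "co.uk"]);
// Constructed stand-in for a subscribed CNAME-tracker list.
const LISTED_SITES = new Set(["tracker-vendor.test"]);

const normalize = (host) => host.toLowerCase().replace(/\.$/, "");

// Registrable domain ("site"): the longest public suffix plus one label.
function siteOf(host) {
  const labels = normalize(host).split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.slice(-2).join("."); // fallback when no suffix matches
}

// Follow the alias chain; give up on a loop or after maxHops aliases.
function followCnames(host, records, maxHops = 8) {
  const chain = [normalize(host)];
  while (records.has(chain[chain.length - 1])) {
    const next = normalize(records.get(chain[chain.length - 1]));
    if (chain.includes(next) || chain.length > maxHops) return { chain, broken: true };
    chain.push(next);
  }
  return { chain, broken: false };
}

// Classify a request the way a CNAME-aware blocker has to see it.
function classify(pageHost, requestHost, records = RECORDS) {
  const pageSite = siteOf(pageHost);
  if (siteOf(requestHost) !== pageSite) return { verdict: "third-party", chain: [normalize(requestHost)] };
  const { chain, broken } = followCnames(requestHost, records);
  if (broken) return { verdict: "unresolved", chain };
  const alias = chain.find((name) => siteOf(name) !== pageSite);
  if (alias === undefined) return { verdict: "first-party", chain }; // same-site alias
  const listed = LISTED_SITES.has(siteOf(alias));
  return { verdict: listed ? "cloaked-listed" : "cloaked-unlisted", chain, aliasSite: siteOf(alias) };
}
```

A CNAME that stays inside the page's own site, like the `www` alias described earlier in the thread, comes back as `first-party`; only an alias that leaves the site is reported, and whether to block it is left to the list or the user.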

Pentium4User
Board Warrior
Posts: 1104
Joined: 2019-04-24, 09:38

Re: CNAME cloaking protection on Pale Moon (for Add-ons)

Unread post by Pentium4User » 2022-05-04, 04:39

pale guru wrote:
2022-05-04, 00:59
As CNAME is part of the DNS system, I reckon there is both legitimate and dumb use of it regarding websites. I use it myself, but for mail servers to route the sender's server to the mail domain.
Off-topic:
There is the MX record you can set. It tells every MTA to send mail to your domain not to the server in the A/AAAA record, but to the server (domain name) specified in the MX record.
The profile picture shows my Maico EC30 E ceiling fan.

Moonchild
Pale Moon guru
Posts: 35403
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: CNAME cloaking protection on Pale Moon (for Add-ons)

Unread post by Moonchild » 2022-05-05, 09:26

pale guru wrote:
2022-05-04, 00:59
My point is to be able to recognise when a pretended first site subdomain links to an external provider via CNAME.
It's not relevant. Like I already said, CNAMEs are a 1:1 relationship. What good would it do for an end-user to recognise if a website uses a specific internal structure for the way it provides content to you? It actually ensures that a website can indicate via subdomains which parts are under their direct control even if hosted externally, and that in fact makes it easier and more accurate to block 3rd parties if that is what you want. For a webmaster, CNAMEs are a secure way to outsource parts of their web presence to others without needing to give them explicit access to their internal network infrastructure -- it's essential in that context. But once again, that has little to no value for end-users. The CNAMEd parts of a website are under the webmaster's control even if not operated by them. They should be considered part of the website and be given the same level of trust from an end-user point of view. If you don't agree with what the webmaster does on their own website, then you may want to consider not using their site/services.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Locked