CNAME blocking with Blokada

What is a CNAME?

It is helpful to understand how Blokada works (short | long) and how a DNS functions before reading this article.

The abbreviation CNAME stands for canonical name.

DNS-based ad blockers like Blokada block DNS requests. These requests consist of specific domains an app wants to access. A domain could be www.c-C.com, for example. Companies can register one domain as the canonical name, which points to exactly one IP (one server where the content gets loaded from). Let’s say the previously mentioned domain will be our CNAME.

In addition to registering a canonical name, one can register as many aliases for this domain as one wants. An alias for this domain could be miss-support.com or ja-ne-doe.c-C.com. When an app tries to access an alias, the DNS checks its records and figures out that this domain should be resolved to the IP that has been set for the canonical name. It then informs the app: ‘This is the IP you are looking for’. This system works even if you try to access an alias for an alias for an alias for an alias, because in the end the chain should point to one CNAME.

An analogy:

It functions a little bit like real names. Let’s say a person is called ‘Peter Parker’. This is his real name, a name that we now assume to be unique. For him only one unique ID exists (the social security number in America). With this ID authorities can figure out where Peter Parker lives, how old he is and whether he did something bad in his past. Now his Mom only calls him ‘Peter’, his friends may call him ‘Pete’, his teachers ‘Mr. Parker’. Sometimes people also call him ‘Spiderman’. All these names still refer to only one individual.

Now in our analogy Peter Parker would be the canonical name. The social security number would be the IP address, which leads to the individual and with that to the information (content) you request. All other names would be aliases for Peter Parker, which still refer to the same name (CNAME) and with that to the same social security number (IP address).

An extended example:

I recommend reading the Wikipedia article for a technical view on this topic.
A CNAME record may look like the following:

NAME                TYPE    VALUE
miss-support.com.   CNAME   www.c-C.com.

The alias is written on the left. It ‘cnames’ (shall be resolved) to the CNAME on the right.
Usually a DNS would now look up www.c-C.com. The response could look like this:

www.c-C.com.        A       <some specific IP address>

Now the requested content can be reached via the given IP address.

Why is this feature necessary?

An ad blocker like Blokada only blocks domains that are contained in a list. If a domain is not included in a list, it won’t be blocked. This list cannot be too long, otherwise it wouldn’t fit into the device’s RAM anymore.

Companies like people to see their ads. A trick they use to circumvent ad blocking is using aliases for the domain they actually want to load ads from. By creating aliases they create 2 problems for list-based ad blockers:

  • list maintainers need to find all aliases registered for an ad-serving domain (for a CNAME) and update their lists accordingly, which takes time. So for at least some days/weeks/months these aliases won’t be blocked and users will see ads.
  • lists cannot be too large, which means list maintainers can only add as many domains as most devices are still able to handle. This results in some potentially ad-serving domains not being blocked.

How does CNAME blocking work?

The solution for this problem is to block the CNAMEs and not every single alias.
So let’s take a closer look: What happens if miss-support.com gets requested?
If this domain is not contained in any of your selected block lists, Blokada allows this alias. As there is a CNAME record listed for this domain, the DNS returns the CNAME, which is www.c-C.com (and its IP address) in our example. Blokada then checks this response from the DNS against the ruleset (the domains you want to block from every list you selected) again. If an entry for the CNAME exists, the request will be blocked by Blokada.
This means list maintainers only need to add the CNAME to their compilation and not every single alias available.
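
The two-stage check described above, as an added Python sketch (not Blokada's own code). It goes slightly beyond the single-alias case by following alias-of-alias chains and stopping on loops; `RECORDS`, `BLOCKLIST`, `MAX_CHAIN`, `resolve_chain` and `decide` are hypothetical names, and the records and IPs are constructed sample data.

```python
# Constructed sample data standing in for DNS answers (names from the article,
# stored lowercase because DNS names are case-insensitive).
RECORDS = {
    "miss-support.com": ("CNAME", "www.c-c.com"),
    "ja-ne-doe.c-c.com": ("CNAME", "miss-support.com"),  # alias for an alias
    "www.c-c.com": ("A", "192.0.2.10"),                  # documentation IP range
    "example.org": ("A", "192.0.2.20"),
    "loop-a.example": ("CNAME", "loop-b.example"),       # misconfigured loop
    "loop-b.example": ("CNAME", "loop-a.example"),
}
BLOCKLIST = {"www.c-c.com"}  # the list only contains the canonical name
MAX_CHAIN = 8                # assumed cap on chain length, not a Blokada setting


def normalize(name):
    """Lowercase the name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def resolve_chain(name, records=RECORDS):
    """Return (names seen while following CNAMEs, final IP or None)."""
    chain, current = [], normalize(name)
    while current not in chain and len(chain) < MAX_CHAIN:
        chain.append(current)
        rtype, value = records.get(current, (None, None))
        if rtype == "CNAME":
            current = normalize(value)
        else:
            return chain, value  # A record gives the IP, unknown name gives None
    return chain, None  # loop or over-long chain: no usable answer


def decide(name, blocklist=BLOCKLIST, records=RECORDS):
    """Check the requested name first, then every name in the DNS response."""
    query = normalize(name)
    if query in blocklist:
        return ("blocked", query)      # ordinary list hit, no lookup needed
    chain, ip = resolve_chain(query, records)
    for seen in chain[1:]:
        if seen in blocklist:
            return ("blocked", seen)   # the alias resolved to a listed CNAME
    return ("allowed", ip) if ip else ("no-answer", None)
```
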

Information for Blokada on Android:

Information for Blokada on iOS:

Here CNAME blocking is enabled by default. You cannot turn it off or allow aliases.
