Hacker News new | ask | show | jobs
by muppetman 2402 days ago
It doesn't need to have every cname in it. The cname resolves to the actual "bad" domain, which should be in your list already. That's why DNS blocking can still combat this method easily, while it's much harder at the browser level. uBlock Origin for Firefox beta has a "run all non-local domains back through and check for cname redirection" feature, which can also block the cname trick, but it will increase DNS latency because it has to check each external domain again for the "true" domain.
2 comments
gorhill 2401 days ago
> [uBO] will increase DNS latency because it has to check each external domain again for the "true" domain.

The browser API used by uBO returns the last CNAME in the chain. I consider the DNS lookup itself to be an non-issue overhead-wise in uBO because:

- The browser would need to do it anyways

- DNS lookup results are cached at both the browser and uBO level

link
iforgotpassword 2401 days ago
> It doesn't need to have every cname in it. The cname resolves to the actual "bad" domain, which should be in your list already.

That doesn't help if dnsmasq only checks the incoming request against the list, and not the whole cname chain of the result.

link