DNS-based blacklisting is not effective against an effectively infinite, rapidly-iterated DNS namespace on domains that you otherwise trust. My experience is with DNSMasq, but it should apply to PiHole. I'd noticed that several ad networks were utilising massive numbers of hosts at a specific domain (limited to advertising). If you're using a simple /etc/hosts blocklist, you'd have to block these individually. The alternative DNSMasq affords is to block entire domains or subdomains. This is remarkably effective. But ... if ads and content are being served from the same domain, you'd have to switch to a DEFAULT DENY plus EXPLICIT ALLOW rule. So you'd have to blacklist all of "example.com" except for the valid hosts, say "webserver.example.com", "css.example.com" and "nonhostile-js.example.com", to enable assets from those specific hosts.

Another alternative, which would probably work reasonably well against CNAME attacks, is to simply deny all traffic at the IP level to the CNAMEs' targets. Since the goal of the advertiser is to make a small number of hosts or hostnames appear as a large number of their client domains, you still have an effective lever to apply in blocking access. But you'll need to use IP-level blocking (a firewall), rather than the until-now useful and largely effective DNS-based blocklists that have become popular. That's the technical countermeasure. Regulating the ever-loving hell out of these practices, and/or suing both tracking firms and their clients, is another possible approach. And I think it's going to take both technical and collective social and legal methods to address this.
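The two levers the comment above describes, as an added example that is not the commenter's code nor anything shipped by DNSMasq or Pi-hole: first, a DNSMasq fragment that sinkholes a whole domain (DEFAULT DENY) and punches holes for named hosts (EXPLICIT ALLOW), relying on DNSMasq's rule that the most specific matching `address=`/`server=` directive wins; second, a parser that follows a CNAME chain in `dig +noall +answer` output to its terminal A/AAAA records and emits nftables commands to block those addresses. The domain names, the resolver output and the nftables table and set names (`inet filter`, `adblock4`, `adblock6`) are all constructed for illustration and are assumed to exist on the host.

```python
"""Default-deny/explicit-allow for dnsmasq, plus IP-level blocking of CNAME targets.

Added example, not code from the original comment, dnsmasq or Pi-hole.
All names, addresses and the nftables table/set names below are made up.
"""
import ipaddress
import re

# Constructed sample, as if captured with: dig +noall +answer ads.trusted.example.com
SAMPLE_DIG_OUTPUT = """\
; constructed sample answer section
ads.trusted.example.com.   300 IN CNAME tracker.adnet.example.net.
tracker.adnet.example.net.  60 IN CNAME edge.adnet.example.net.
edge.adnet.example.net.     60 IN A     192.0.2.10
edge.adnet.example.net.     60 IN A     192.0.2.11
edge.adnet.example.net.     60 IN AAAA  2001:db8::10
"""

# owner  ttl  IN  type  rdata  (trailing dots on names are optional)
_RR = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+?)\.?$")


def dnsmasq_default_deny(domain, allowed_hosts):
    """Return dnsmasq.conf lines: sinkhole everything under `domain`,
    but forward the listed hosts (and anything beneath them) to the normal
    upstream. dnsmasq applies the most specific matching directive, so the
    `server=/host/#` lines override the broader `address=` line."""
    domain = domain.rstrip(".").lower()
    lines = [f"address=/{domain}/0.0.0.0"]          # DEFAULT DENY: sinkhole
    hosts = sorted({h.rstrip(".").lower() for h in allowed_hosts})
    for host in hosts:
        if host != domain and not host.endswith("." + domain):
            raise ValueError(f"{host} is not under {domain}")
        lines.append(f"server=/{host}/#")             # EXPLICIT ALLOW: '#' = default upstream
    return lines


def parse_answer(text):
    """Parse dig-style answer lines into (owner, type, rdata) tuples, lowercased,
    without trailing dots. Comment lines (';') and blanks are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR.match(line)
        if m:
            rrs.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return rrs


def cname_targets(rrs, qname):
    """Follow the CNAME chain from qname and return (terminal_name, sorted IPs).
    A CNAME loop raises rather than spinning forever."""
    cnames = {owner: target for owner, rtype, target in rrs if rtype == "CNAME"}
    name = qname.rstrip(".").lower()
    seen = set()
    while name in cnames:
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = cnames[name]
    ips = {target for owner, rtype, target in rrs
           if owner == name and rtype in ("A", "AAAA")}
    # IPv4 and IPv6 addresses do not compare with each other, so sort by (version, int)
    ordered = sorted(ips, key=lambda s: (ipaddress.ip_address(s).version,
                                         int(ipaddress.ip_address(s))))
    return name, ordered


def nft_block_commands(ips, table="inet filter", set4="adblock4", set6="adblock6"):
    """Emit `nft add element` commands adding the IPs to pre-existing drop sets.
    The table and set names are assumptions; the sets must already be referenced
    by a drop rule in the host's ruleset."""
    v4 = [ip for ip in ips if ipaddress.ip_address(ip).version == 4]
    v6 = [ip for ip in ips if ipaddress.ip_address(ip).version == 6]
    cmds = []
    if v4:
        cmds.append(f"nft add element {table} {set4} {{ {', '.join(v4)} }}")
    if v6:
        cmds.append(f"nft add element {table} {set6} {{ {', '.join(v6)} }}")
    return cmds


if __name__ == "__main__":
    for line in dnsmasq_default_deny(
            "example.com",
            ["webserver.example.com", "css.example.com", "nonhostile-js.example.com"]):
        print(line)
    rrs = parse_answer(SAMPLE_DIG_OUTPUT)
    terminal, ips = cname_targets(rrs, "ads.trusted.example.com")
    print(f"# {terminal} -> {ips}")
    for cmd in nft_block_commands(ips):
        print(cmd)
```

The address set, not the DNS name, is what the firewall enforces, so the resolution step has to be re-run on a schedule: the tracker's terminal hostname and its addresses can change while the cloaking CNAME stays put.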