NextDNS.io (sort of pihole as a service) unwraps those too. From the linked PDF:

“Other tracking countermeasures operate as a DNS resolver, and return a bogus IP address, e.g. 127.0.0.1 when the domain name matches an entry from the blocklist. As this defense works at the DNS level, these can also consider all the intermediary resolutions to CNAME records, and return a bogus IP address if any of them resolve to a domain on the blocklist. Examples of DNS-based anti-tracking measures that adopted defenses against CNAME cloaking include NextDNS [42], AdGuard [4], and Pi-hole [50].”

It’s worth reading NextDNS’s discussion on how this is implemented, and the differences between their approach, AdGuard’s, and pihole’s: https://medium.com/nextdns/nextdns-added-cname-uncloaking-su...

If you have NextDNS configured with the AdGuard base filter set, www.cultofmac.com is blocked for being CNAMED to www-cultofmac-com.ezoic.net which in turn is blocked by the AdGuard base filter. In this case, ezoic is an ad-optimizing content management system (CMS).

Here’s a wiki for setup for most routers, see Supported Platforms at the bottom:

Wiki: https://github.com/nextdns/nextdns/wiki

Splash page: https://nextdns.io/

Setup: https://my.nextdns.io/start

For iOS families, NextDNS now supports Apple Configuration Profiles to enforce Encrypted DNS at the policy level, no software to install or manual settings: https://apple.nextdns.io/
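The chain check described in the quoted PDF passage, as an added example that is not part of the original comment and is not NextDNS's, AdGuard's or Pi-hole's code. The record table, blocklist entry, IP addresses and function names are constructed for illustration; only the two hostnames and the 127.0.0.1 answer come from the comment.

```python
# Constructed sample records (not live DNS data): name -> (record type, value).
RECORDS = {
    "www.cultofmac.com": ("CNAME", "www-cultofmac-com.ezoic.net"),
    "www-cultofmac-com.ezoic.net": ("A", "192.0.2.10"),
    "example.org": ("A", "192.0.2.20"),
    "loop-a.example": ("CNAME", "loop-b.example"),
    "loop-b.example": ("CNAME", "loop-a.example"),
}
BLOCKLIST = {"ezoic.net"}  # constructed entry standing in for a filter-list rule
BOGUS_IP = "127.0.0.1"     # bogus answer named in the quoted PDF
MAX_CHAIN = 8              # assumed cap on CNAME chain length


def normalize(name):
    return name.rstrip(".").lower()


def blocked_by(name, blocklist):
    """Return the blocklist entry matching name or a parent domain, else None."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(qname, check_chain=True, records=RECORDS, blocklist=BLOCKLIST):
    """Resolve qname; return (ip_or_None, names_visited, matched_blocklist_entry)."""
    chain, seen = [], set()
    name = normalize(qname)
    while name not in seen and len(chain) < MAX_CHAIN:  # stop on loops or long chains
        seen.add(name)
        chain.append(name)
        # check_chain=False filters on the queried name only; True checks every hop.
        if check_chain or len(chain) == 1:
            hit = blocked_by(name, blocklist)
            if hit:
                return BOGUS_IP, chain, hit
        rtype, value = records.get(name, (None, None))
        if rtype == "A":
            return value, chain, None
        if rtype != "CNAME":
            break  # no record for this name
        name = normalize(value)
    return None, chain, None
```

With `check_chain=False` the first-party name passes the filter and the real address is returned, which is the gap CNAME uncloaking closes.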