µBlock, a lean and fast blocker

The test got 93% using Hagezi Multi Pro++ only at DNS level.
Anyway,

I just checked the issue again. You and Yuki are right that it's simple to fix the issue. The only issue is that the ad list should become tracker and the tracker list should be named to something else. Now I better understand why Hagezi said that the current tracker list is filled with rubbish and most are not cname tracker. Yuki also said the same. Don't know why Adguard hasn't fixed the names yet.
I see that Yuki has opened another issue mentioning yours to make them rename it. So I'm expecting it to be solved soon.

 

Haha, I would call myself a realist. Mainly because of using MS Edge, NextDNS does CNAME uncloaking. Firefox runs also through NextDNS. I didn't disable the CNAME option in uBO (in Firefox). There's overlap, but they are also to some extent complementary. View next matrix (from an interesting article, published on https://www.esat.kuleuven.be/cosic/publications/article-3303.pdf). It gives an impression of the CNAME-blocking capacities of uBO and NextDNS.



The (relatively large) CNAME segment of EasyPrivacy minified seems to me to be redundant. But I consider it as a kind of bonus.
All in all the filtering measures remain realistic.

 

Totally agree!

 

Total : 147

140 blocked

7 not blocked

 

Slavaleleka informs me that they have included more lists:

https://github.com/AdguardTeam/cname-trackers/tree/master/data

P.S.

To forum members using the EP or AG Tracking Protection list.
You continue to use the simpler protection.

I, on the other hand, who use EP at the DNS level + CNAME blocking (NextDNS) will continue to use the AG.CNAME filter list that I feel best suits my needs.

Firefox - combined_original_trackers.txt

Edge - combined_disguised_microsites.txt (now)

 

I performed an interesting CNAME test using the recent AG combined_disguised_microsites.txt filters list which has only 4610 rules.

In fact, many of the websites included in the list are blocked by

EasyPrivacy:



or the

CNAME trackers NEXTDNS blocker:



In some cases, some websites were blocked by both DNS-level filter lists.
For some websites I was alerted by an on-screen pop-up of a privacy error.

Thanks to this list of CNAME filters, I was able to verify the excellent performance of my DNS CNAME protection.
List of filters that I will leave enabled for added security/privacy.



P.S.

I would also have found 2 false positives,but I will not notify (for the time being) the maintainers.

It is possible to discover the false positives by cross-testing with the original CNAME list available in Firefox.

If any forum members want to check I can put in the FP rule.

 

@Jan Willy A shout-out to you for posting details of different filter lists. I haven't been able to find the same detailed info on my own.

 

Thanks. But some members here such as sampei nihira know much more about it.

 

Indeed, thanks to @Sampei Nihira as well.

 

What is the recommended CNAME filter list to use with Firefox? I have AdGuard CNAME original trackers list enabled, but it now keeps showing up as out-dated. Is setting cnameAliasList * in uBlock enough for for CNAME filtering?

 

I assume you're using Firefox or LibreWolf, which are the only browsers capable of CNAME scanning. I had the same update issue as you. The filterlists.com site may have issues periodically. I went to the Adguard CNAME GitHub page to get the list. (link below)

Use the first list after the "Recommendation" section.
https://github.com/AdguardTeam/cname-trackers. It might be helpful for you to read the info at Adguard's page. Adjust your strategy as advised by Adguard if you use any chromium browser.
[QUOTE

Recommendation:
Just use "AdGuard Tracking Protection filter" or "EasyPrivacy" in a content blocker of your choice. This would be the safest way. If you are absolutely sure you want to block all disguised trackers even if it breaks some websites, choose one of these: ...​

][/QUOTE]

I don't know what you're referring to. Are you using uBlock Origin or some other version uBlock?.

 

If you mean that uBO (in Firefox) itself or the filterlists AG Tracking Protection or EasyPrivacy don't protect you enough, you can choose additional AG lists from the site https://github.com/AdguardTeam/cname-trackers

Edit: Other sources may offer invalid AG lists.

 

Where is that setting supposed to be? It's not mentioned here and doesn't show up in uBO's advanced settings:

 

In the microsites list I found this rule that blocks then the whole domain:

Code:

||refer.bfr.com

This domain is obviously not blocked by EP.
It is interesting to note that in FF with the original CNAME list there is no blocking.

Another rule also causes the entire website to be blocked:

Code:

||amp.bfr.com

 

Has anyone encountered this little notice in his/her Chrome browser?

Hasn't the time and place for this like passed by years ago?

Smacks of a little desperation but who knows.

https://twitter.com/OfficialPCMR/status/1675196465520562176

 

I don't use Chrome, but you make me curious.
Regarding the Twitter link, Twitter blocks access if one is not logged in [1], and also Nitter access is blocked. [2]

 

Ooo, sorry, Stupendous Man. I should learn to apply what I've just read.

Here:

Spoiler

 

Ah, thanks. Yes, that does look like something from another time and place. I haven't seen such notice since IE9 on Vista or so.

 

The AG microsites list is very interesting for those who want to optimize their protection against CNAME cloaking. The overlap with EasyPrivacy is nearly 2.000 rules. So the microsites list adds about 2.700 effective rules.

 

I did an interesting test in Firefox using NEXT DNS CNAME protection at DNS level + AG CNAME List original in UBO.

It is possible to verify in Filterlists that the NEXT DNS CNAME list is not as complete as the AG list:

https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains

In fact, many domains escape CNAME NEXT DNS blocking and are often blocked by other filter lists.

Such as EasyList,EasyPrivacy,UBO blocking filters,or the domain is not resolved and alerts the user with an on-screen pop-up of possible threat.
I enter one of these alerts:



Sometimes the domain in AG CNAME filter list that is not blocked by the CNAME NEXTDNS block is taken from the OISD filter list:





My conclusion is that the CNAME NEXT DNS block alone is not sufficient or at least not as efficient as the AG CNAME block.

And only the use of other filter lists in UBO or at the DNS level allows the user to be reasonably protected from the CNAME threat.

 

Sorry, I read an old article. That option was removed I assume the feature is on by default now, but I'm not sure what setting that is though.

 

Settings ---> Privacy ---> Uncloak canonical names.
https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#uncloak-canonical-names.

 

Thanks for the link. I replaced AdGuard CNAME original trackers list with the one from there and it no longer shows out-dated. Any other recommended CNAME filters I should use with Firefox and uBlock?

 

I've already given my personal opinion in my post https://www.wilderssecurity.com/threads/ublock-a-lean-and-fast-blocker.365273/page-296#post-3151891
Of course AG offers special filterlists for extra strength, but - as AG itself states - the risk of not-accessing sites increases. Forummember sampei nihira gains experience with those lists. Perhaps he is willing to inform us how many (extra) blockages he sees in the uBO log during normal daily browsing.

 

UBO v.1.50.1 moves for greater compatibility with AG filter list syntax.

My recommendation is to add the AG list CNAME original (57 rules) certainly to Firefox.
With Firefox there are certainly fewer problems reaching some websites than with Chromium-based browsers:

Firefox:



In Chromium-based browsers some websites will be,compared to Firefox,unreachable when the user decides to subscribe to the AG CNAME ads,microsites........ filter lists.

However, it is easy to continue by ignoring the block

Edge:



P.S.

With the recent update (3 hours ago) there is the right title in the subscribed list.