Apply Pi-Hole blocking to CNAMEs

uBlock Origin just introduced a way to detect third-party trackers disguised as first-party scripts: Address 1st-party tracker blocking · Issue #780 · uBlockOrigin/uBlock-issues · GitHub

According to the issue, it seems that it's becoming quite common for websites to use this technique to avoid adblocker detection; as you can see, there is a big list of popular websites available here that are currently using this new trick: Address 1st-party tracker blocking · Issue #780 · uBlockOrigin/uBlock-issues · GitHub

Could Pi-hole implement a similar feature to uBlock Origin's, but for domains?

EDIT: It seems that this functionality got quite popular, because AdGuard is considering adding a similar feature to their app: Match CNAME records against the blocklists · Issue #1185 · AdguardTeam/AdGuardHome · GitHub, and the issue from the uBlock Origin GitHub repo is currently a top post on /r/privacy: To prevent third-party trackers disguised as first-party scripts, uBlock Origin is working on a workaround based on Firefox's DNS API. This API is not supported on Chromium based browsers. : privacy.

Can you summarize what you want Pi-Hole to do that it currently does not? How should this new feature work?

This was requested in an issue back in 2018: Filtering not performed on canonical names returned by a CNAME record · Issue #2242 · pi-hole/pi-hole · GitHub

I don't find that a feature request was generated for that item.

Nor did I :frowning:

What Pi-hole isn't doing is blocking domains masked by CNAME chains; for example:

bastien@data-bastien:~$ dig

This request is not blocked, although is in the block list

bastien@data-bastien:~$ dig

Here is an example (the domains are fake, it's for demonstration purpose only):
The domain is in my blacklist, so it returns the IP of my Pi-Hole if I do a DNS query:

$ host has address

But if I do a DNS query of it doesn't get blocked by Pi-Hole even though it's simply an alias (CNAME) for

$ host is an alias for has address

What I would like Pi-hole to do is to check whether the domain is a CNAME (in the example then compare the domain that it is aliased to (in the example with my blacklist. If it is in my blacklist, block the domain (by returning the IP of my Pi-hole).

Would this feature request be more correctly titled "continue Pi-Hole blocking all the way through a CNAME chain"?


Sure, if you think that's better than the actual title.
I'm not actually good at giving a title to a topic, but I do understand that some people may not understand the current title correctly.

I changed the name accordingly. This makes it easier for users to search and clarifies the change request.


Devices/services/apps without the ability to use browser extensions will be greatly affected once all the advertisers learn the trick. This is needed to stay on par with current functionality.

In the case presented above (output shortened for clarity), could the user not just block the original domain with a regex?


The CNAME is pointing to a bad domain. Why not just add the CNAME to the blocklist/blacklist? Any other re-resolving of things is going to add layers and latency to things.

  • Check domain against black/block
  • Resolve domain
  • Check resolved domain against black/block

I'm not sure offhand if we can even get the intermediate CNAMEs from FTL either.

So something like:

  1. Resolve
  2. If is CNAME then check CNAME against blacklist
  3. is CNAME for
  4. If is CNAME check against blacklist
  5. is CNAME for
  6. If is CNAME check against blacklist
  7. is A.


  1. Resolve
  2. is blacklist.
  3. Return
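
The two walks sketched above, written out as an added example (my own demo code, not Pi-hole's or FTL's): every name in the chain, including the intermediate CNAME targets, is checked against the blocklist, and the walk stops at the first hit. The zone records, the blocklist entry and the sinkhole address are constructed for the demo; the domains are fake. It also covers the case the sketch does not, a CNAME loop, by capping the chain length.

```python
# Added example, not Pi-hole/FTL code. Constructed zone: name -> (type, target).
ZONE = {
    "analytics.example.test": ("CNAME", "tracker.cdn.example.test"),
    "tracker.cdn.example.test": ("CNAME", "collector.tracker.test"),
    "collector.tracker.test": ("A", "198.51.100.7"),
    "www.example.test": ("A", "198.51.100.1"),
    "loop-a.example.test": ("CNAME", "loop-b.example.test"),  # constructed loop
    "loop-b.example.test": ("CNAME", "loop-a.example.test"),
}

# Constructed blocklist: only the final target is listed, not the first-party alias.
BLOCKLIST = {"collector.tracker.test"}
SINKHOLE = "0.0.0.0"   # stand-in for the Pi-hole's own IP in the example
MAX_CHAIN = 10         # cap so a looping CNAME chain cannot spin forever


def is_blocked(name, blocklist):
    """Exact-match check only; Pi-hole's regex/wildcard matching is left out here."""
    return name.lower().rstrip(".") in blocklist


def resolve(name, zone=ZONE, blocklist=BLOCKLIST):
    """Walk the CNAME chain for `name`.

    Returns (answer, chain, blocked_name): `answer` is the A record, the
    sinkhole address if any name in the chain is listed, or None for
    NXDOMAIN; `chain` is every name visited in order.
    """
    chain = [name]
    current = name
    for _ in range(MAX_CHAIN):
        if is_blocked(current, blocklist):       # step "check against blacklist"
            return SINKHOLE, chain, current
        record = zone.get(current)
        if record is None:
            return None, chain, None             # NXDOMAIN
        rtype, target = record
        if rtype == "A":
            return target, chain, None           # "... is A." : end of chain
        current = target                         # "... is CNAME for ...": keep walking
        chain.append(current)
    raise RuntimeError("CNAME chain too long or looped: " + " -> ".join(chain))


if __name__ == "__main__":
    for q in ("analytics.example.test", "www.example.test"):
        print(q, "->", resolve(q))
```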

Remember that those are wildcards, and you would only have to look at in that example.

These are separate domains which could be triggered as soon as a CNAME is returned, and so speed is kept for normal blocking.

Only slowdown when CNAME is returned by the upstream server.

Where are wildcards being used?

These are providing services to clients, so if would track us then the domain would be so wildcard.

I'm not getting you. is now a regex? That adds even more complexity, as the regex has to be checked on every step.

The issue I see is that we can add code that increases complexity and potential for breakage. It would increase memory consumption as we would have to store the initial query target and then the intermediate targets with pointers back to the initial target to relate the queries all to each other. If there's a CNAME pointing to a CNAME (as in the example case) then we have a stack of queries that need to be kept in memory and linked with pointers to each other.

Or you can add the target to your blacklist. (Chances are that the list maintainers are going to add them anyways...)

Wildcard has become a regex in Pi-hole but in normal language the meaning is still the same.

I still don't follow.

I was afraid of that.

First you have to understand what is happening. You type in and the CNAME makes you go to because you are using their services.

We don't want to end up with so we jump ship and can't visit anymore.

I can't see that is transferring to eurlerian, and Pi-hole itself doesn't either. The domain entered is

That's not what is happening here. Entire websites are not CNAMEd to another domain. If was actually then the two are fully equivalent and you should not see anything from anyways.