Brave browser gets CNAME-based adblocking support

Martin Brinkmann
Nov 17, 2020
Brave, Internet

Brave Browser, a Chromium-based web browser that shares its core with Google Chrome, Microsoft Edge, Opera and Vivaldi, will support CNAME-based adblocking in version 1.17 of the browser.

The feature landed in Brave Nightly already and will be integrated in the stable version of the browser in the coming release.

Raymond Hill, maker of the popular content blocker uBlock Origin, introduced support for CNAME-based blocking in the Firefox version one year ago. The developer was the first to introduce such functionality in a browser extension, but could do so only in Firefox as Mozilla's browser was, and is, the only browser that supports DNS API capabilities that make such functionality possible in first place.

The Firefox-version of uBlock Origin is therefore the most effective when it comes to content blocking.

Sites and Internet marketing companies may use CNAME cloaking to avoid detection by content blockers, regardless of whether they are integrated in the browser natively, provided by browser extensions, or through other means such as the HOSTS file or DNS.

CNAME tracking, also called CNAME cloaking, works through redirects by using subdomains of the main domain which are then redirected automatically to a tracking domain. Most content blockers distinguish between first and third party resources, and CNAME tracking uses this to avoid detection.

Broken down, the technique makes a resource look like its first party when in fact it is not.

Most browsers cannot detect or block these, and while there are lists, it is necessary to manage the lists manually unless a browser or extension is used that comes with better protection options.

Next to Firefox with uBlock Origin, it is Brave Browser that stepped in. It is the first Chromium-based browser that introduces support for CNAME-based blocking.

Brave Shields, the browser's content blocking solution, will support CNAME-based content blocking in version 1.17 of the browser. The component will "recursively check the canonical name records for any network request that isn't otherwise blocked using an embedded DNS resolver".  The request will then be blocked if it has a CNAME record and if the request would be blocked under the canonical name.

CNAME-based content blocking is enabled by default in Brave 1.17, and it is the first major browser to introduce the functionality as a native solution that is enabled by default.

The company plans to release Brave 1.17 Stable on November 17, 2020 to the public.

Closing Words

Brave is the first browser to provide native on-by-default protection against CNAME-based cloaking techniques. Firefox users who install uBlock Origin are protected as well.

Now You: Have you tried Brave Browser recently?

Article Name
Brave browser gets CNAME-based adblocking support
Brave Browser, a Chromium-based web browser that shares its core with Google Chrome, Microsoft Edge, Opera and Vivaldi, will support CNAME-based adblocking in version 1.17 of the browser.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Anonymous said on December 13, 2020 at 7:21 pm

    @Iron Heart
    I added your 3 custom filters, but each filter says 0 used out of 0. What am I doing wrong?

  2. Iron Heart said on December 11, 2020 at 5:54 pm

    Here is my own Brave setup for anyone interested, as of December 11th, 2020. Brave 1.18.70 (desktop version). This setup is meant to strike a good balance between privacy and usability, and tries to debloat the browser.

    Why do I use Brave? Basically, because Brave removes unsolicited requests to Google from Chromium, the only times it contacts Google by itself it to update extensions (if you have any) or Google SafeBrowsing (unless you disable it) and Push notifications (unless you disable them). This is far superior to Chrome or vanilla Chromium. You can read about the things the Brave team removed here:

    It is the only Chromium-based browser with credible fingerprinting protections:

    It is the only Chromium-based browser that can do CNAME uncloaking (see the article this comment here appears under). Brave’s internal adblocker will also continue to work as it does no uninterrupted. It won’t be affected by Google’s decision to cripple adblockers with Manifest V3. Brave’s adblocker is not an extension, but rather implemented natively, and thus isn’t under extension restrictions, like e.g. uBlock Origin would be.


    Brave adblock lists:

    – Go to brave://adblock/ and enable the lists there, the more the merrier. I recommend the list that fits your native language and the following lists: Easylist-Cookie List – Filter Obtrusive Cookie Notices, Fanboy Annoyances List, Fanboy Social List, uBlock Annoyances List

    Brave’s settings menu (hamburger menu –> Settings):

    1) brave://settings/appearance
    – Brave suggestions in the address bar –> Disabled
    – Hide Brave Rewards Button –> Enabled
    – Always show full URL –> Enabled (might help in spotting phishing attempts)

    2) brave://settings/newTab
    – If you prefer, set this to show an empty page, if not:
    – Sponsored Images, Brave Rewards, Biance, –> Disabled

    3) brave://settings/shields
    – Show number of blocked elements on Shield icon –> Enabled
    – Default view –> Advanced view
    – Trackers & ads blocking –> “Aggressive” (this will block 1st party ads as well as 3rd party ads, “Standard” would only block 3rd party ads – there is no reason we would want to see 1st party ads, so “Aggressive” is fine)
    – Upgrade connections to HTTPS –> Enabled (equivalent of the HTTPS Everywhere extension, which is why you don’t need it in Brave)
    – Block Scripts –> Disabled (blocking scripts in general breaks too many websites, if you want to do it, use an extension like uMatrix that can provide more granular control than the Brave setting)
    – Cookie blocking –> Only block cross-site cookies (blocking 1st party cookies break too many websites, we’ll take care of them later on with Cookie AutoDelete)
    – Fingerprinting blocking –> Aggressive (if it breaks any website, play around with the “Standard” setting, Aggressive has worked for me so far)

    4) brave://settings/socialBlocking
    – Disable all the settings there, unless you have and use a Google / Facebook / Twitter / Linkedin account, in this case leave the setting that matches your account enabled

    5) brave://settings/search
    – DuckDuckGo, StartPage, Qwant are privacy-respecting search engines, however, I know that Google tends to have better results. Use whatever works for you.

    6) brave://settings/extensions
    – Ethereum / Web3 provider –> None
    – Crypto Wallets –> Disabled
    – Allow Google login for extensions –> Disabled
    – Hangouts –> Disabled
    – IPFS Companion –> Disabled
    – Widevine –> Disabled (unless you use any commercial streaming service like Amazon Prime / Netflix / Spotify or whatever in the browser, if you use any of those leave it at “Enabled”=
    – Media Router –> Disabled (unless you want to use Chromecast, in which case one should leave it at “Enabled”)
    – Private Window with Tor –> Enabled (handy if you want to hide your IP address, do not consider it a real Tor Browser replacement though, as Brave doesn’t have Tor’s common fingerprint)
    – Automatically redirect to .onion websites –> Disabled (you can still do it if necessary, Brave will offer the option to you, though I really recommend Tor Browser for any such action)
    – WebTorrent –> Disabled


    7) brave://settings/privacy
    – Us prediction service to help complete searches and URLs (= URL speculative autocomplete) –> Disabled
    – WebRTC IP handling policy –> Disabled Non-Proxied UDP (will prevent WebRTC IP address leak)
    – Use Google services for Push notifications –> Disabled (unless you want notifications, e.g. for chats, in this case leave it at “Enabled”)
    – All Brave crash reports / usage stats / “help us to improve our product nonsense” –> Disabled

    8) brave://settings/clearBrowserData
    – Set it to delete cookies and cache upon closing the browser

    9) brave://settings/cookies
    – Block 3rd party cookies, set to delete cookies upon closing the browser
    – “Do not track” –> Disabled (only raises entropy, ironically making you more easy to track, and this setting is not respected by most websites anyway)

    10) brave://settings/security
    – Google SafeBrowsing –> Disabled (double-edged sword somewhat, Google SafeBrowsing improves security while lowering privacy, I chose to turn it off because I am convinced that uBlock’s anti-malware lists will suffice)

    11) brave://settings/content
    – Hard to give recommendations here, disallowing access to your location should be safe. Do not disable notifications if you use chats, do not disable microphone or camera access if you use audio / video chats. If you don’t you chats, deny access to camera, microphone, automatically deny notifications.

    12) brave://settings/payments
    – Disable all settings you see there.

    13) brave://settings/addresses
    – Disable all settings you see there.

    Extensions I use in Brave, all downloaded from the Chrome Web Store… All of these extensions are long-standing free and open source software and do not collect any kind of data themselves:

    1) uBlock Origin = content blocker, for ad and tracker blocking. I use it in Brave despite Brave having its own adblocker, because contrary to Brave, uBlock Origin allows me to set custom lists that don’t come bundled with it.
    – Enable the settings stopping link prefetching, hyperlink auditing, CSP reports. Don’t use the WebRTC setting as it conflicts with Brave’s own WebRTC setting and isn’t any better!
    – As for the lists one should have, of the included ones: Basically all lists aside from the language-specific ones, of the language-specific ones enable the one with your own language at least. I literally have all uBlock Origin included lists enabled without issue.
    – I also value the following lists, which are not included by default (Hit “Subscribe at the right side of the screen):
    -> AdBlock Warning Removal List (circumvents websites locking you out if you have an adblocker):
    -> Fuck Fuckadblockm (same reason as Adblock Warning Removal List):
    -> I don’t care about cookies (most effective list against annoying EU cookie notices):

    2) ClearURLs = primarily filters tracking elements from URLs, meaning you will be using clean links. Also other minor stuff.
    – Allow domain blocking –> Enabled
    – Prevent tracking via the History API –> Enabled
    – Allow Referral marketing –> Disabled
    – Filter eTags –> Enabled

    3) LocalCDN = websites load libraries from third party sources, the providers of those libraries know which websites you’ve visited and can potentially profile you. LocalCDN provides these libraries locally for websites, intercepting requests to third party sources. Has the side effect of slightly speeding up the loading process of websites. I use LocalCDN instead of the similar Decentraleyes because the development of the latter has slowed down, and because LocalCDN supports a wider spectrum of libraries at this stage.
    – You can leave everything at the default settings here. However, I recommend to disable the update notification in the settings of the extension as it’s quite annoying – the extension gets updated quite regularly.
    – If you use uBlock Origin in medium mode instead of the default easy mode, you can integrate LocalCDN with uBlock Origin (under the “Advanced” section of LocalCDN’s settings)

    4) Cookie AutoDelete = Gets rid of cookies and other kinds of local data websites store upon your computer upon closing the tab or changing the domain.
    – Automatic cleaning –> Enabled
    – Enable Cleanup of Discarded / Unloaded Tabs –> Enabled
    – Enable Cleanup on Domain Change –> Enabled (Depends on the convenience level you want to maintain, if you are logged into an account, then change the website entirely, and then return to the website you’ve been logged into, all within the same tab, you’ll get logged out as the cookies will be removed upon domain change – normally Cookie AutoDelete would only clean cookies upon actually closing a tab).
    – Clean Cookies from Open tabs on Startup –> Enabled
    – Clean all Expired Cookies –> Enabled

    – Enable Cache Cleanup –> Enabled
    – Enable IndexedDB Cleanup –> Enabled
    – Enable LocalStorage Cleanup –> Enabled
    – Enable Plugin Data Cleanup –> Enabled
    – Enable Service Workers Cleanup –> Enabled (may break chat notifications if you need those, so be careful if you use chats)


    I hope this info was helpful for any interested party. I always appreciate corrections or criticism where applicable.

    1. Klaas Vaak said on December 13, 2020 at 5:03 am

      @Iron Heart: excellent, many thanks.

      I would make 1 small addition: I found that the extension ClearURLs does not always do the job, so have also installed and enabled Neat URL. Maybe this is overkill, but between the 2 the job seems to get done.

      1. Iron Heart said on December 15, 2020 at 10:46 pm

        @Klaas Vaak

        Thanks for the tip, my only nitpick here would be that Neat URL seems to get updated only infrequently. Though to be fair, the update it got the last time was substantial indeed. I’ll check the extension out.

      2. White said on January 26, 2021 at 7:04 pm


        Your heart is not of iron. You are giving your things away, this happens only when the heart is soft.

        Thanks a ton! ❤

    2. Anonymous said on December 11, 2020 at 11:44 pm

      @IronHeart, Firefox has the possibility to change the user’s profile location, a RAMDisk for instance. Does the Brave browser include this feature?

      Thanks for the list.

      1. Iron Heart said on December 15, 2020 at 10:53 pm


        Cache Relocator supports Brave:

        Also a relevant thread:

        Seems like it can be done, but I am not doing it myself, so I don’t think I am qualified to help here, unfortunately. This is what I have found. Hope it helps, anyway.

  3. Anonymous said on November 18, 2020 at 3:26 pm

    If the new release can stop the (we see you are using an ad blocker) messages then I would use it.

    1. Pak Pok said on November 18, 2020 at 6:44 pm

      well, to be honest, for the way Brave Adblocker works it doesn’t display that message about using an adblocker as much as other extensions, yeah you may say you can install another extension to avoid it more like when Nano Defender existed but I honestly rarely see that message when using native Brave Adblocker only.

  4. Anonymous said on November 17, 2020 at 11:42 pm

    I don’t have a cnameAliasList.

    ”Change the value of the parameter cnameAliasList to *.”

    cnameIgnoreList unset
    cnameIgnore1stParty true
    cnameIgnoreExceptions true
    cnameIgnoreRootDocument true
    cnameMaxTTL 120
    cnameReplayFullURL false
    cnameUncloak true
    cnameUncloakProxied false

  5. Bobo said on November 17, 2020 at 7:14 pm

    I like cake.

  6. BraveBros said on November 17, 2020 at 12:02 pm

    CNAME trackers are just another overblown data privacy threat constructed by the fear mongering internet media

    1. Anonymous said on November 17, 2020 at 12:34 pm

      This problem is similar to the fear mongering about fingerprinting.

      The well-known filterlists included in good content blockers already take care of 100% of all fingerprinting scripts.

      Algorithmic protection is good but since tracking is always javascript-based, all relevant scripts are always added to the filterlists.

      There are only a handful of players in the tracking business, and they are all well-known.

      The biggest privacy problem is server-side tracking when the first-party sends data via their backend. There is not much that can be done against server-side tracking, except regulation by law, which we already have in place in Europe.

  7. kirk said on November 17, 2020 at 11:00 am

    Would this be rolled out to only Brave for desktop or Brave for Android will get this feature too?

    1. Anonymous said on November 18, 2020 at 3:51 am

      well, in github issue they posted tests running on android so it must, especially since desktop and android are the “same”.

  8. Akeru said on November 17, 2020 at 9:19 am

    Next step for browsers the Google Tag (Server-Side Tagging)… Which has no countermeasure yet.

    1. No Thanks, M$NBCIAGooglesoft said on November 17, 2020 at 10:55 pm

      Wait until you hear about Microsoft Pluton. A backdoor into every CPU, with “cloud updates”. That’s right, the CPU will connect to MS servers for updates like a motherboard BIOS. It is a new form of the TPM chip, except now there won’t be any way to disable it if MS has its way.

  9. Anonymous said on November 17, 2020 at 9:15 am

    another solution is nextdns, which I use alongside Brave and UbO.

    1. Ray said on November 18, 2020 at 5:41 pm

      dnscrypt-proxy can handle this as well.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.