CNAME

What is CNAME?

An abbreviation for Canonical Name, CNAME is a type of DNS record used to associate an alternative or secondary domain name with its main domain name. The returned canonical name can then be used to look up the IP address.

The DNS (Domain Name System) is the map that links the human-readable website name (like example.com) to the associated numerical IP address (like 203.0.113.43). Sometimes the website name requested is not the core name linked directly to the IP address. In this case, the DNS table has a CNAME record that maps the requested name (such as search.example.com) to the canonical name (in this case example.com). Then a second DNS lookup is performed using the canonical name to find the IP address.

Why are there CNAME records?

CNAME records allow a domain owner to direct requests for various subdomains all to a single IP address. Once the request gets to the IP address, the Web server will then determine exactly what page was requested and provide that content. Continuing with our example of a request for search.example.com, when the request arrives at the correct IP address for example.com, the Web server reads the original web site requested (search.example.com) and returns the search page. A similar process happens when a user requests support.example.com.

CNAME records also allow for common mistakes to be redirected, as when a request for example.net redirects a user to example.com.

DNS entries for these alternate names could all map directly to the IP address using a basic DNS record instead of a CNAME record. But if the IP address changes, all of these records would have to be updated. By pointing all alternate names to the canonical name, only a single DNS record (and thus IP address) would need to be updated. Having CNAME records makes the DNS easier to maintain and less likely to have errors.

Are CNAME records secure?

Any DNS entry, including a CNAME record, is vulnerable to several types of attacks. The most common terms for these attacks are hijacking, spoofing, and cache poisoning. The exact method of these attacks can vary, but all strive to redirect the user request for a legitimate website to an alternate (often spoofed) site of the attacker’s choice. The redirect may be for phishing, to serve ads or collect data, or to censor content. (The Brave privacy glossary entry for DNS has more info about these security risks.)

Two common attacks against CNAME records are called “cloaking” and “dangling name” attacks. In a cloaking attack, a hacker puts a misleading CNAME record in the DNS table to circumvent ad blockers that reject third-party ads and trackers by comparing DNS requests to a known list of undesirable domains. A cloaked CNAME record may look very similar to a name that would be associated with a legitimate site’s canonical name. Another cloaking tactic is to constantly change the canonical name the CNAME record returns, thus staying a step ahead of the blocker’s data on what domains to block. If the blocker can’t detect the cloaking, the unwanted content gets loaded in the user’s browser.

A dangling CNAME record is one that was legitimate but has since been abandoned—perhaps because the original site was removed or renamed. A common case of this is a shop on a marketplace—say example.etsy.com. When the seller establishes their “example” shop, a CNAME record is added to the DNS table that maps “example.etsy.com” to the canonical name “etsy.com”. If the seller closes the shop, and the CNAME record is not deleted from the DNS table, this record becomes a dangling name, and can be taken over by hackers. Anyone who then tries to visit “example.etsy.com” will instead be routed to a site of the hacker’s choice.

Protections against CNAME hacking

DNS was originally designed in the early days of the Internet. Its creators did not foresee the threats by malicious actors that we face today, and so did not include security measures in its design. DNS attacks, including those on CNAME records, can be very hard to detect. Without built-in protections within the DNS, it’s up to website owners and users to remain vigilant, and use available tools for protection.

Website owners can take several steps to protect their DNS table data against attacks, including:

• Use a protocol called DNSSEC (for Domain Name Server Security Extensions) to add a digital signature to a DNS table entry, verifying the record is authentic. This authentication step prevents website users from being routed to the wrong site.
• Monitor site traffic for sudden changes. If the number of visits drops suddenly or significantly, it may indicate that their DNS records have been hijacked in some way, and potential visitors are being rerouted.
• Periodically check DNS entries to make sure they haven’t been changed.

There are also things you can do to avoid being routed to the wrong website, and to protect yourself if you are connected to malicious content:

• Use a VPN, particularly when on a public Wi-Fi connection. This can protect against man-in-the-middle attacks that might attempt to intercept traffic between you and the DNS server.
• When a website loads, check that it’s the one you wanted. Even if it looks right, make sure the actual website address is correct (e.g. “example.com” and not “examplllle.com”). Check the browser address bar for “https://” (not “http://”) or the lock icon.
• Keep all software, including antivirus software, updated. This can help prevent malware from being installed if you end up at a malicious site.
• If you don’t trust your ISP, and you can find an alternate DNS server you do trust, configure your device to use this alternate instead.
• Use the Brave browser—its enhanced ad blocking and tracker blocking capabilities provide added security against CNAME cloaking.