Mitigating Collateral Damage

For a long while I was rolling my own DNS based ad and tracker blocker using the dnsmasq service built into the Asuswrt-Merlin router. I was so brutal with blocking things that to maintain domestic harmony I set up some rules to exclude my significant other’s devices.

Recently I decided to use NextDNS to provide the same type of blocking. It seemed that I was able to achieve a finer level of control and had fewer false positives, so I removed the exclusion on the SO’s devices. A privacy win as now the ad and tracker blocking covers everyone in the household.

Collateral Damage

But all is not perfect. Today the login to their New Yorker subscription ceased working. They requested a new login and URL to link.condenast.com was emailed to them. But their browser said it could not find that site.

Sure enough, my devices also said they were unable to find that server.

Looking up link.condenast.com on a machine not subject to my ad and tracker blocking showed:

# nslookup link.condenast.com
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
link.condenast.com    canonical name = cb.sailthru.com.
cb.sailthru.com    canonical name = ha-link.sailthru.com.
ha-link.sailthru.com    canonical name = haproxy-prod-link-nlb-9484743b55d7f6b1.elb.us-east-1.amazonaws.com.
Name:    haproxy-prod-link-nlb-9484743b55d7f6b1.elb.us-east-1.amazonaws.com
Address: 3.222.82.214
Name:    haproxy-prod-link-nlb-9484743b55d7f6b1.elb.us-east-1.amazonaws.com
Address: 3.226.166.212
Name:    haproxy-prod-link-nlb-9484743b55d7f6b1.elb.us-east-1.amazonaws.com
Address: 107.20.71.201

The first “hop” to cb.sailthru.com blocks the lookup on NextDNS because it is a known tracker and I have “Block Disguised Third-Party Trackers” enabled on my NextDNS setup.

A Workaround

Putting cb.sailthru.com in the NextDNS whitelist for my account fixed the immediate issue but was very unsatisfying.

Apparently newer versions of dnsmasq allow you to define a CNAME whose target is not a name defined on the local host. And, apparently, my Asuswrt-Merlin has a new enough version of dnsmasq.

The fix is to add the following to my dnsmasq.conf.add file:

cname=link.condenast.com,haproxy-prod-link-nlb-9484743b55d7f6b1.elb.us-east-1.amazonaws.com

Not perfect, as Conde Nast may change AWS services from time to time. But for the moment it lets the blocked tracker names in the CNAME chain be skipped when link.condenast.com is resolved.

Now that I know a way to bypass disguised third-party tracking DNS and still resolve to the final address I can keep domestic harmony. When the situation comes up in the future:

  1. Look up the server DNS on a machine not subject to the protections provided by NextDNS.
  2. Note the final server name.
  3. Add a CNAME record in my dnsmasq.conf.add file that cuts out the tracking DNS CNAMEs.
  4. Push the updated file to my router.
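Steps 1 to 3 above, as an added Python example that is not part of the original post: it parses the nslookup output format shown earlier (embedded here as constructed sample data so it runs offline), follows the CNAME chain to the final name, reports which hops match an assumed tracker suffix list, and emits the dnsmasq cname= line. BLOCKED_SUFFIXES is a hypothetical stand-in for whatever NextDNS actually blocks.

```python
import re

# Constructed sample: the nslookup output quoted in the post, embedded for offline use.
NSLOOKUP_OUTPUT = """\
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
link.condenast.com    canonical name = cb.sailthru.com.
cb.sailthru.com    canonical name = ha-link.sailthru.com.
ha-link.sailthru.com    canonical name = haproxy-prod-link-nlb-9484743b55d7f6b1.elb.us-east-1.amazonaws.com.
Name:    haproxy-prod-link-nlb-9484743b55d7f6b1.elb.us-east-1.amazonaws.com
Address: 3.222.82.214
"""

# Hypothetical stand-in for the resolver's "disguised third-party tracker" list.
BLOCKED_SUFFIXES = ("sailthru.com",)

# One "<alias>    canonical name = <target>." line; the trailing dot is optional.
CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+?)\.?$", re.MULTILINE)

def cname_chain(output, start):
    """Follow 'canonical name' lines from start to the name that carries the A records."""
    aliases = {src.rstrip(".").lower(): dst.lower() for src, dst in CNAME_RE.findall(output)}
    chain = [start.lower()]
    seen = set(chain)
    while chain[-1] in aliases:
        nxt = aliases[chain[-1]]
        if nxt in seen:  # defensive: a CNAME cycle would otherwise loop forever
            raise ValueError(f"CNAME loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    return chain

def is_blocked(name, suffixes=BLOCKED_SUFFIXES):
    """True if name is a blocked domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)

def blocked_hops(chain):
    """The intermediate names a blocking resolver would refuse to answer for."""
    return [hop for hop in chain if is_blocked(hop)]

def dnsmasq_cname_line(chain):
    """Pin the first name directly to the last one, cutting out every hop between."""
    if len(chain) < 2:
        raise ValueError("no CNAME hops to cut out")
    return f"cname={chain[0]},{chain[-1]}"

if __name__ == "__main__":
    chain = cname_chain(NSLOOKUP_OUTPUT, "link.condenast.com")
    print("blocked hops:", blocked_hops(chain))
    print(dnsmasq_cname_line(chain))
```

Pinning the CNAME only avoids resolving the blocked names; the browser still connects to the same Sailthru-operated redirector behind the final name, so the click itself is still seen there.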