Quiz Entry - updated: 2026.06.19
What is CNAME cloaking, how widespread is it, and what are its risks?
CNAME cloaking disguises third-party cookies as first-party via DNS to bypass browser protections; studies found 76% of analyzed websites use it, and it carries cookie-leakage security risks plus GDPR transparency obligations.
* CNAME cloaking: a first-party-looking subdomain is DNS-redirected to an external tracker, dodging third-party-cookie blocking. *
The mechanism (three parts):
- DNS-CNAME redirection — a site's own subdomain points to a tracking server
- First-party cookie disguise — the browser treats the subdomain's cookies as first-party, so protections don't block them
- Server-side forwarding — tracking data is forwarded server-side to the real third party, bypassing browser defenses
Scale: research found 76% of analyzed sites use this technique to undermine tracking protection.
Risks & limits:
- Security: cookie leakage — first-party cookies (possibly including session tokens) can leak to the tracker
- Legal: GDPR transparency duties still apply — CNAME tracking is not a free pass; it doesn't replace consent and must be used lawfully
Tip: You can detect it by checking a subdomain's DNS records for CNAME pointers to external tracking domains.