
"... this will bypass Same Origin Policy..."

Same Origin Policy does not seem to provide any protection against DNS-based tracking.

For example, putting a series of links to resources in a page and making conclusions from the series of DNS requests made automatically by "modern" browsers like Chrome, Safari, Firefox, Edge, Opera, etc.^1,2

To be fair, this sort of tracking is arguably brittle, e.g., if the user has auto-loading of images disabled or is not using a cache that randomises the ordering of IP addresses within a response packet like BIND.

It can also be easily avoided by user control over her client automatically making DNS requests for any resource^3 and user control over her own source of authoritative DNS data. For example, using a client that does not automatically load resources and using a local source of DNS data like a HOSTS file or a zone file served from a logging authoritative server on localhost like tinydns.

1. https://www.ndss-symposium.org/wp-content/uploads/2019/02/nd...

2. http://dnscookie.com

3. Not just images or third party scripts
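
An added example, not part of the thread: a small audit that lists the hostnames a page would make an auto-loading client resolve and reports which of them are not answered by a local HOSTS file, the mitigation the comment above describes. The tag list, the `include_links` option, the sample page and the HOSTS entries are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs a typical browser fetches or pre-resolves without a click.
# Assumption: illustrative, not an exhaustive list of auto-loaded resources.
AUTO_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href"),
    ("video", "src"), ("audio", "src"), ("source", "src"),
}

class AutoHosts(HTMLParser):
    def __init__(self, include_links=False):
        super().__init__()
        self.hosts = []  # hostnames in document order, de-duplicated
        # Some browsers also pre-resolve plain <a href> targets; opt in to count them.
        self.attrs = AUTO_ATTRS | ({("a", "href")} if include_links else set())

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.attrs and value:
                host = urlsplit(value).hostname  # None for relative URLs
                if host and host not in self.hosts:
                    self.hosts.append(host)

def parse_hosts_file(text):
    # Return every name mapped in HOSTS-format text ("IP name [alias...] # comment").
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(f.lower() for f in fields[1:])
    return names

def unpinned_hosts(html, hosts_text, include_links=False):
    # Hostnames the page would trigger lookups for that the HOSTS data does not answer.
    parser = AutoHosts(include_links)
    parser.feed(html)
    pinned = parse_hosts_file(hosts_text)
    return [h for h in parser.hosts if h not in pinned]

# Constructed sample input (not taken from any real page or system).
SAMPLE_HTML = ('<link rel="dns-prefetch" href="//p1.tracker.example">'
               '<link rel="stylesheet" href="/local.css">'
               '<img src="https://a1.tracker.example/x.gif"><img src="https://a2.tracker.example/x.gif">'
               '<script src="https://cdn.site.example/app.js"></script>'
               '<a href="https://click.tracker.example/">more</a>')
SAMPLE_HOSTS = ("127.0.0.1 localhost\n0.0.0.0 a1.tracker.example  # pinned locally\n"
                "192.0.2.10 cdn.site.example\n")

if __name__ == "__main__":
    print(unpinned_hosts(SAMPLE_HTML, SAMPLE_HOSTS, include_links=True))
```
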



I think there are currently more reliable ways of fingerprinting.


Most of them rely on Javascript or some other "modern" browser feature.

Not very reliable when the user disables it or uses a client that does not support it.

HTTP headers are malleable yet I still see the big tech companies appearing to treat them as reliably identifying a program/device. A new user-agent string or set of HTTP headers is not necessarily a new program/device.



