Divyesh P K

Originally published at blog.pkdiv.com

Domain fronting: a missed validation that enabled stealth

Domain Fronting is a technique used to bypass filtering and surveillance by concealing the true destination of a request. It has been used to evade censorship, bypass security controls, and connect to C2 (Command and Control) servers.

HTTP History

The HTTP/1.0 protocol, developed in the early 1990s, assumed one host per IP address. As the internet grew and IPv4 addresses began to run out, HTTP/1.1 was developed. HTTP/1.1 made it possible for a single IP to be shared among many websites by introducing the Host header: the client opens a TCP connection to the server's IP, and the application layer reads the Host header of the HTTP request to respond with the appropriate website.

To secure these requests, TLS (formerly SSL) is used to encrypt the traffic. TLS faced the same problem of hosting multiple HTTPS websites on one IP, so SNI (Server Name Indication) was introduced as a TLS extension. SNI names the domain whose certificate the client expects the server to present when forming the TLS connection.

The rollout of these features, combined with the absence of any check that the name given at the TLS layer matches the name given at the HTTP layer, made this technique possible.

Domain Fronting

Domain Fronting leverages CDNs to mask traffic. The client sends a ClientHello to begin negotiating the TLS tunnel and, in that message, specifies the front domain (front.example.com) in the SNI field, so the TLS tunnel is established with the certificate and parameters of the front domain.

To an external observer, whether a company, a government or anyone else watching the connection, the client appears to be communicating with the front domain. The observer can see the SNI, and it is the only plaintext field from which the destination can be determined.

Once the TLS tunnel is established, all HTTP requests inside it are encrypted, including the Host header that carries the actual destination domain. The CDN routes each request to the destination domain using its internal routing. While routing, the CDN does not validate that the domain in the SNI matches the domain in the Host header. This is what allows Domain Fronting.
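The two names the post talks about live in different layers: the SNI is a plaintext extension inside the TLS ClientHello, the Host header is a line inside the encrypted HTTP request. The check below is an added example (not code from the post or from any CDN) of the validation an edge could perform once it has terminated TLS: extract the host_name from the ClientHello, extract the Host header from the decrypted request, and refuse to route when they disagree. The `build_client_hello` helper only constructs sample input so the checker can run offline; the domain names and the request bytes are constructed values.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # TLS extension type "server_name" (RFC 6066)


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal, constructed TLS 1.2 ClientHello record carrying an SNI
    extension. This is sample input for the checker below, not captured traffic."""
    name = server_name.encode("ascii")
    # ServerNameList { ServerName { name_type=host_name(0), host_name } }
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x11" * 32                               # random (constant, constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the lower-cased host_name from the SNI extension of a ClientHello
    record, or None if the record is not a ClientHello or carries no SNI."""
    try:
        if len(record) < 5 or record[0] != 0x16:          # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
            return None
        pos = 4 + 2 + 32                                  # handshake header, version, random
        sid_len = hs[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = hs[pos]; pos += 1 + cm_len
        if pos + 2 > len(hs):                             # no extensions block at all
            return None
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            data = hs[pos:pos + ext_len]; pos += ext_len
            if ext_type == SNI_EXTENSION_TYPE:
                p = 2                                     # skip ServerNameList length
                while p + 3 <= len(data):
                    name_type = data[p]
                    name_len = struct.unpack("!H", data[p + 1:p + 3])[0]; p += 3
                    if name_type == 0:                    # host_name
                        return data[p:p + name_len].decode("ascii", "replace").lower()
                    p += name_len
        return None
    except (struct.error, IndexError):                    # truncated or malformed record
        return None


def parse_host(request: bytes):
    """Return the Host header value (lower-cased, port stripped) from a raw
    HTTP/1.1 request, or None if there is no Host header."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:                  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def edge_check(client_hello: bytes, http_request: bytes):
    """The validation the post says CDNs skipped: the name the TLS tunnel was
    opened for (SNI) and the name inside the tunnel (Host) must agree.
    Returns (accepted, reason)."""
    sni = parse_sni(client_hello)
    host = parse_host(http_request)
    if sni is None or host is None:
        return False, "missing SNI or Host"
    if sni == host:
        return True, "SNI and Host agree"
    return False, f"fronting suspected: SNI={sni} Host={host}"


if __name__ == "__main__":
    hello = build_client_hello("front.example.com")
    honest = b"GET / HTTP/1.1\r\nHost: front.example.com\r\n\r\n"
    fronted = b"GET /beacon HTTP/1.1\r\nHost: real-destination.example.net\r\n\r\n"
    print(edge_check(hello, honest))   # (True, 'SNI and Host agree')
    print(edge_check(hello, fronted))  # (False, 'fronting suspected: ...')
```

For detection rather than blocking, the same comparison can be logged at a TLS-terminating proxy: a steady stream of requests whose Host never equals the SNI they arrived under is the signal the post's "missed validation" would otherwise hide. The exact-match rule here is deliberately strict; a real edge would normally accept any Host within the zone the SNI certificate covers.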

Is it still allowed (2025)?

Domain Fronting is now blocked by major platforms. While it helped bypass firewalls, mask destinations and overcome censorship, malicious actors abused the same quirk: it was used to connect to command-and-control servers, to distribute malware and for espionage.

In 2018 Russia blocked the IPs of all major CDNs to stop Domain Fronting, which caused outages for other companies and services using those CDNs. Google and AWS later disabled Domain Fronting so as not to be banned entirely. While no regulation directly bans the technique today, most providers voluntarily do not allow it.
