Domain fronting is used to conceal user traffic, cloaking it under a different domain. It’s ideal for circumventing censorship in countries like China and Egypt, although it has fallen out of favor in recent years after being blocked by a number of large CDNs.
Here’s a guide taking you through everything you need to know about domain fronting, beginning with the basics.
What is domain fronting?
Put simply, domain fronting hides your traffic when connecting to a specific website. It routes traffic through a larger platform, masking the true destination in the process. It’s hosted by a content delivery network (CDN), which is a term used to describe a network of proxy servers and data centers. A CDN can be used to host multiple domains.
The idea is to mirror legitimate traffic, allowing the user to bypass any restrictions as a consequence. When accessing a website, there are three types of requests:
- DNS request: Every device that connects to the internet has a unique IP address. A DNS (Domain Name System) request will convert a domain name into an IP address.
- HTTP: HTTP (Hypertext Transfer Protocol) is used to connect to hypertexts and the internet.
- TLS: TLS (Transport Layer Security) encrypts HTTP messages and provides a secure connection between servers and web browsers using HTTPS (Hypertext Transfer Protocol Secure).
Typically, a domain name uses a DNS server for an IP, connecting to the browser via HTTP or HTTPS. The domain remains the same at all times, and you’ll be connected to the associated website.
Domain fronting follows the same process outlined above, but it will make an HTTPS request that appears to be from a different domain. It does so by mimicking the secondary domain’s DNS and TLS requests. This will make it seem as though the user has connected from an unrestricted domain.
This method works because HTTPS protocols are encrypted. You can usually tell when HTTPS is being used to secure your online connection, because a lock icon will appear to the left of the URL at the top of your browser.
What is a Content Delivery Network (CDN)?
A Content Delivery Network (CDN) is made up of proxy servers and data centers dotted worldwide. It will route traffic to different servers to improve performance, and may store cached versions of websites to improve load times. They are also known as content distribution networks.
Domain fronting requires locating a hosting provider or CDN with a certificate that supports multiple target domains. In other words, if two domains are hosted on the same CDN, HTTPS can be used to make it seem as though the user is connecting via a website that is unrestricted. So, what’s the problem?
Google and Amazon close domain fronting services
Signal is a popular encrypted messaging service that used domain fronting to great effect. Despite being censored in countries like Egypt, Oman, Qatar, and UAE, there was a simple workaround that allowed users to gain access. As former Signal CEO Moxie Marlinspike explained;
“Unfortunately, a TLS handshake fully exposes the target hostname in plaintext, since the hostname is included in the SNI header in the clear. This remains the case even in TLS 1.3, and it gives a censor all they need.”
“However, several cloud environments were built with an idiosyncrasy that allowed us to work around this TLS metadata problem. Google and Amazon built their TLS termination layer separately from their request processing layer, such that it was possible to create what looked like a TLS connection for domain A with a request that would actually be received and processed by domain B. This is known as domain fronting.”
In other words, in order to block Signal’s domain, countries like Egypt, Oman, Qatar, and UAE would have to block google.com, which was being used to front the connection. It’s a smart workaround, as most countries would be unwilling to block every domain owned by a larger CDN.
However, it’s not infallible, and some regimes are more willing to block multiple larger domains than others. For example, in 2014, all Google services were blocked in China. This included;
- Play Store
In 2018, Google decided to stop supporting domain fronting entirely, and the same was true for Amazon (CloudFront), who followed shortly afterwards. The latter cited the rise of malware operations using domain fronting as the main reason for why it blocked support.
Alternatives such as Cloudflare have also stopped supporting domain fronting.
What is domain fronting used for?
Domain fronting is primarily used to access restricted content. It aims to bypass online censorship, which continues to rise each year. For example, we found that 27 countries appear to have upped censorship in 2022, such as Sri Lanka, who banned torrents, restricted the use of some VPNs, and enforced long blockages of social media due to protests in the country. It was also used by Tor to disguise traffic in blocked locations.
The workaround was compatible with various communication apps aiming to improve privacy, such as Signal, which is mentioned above. Telegram is another example, while advocacy group Access Now identified a dozen ‘human rights-enabling technologies’ that relied on domain fronting in 2018 (Psiphon, Lantern, Telex (in development), obsf4, ScrambleSuite, meek, meek_lite, Collateral Freedom, and GreatFire FreeBrowser).
Domain fronting can be used to conduct penetration tests. For example, Cobalt Strike software is used to emulate threats in a network. However, Cobalt Strike has also been used by malicious actors, as detailed below.
What is a domain fronting attack?
A domain fronting attack is when the workaround is used maliciously. After all, it’s more of a loophole than a dedicated feature, which is the reason why support was eventually removed by a number of larger services. For instance, rather than giving a user in China access to a blocked domain to bypass online censorship, the aim is to hide malicious infrastructure behind legitimate domains.
Domain fronting has been used by various individuals, groups, and even for state-sponsored cyberattacks. The technique helps hackers to evade detection, as it will appear to be legitimate traffic from CDNs. What’s the point of attacking via domain fronting? Malware is going to be a major concern, as well as the prospect of user data being stolen.
On a smaller scale, some companies (such as mobile operators) offer unlimited free usage of apps or sites like WhatsApp, Instagram, Facebook, and Netflix. Domain fronting has been used by scammers to make it appear as though their traffic is coming from a zero-rated website, avoiding any related charges.
Interestingly, a 2017 study into Zero-Rating fraud by Sandvine found the average user accessing the service via domain fronting ‘generated a monthly mean usage that was over 300 percent higher than the mean monthly average for all subscribers’.
Examples of a domain fronting attack
What does a domain fronting attack consist of, and what does it look like? Here are a few examples of domain fronting attacks from recent years.
Hacking and the Tor Network
In 2018, threat intelligence company Mandiant observed “Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years.”
To do so, ATP29 used the Tor network and a domain fronting plugin called meek, and took advantage of remote access. After gaining access to the system via malware, APT29 was able to use the loophole to extract data. Domain fronting made it seem as though ATP29’s traffic was legitimate.
Myanmar & Cobalt Strike
Cisco Talos discovered a hacker using domain fronting with the Cloudflare CDN in September 2021, redirecting a Myanmar government owned-domain to a different server. As for how it worked:
“When the Cobalt Strike beacon is launched, it will submit a DNS request for a legitimate high-reputation domain hosted behind Cloudflare infrastructure and modify the subsequent HTTPs requests header to instruct the CDN to direct the traffic to an attacker-controlled host.”
How to protect against domain fronting?
Cloud providers like Google and Amazon have ended support for domain fronting, but a few CDNs still offer support. Legitimate sites hosted by a CDN might not be aware of any abuse, and it’s possible that malware is present, waiting to infect other systems.
Ethical hackers Packetlabs recommend the use of a proxy server.
They “advise clients to install it for all Internet connections configured for TLS interception. A proxy server acts as an intermediary server that can view your network traffic. Configure it so that the HTTP 1.1 host header matches the URL domain. If there’s a mismatch, you can overwrite the domain and log the action. You can also create rules to raise alerts for mismatches.”
Mandiant, who discovered APT29’s hack, suggests “monitoring for potentially interesting events and attacker methodologies, like lateral movement and new persistence creation.”
However, it’s especially difficult to detect domain fronting, given the nature of the workaround. It’s supposed to be tough to identify.
Domain hiding or domain fronting
Domain hiding is a more recent technique that uses new methods to bypass blocking. It shares similar censorship-bypassing functionality to domain fronting, and works by passing an encrypted request for one resource, which is concealed behind an unencrypted (plaintext) request for another resource. Anyone checking out the connection will only be able to see the plaintext request, rather than the encrypted request.
Domain fronting made it easy to bypass online restrictions via a number of apps and services. It was popular before it stopped being supported by bigger CDNs like Google and Amazon in 2018, but it still exists today in some shape or form. Rather than attempting to impersonate a website, it was typically used to bypass online censorship, and worked successfully until it was halted by some of the biggest names within the sector.
Despite the many positives, it has also stopped being supported by a number of smaller services such as Azure, Google, Amazon, and more.