Explained: Domain fronting

Domain fronting is a technique of using different domain names on the same HTTPS connection. Put simply, domain fronting hides your traffic when connecting to a specific website. It routes traffic through a larger platform, masking the true destination in the process.

The technique became popular in the early 2010s in the mobile app development ecosystem, where developers would configure their apps to connect to a “front” domain that would then forward the connections to the developer’s backend. This way, the developer could expand their backend to deal with growing traffic and new features without constantly having to release app updates.

But as is true or many good things, it also comes with a flipside. Domain fronting allows malicious actors to use legitimate or high-reputation domains which will typically be on the allow-lists of defenders. The legitimate domains often belong to Content Delivery Networks (CDNs), but in recent years a number of large CDNs have blocked the method. The list includes Amazon (banned in 2018), Google (2018),  Microsoft (2022), and Cloudflare (2015).

A CDN is basically a large network of proxy servers and data centers and it can be used to host multiple domains. They are also known as content distribution networks. It’s what companies like Netflix use to deliver the requested content from a server near you.

For a “normal” connection to a website, a Domian Name System (DNS) finds the IP address for the requested domain name. As I explained in the blog DNS hijacks: what to look for, DNS is the phonebook of the internet to the effect that the input is a name and the output is a number. The number that belongs to what or who you want to reach.

With two domains hosted on the same CDN, HTTPS can be used to make it seem as though the user is connecting via a website that is unrestricted. HTTPS protocols are encrypted, so it can be used to discreetly connect to a different target domain. So an attacker can hide an HTTPS request to a restricted site inside a TLS connection to an allowed site.

In domain fronting, the process is the same but it will make an HTTPS request that appears to be from a different domain. It does so by mimicking the secondary domain’s DNS and TLS requests which makes it seem as though the user has connected from another domain. This method is popular as a means to evade online censorship and bypass restrictions.

The technique was adopted by online services like Tor, Telegram, and Signal to bypass internet censorship attempts in oppressive countries. When both Amazon and Google blocked domain fronting on their platforms, some suspected the Russian government was behind it because at the time, the Russian government blocked 1.8 million AWS and Google Cloud IP addresses in an attempt to frustrate access to Telegram’s instant messenger.

Because of the ability to hide backend infrastructure, domain fronting has also gained popularity within malware operations. They can use domain fronting to set up a command and control (C2) channel on a seemingly legitimate domain to bypass defensive techniques. The owners of good reputation sites cannot prevent their hostnames being abused for this activity.

The best defense against domain fronting in an enterprise organization is a cloud-based SWG (Secure Web Gateway) service with unlimited TLS interception capacity. A secure web gateway (SWG) is a network security technology that sits between users and the internet to filter traffic and enforce acceptable use and security policies. With an SWG or other tools with similar functionality, you can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS host header, and get a warning about domain fronting.


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

https://blog.malwarebytes.com/feed/

Leave a Reply