Domain fronting is a technique that uses different domain names in the Server Name Indication (SNI) extension of the TLS ClientHello and in the Host field of the HTTP header.
It is a useful technique for bypassing internet censorship, especially in third-world countries. Essentially, it hides your traffic to a specific website by making it look like traffic to a different domain. It is also one of the ways an attacker can obfuscate their activities.
A CDN refers to “a geographically distributed group of servers which work together to provide fast delivery of Internet content” (Cloudflare). It increases the availability of a webpage to a user based on the information they are requesting and where they are located.
The following lists examples of different CDNs:
A client sends an HTTP request with the actual destination set in the HTTP Host header. The DNS query and the TLS SNI contain one domain (known as the front domain), while the HTTP Host header, which is hidden from the censor by HTTPS encryption, contains the forbidden destination.
This circumvention technique disguises the true destination of the client’s message by rerouting the data through a content delivery network (CDN). Therefore, from the firewall’s perspective, the HTTPS request appears to be going to a legitimate website when in reality it is going to a malicious site that would usually be blocked. Domain fronting utilizes different domain names at different layers as you will see in the example below.
The DNS request and the TLS SNI appear in plaintext with the front domain, allowed.example. The forbidden domain, forbidden.example, appears only at the HTTP layer, in the Host header, which the censor cannot read because it is inside the encrypted session.
In order for domain fronting to work, both the malicious website and the legitimate site must be hosted by the same CDN.
The following lists some ways that domain fronting could be used:
As explained in the earlier section, attackers can use domain fronting to hide their malicious activity behind a legitimate website. For example, the Russian hacker group APT29 utilized the Tor network to communicate with infected machines and exfiltrate data.
Attackers may also use domain fronting to obfuscate malware command-and-control (C2) traffic, masking it within the CDN's ordinary traffic. The implant waits for appropriate instructions before it is directed to infect other systems.
The best way to defend against domain fronting is to “have a proxy server for all your internet connections leaving your corporate network that is configured for TLS interception” (Henson Security Tools). You can configure the proxy server to ensure that the “http 1.1 header matches the domain that is in the URL” and if the domains don’t match then you can generate an alert (Henson Security Tools).
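The check described above, written out as a detection pass over proxy logs. This is an added example and not code from the article or from Henson Security Tools. It assumes a TLS-intercepting proxy that records, per request, the TLS SNI name and the decrypted HTTP Host header in a simple text log; the log format, the sample lines and the allow-list mechanism are constructed for the example. Requests whose Host shares a registrable domain with the SNI (for example `www.site.example` served under `cdn.site.example`) are treated as benign, since that is how CDN front-ends normally behave; everything else is reported as a fronting candidate.

```python
"""
Flag SNI/Host mismatches in decrypted proxy traffic.

Added example, not code from the original article or from any vendor it
cites. It assumes a TLS-intercepting proxy that records, per request, the
TLS SNI name and the decrypted HTTP Host header in a simple text log; the
log format and the sample lines below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed log format: "<timestamp> sni=<name> host=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+sni=(?P<sni>\S+)\s+host=(?P<host>\S+)$")

# Constructed sample lines (not real traffic). Lines 2 and 4 front a
# forbidden site behind allowed.example; line 3 is a normal CDN subdomain.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z sni=allowed.example host=allowed.example
2024-01-01T10:00:01Z sni=allowed.example host=forbidden.example
2024-01-01T10:00:02Z sni=cdn.allowed.example host=www.allowed.example
2024-01-01T10:00:03Z sni=static.allowed.example host=FORBIDDEN.example.
"""


@dataclass
class Finding:
    ts: str
    sni: str
    host: str
    reason: str


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'FOO.example.' == 'foo.example'."""
    return name.strip().lower().rstrip(".")


def registrable_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption: two-label suffixes only;
    a production check should consult the Public Suffix List."""
    labels = normalize(name).split(".")
    return ".".join(labels[-2:])


def check_request(ts: str, sni: str, host: str,
                  allowed_pairs: Set[Tuple[str, str]] = frozenset()) -> Optional[Finding]:
    """Return a Finding when the HTTP Host does not belong to the SNI's site.

    The same registrable domain is treated as benign: CDN front-ends commonly
    serve www.site.example under an SNI such as cdn.site.example. Known-good
    (sni, host) pairs can be allow-listed explicitly.
    """
    sni_n, host_n = normalize(sni), normalize(host)
    if (sni_n, host_n) in allowed_pairs:
        return None
    if registrable_domain(sni_n) == registrable_domain(host_n):
        return None
    return Finding(ts, sni_n, host_n,
                   f"HTTP Host '{host_n}' does not match TLS SNI '{sni_n}'")


def scan_log(text: str, allowed_pairs: Set[Tuple[str, str]] = frozenset()) -> List[Finding]:
    """Parse every log line and collect mismatches; malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = check_request(m["ts"], m["sni"], m["host"], allowed_pairs)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding.ts, finding.reason)
```

Note that this check only works where the proxy actually terminates TLS; without interception the Host header is never visible, which is the whole point of the technique. The registrable-domain heuristic is deliberately lenient so that ordinary CDN traffic does not drown the alert queue; tighten it, or move to an explicit allow-list, once you know which SNI/Host pairs your environment legitimately produces.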
Unsupervised machine learning combined with JA3 fingerprints may be used to detect domain fronting. With unsupervised learning, the algorithm learns and recognizes patterns in the dataset it is given without needing labelled examples. JA3 fingerprints identify the client application and help determine whether or not it is malicious. Because JA3 is derived from the TLS handshake, it is extremely useful for encrypted communications, and therefore for detecting domain fronting as well. The fingerprint gives valuable information about the client: it can identify malware by how it communicates rather than by who or what it communicates with.
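To make the fingerprinting step concrete, here is the JA3 computation itself, as an added example that is not code from the article. It follows the published JA3 recipe: the five ClientHello fields (version, cipher suites, extension types, elliptic curves, point formats) are written as decimal values joined with `-`, the fields are joined with `,`, GREASE values are dropped, and the MD5 of that string is the fingerprint. The ClientHello values and the lookup table of "known" fingerprints below are constructed for the example, not captured from any real client or malware family; in practice the table would be populated from threat intelligence or from the clusters an unsupervised model produces.

```python
"""
Build a JA3 fingerprint from TLS ClientHello fields and look it up.

Added example, not code from the original article. It implements the
published JA3 recipe (decimal field values joined with '-', five fields
joined with ',', GREASE values removed, MD5 of the result). The ClientHello
values and the 'known fingerprints' table below are constructed for the
example, not captured from any real client or malware family.
"""
import hashlib
from typing import Dict, Iterable


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values look like 0x0a0a, 0x1a1a, ..., 0xfafa.
    JA3 drops them because clients randomise them per handshake."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _join(values: Iterable[int]) -> str:
    """Decimal values joined with '-', GREASE entries removed."""
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version: int, ciphers: Iterable[int], extensions: Iterable[int],
               curves: Iterable[int], point_formats: Iterable[int]) -> str:
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats"""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3_hash(s: str) -> str:
    """The JA3 fingerprint is the MD5 hex digest of the JA3 string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello: version 0x0303 (= 771), with one GREASE entry in
# each list that the fingerprint must ignore.
SAMPLE_HELLO = dict(
    version=0x0303,
    ciphers=[0x1A1A, 0x1301, 0x1302, 0x1303, 0xC02B],
    extensions=[0x2A2A, 0, 23, 65281, 10, 11],
    curves=[0x3A3A, 29, 23, 24],
    point_formats=[0],
)

# Constructed lookup table keyed by JA3 hash; the label is a placeholder.
KNOWN_FINGERPRINTS: Dict[str, str] = {
    ja3_hash(ja3_string(**SAMPLE_HELLO)): "constructed-sample-client",
}


def classify(hello: dict, known: Dict[str, str] = KNOWN_FINGERPRINTS) -> str:
    """Return the label recorded for a ClientHello's JA3 hash, or 'unknown'."""
    return known.get(ja3_hash(ja3_string(**hello)), "unknown")


if __name__ == "__main__":
    s = ja3_string(**SAMPLE_HELLO)
    print(s)
    print(ja3_hash(s), classify(SAMPLE_HELLO))
```

The fingerprint depends only on how the client negotiates TLS, so it stays the same whichever front domain the connection is hidden behind; that is what makes it a useful feature for the clustering step, and also why a fingerprint shared by a common browser is weak evidence on its own and should be combined with the SNI/Host check rather than used alone.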
In April 2018, Google and Amazon both stopped supporting domain fronting on their services. Since then, the rise of TLS 1.3 has enabled what could be considered an upgraded version of domain fronting, known as domain hiding. Based on Erik Hunstad's research, "network monitoring and internet censorship tools are able to be fooled on multiple levels". Encrypted Server Name Indication (ESNI) in TLS 1.3 can hide the true destination you are going to on a CDN without relying on the HTTP Host header the way domain fronting does.