Domain Fronting is a technique that uses different domain names in the Server Name Indication (SNI) field of the TLS handshake and in the HTTP Host header. It is a useful way to bypass internet censorship, especially in developing countries. It hides traffic to a particular website by disguising it as traffic to a separate domain. It is also one of the ways in which an attacker can conceal his activities.
How does Domain Fronting work?
The client sends an HTTP request to the destination specified in the HTTP Host header. The DNS query and the TLS SNI contain one domain (also known as the front domain), while the HTTP Host header, which is hidden from observers because HTTPS encrypts it, contains a different destination. This evasion technique hides the true destination of the client's message by routing the data through a content delivery network (CDN). So, from the firewall's perspective, the HTTPS request appears to be going to a legitimate website when it actually goes to a malicious site that is usually blocked. Domain fronting uses different domain names at different layers.
What is a Content Delivery Network (CDN)?
A CDN is "a group of geographically distributed servers that work together to provide faster delivery of Internet content" (Cloudflare). It speeds up web page access for the user based on the content they request and where they are located.
The following lists examples of different CDNs:
- Akamai
- Cloudflare
- CloudFront
The DNS query and the TLS SNI openly show the allowed front domain. Only the domain found in the HTTP layer, the forbidden one, is concealed, because it is not readable by the inspecting device. For domain fronting to work, both the malicious website and the legitimate site must be hosted on the same CDN.
Application:
Messaging applications such as Signal and Telegram have used domain fronting to evade censorship, allowing people in countries with strict internet restrictions, such as China and Russia, to use these programs. Those living in restricted countries can use domain fronting to access blocked content.
How Can You Protect Yourself:
The best way to protect yourself against domain fronting is to "have a server that hosts all your Internet connections