What Is Domain Fronting? How It Works and Why It Matters

What Is Domain Fronting?

Domain fronting is a technique for bypassing internet censorship and filtering by hiding the true destination of a connection. It exploits the way modern Content Delivery Networks (CDNs) operate: the TLS handshake is routed by one name and the HTTP request inside it by another, and nothing forces the two to match. You may have heard about domain fronting in the context of the Russian internet regulator Roskomnadzor (RKN) blocking Google servers, and the subsequent ban by Google and AWS on using their domains to circumvent such blocks.

How Domain Fronting Works

CDN edges typically have two components that operate independently of each other:

  • External part (TLS termination): completes the TLS handshake and presents a certificate chosen from the server name (SNI) the client sends in its ClientHello.
  • Internal part (HTTP routing): after decryption, reads the actual request, usually an HTTP request, and forwards it to the customer's origin selected by the Host header.

Because these two parts are separate, you can name one site in the handshake and, once the encrypted connection is established, send a request whose Host header names a different site on the same CDN. The certificate you receive is the front site's, so the client's certificate validation passes. This is especially interesting with public CDNs like AWS CloudFront, where anyone can buy a distribution and thereby place their own origin behind the same edges as many reputable sites.

How Censors See CDNs

Censors aim to restrict access to specific resources. With plain HTTP, blocking a particular page is straightforward because the URL is visible. With HTTPS, the path and the page content are encrypted, so blocking a specific page is impossible; what remains visible is the IP address and, as shown below, the host name. The simplest fallback is to block by IP address, but this has unwanted side effects, especially with CDNs, where many unrelated sites share the same IP and a single site is served from many IPs.

Modern browsers send the site name in plain text in the Server Name Indication (SNI) extension of the TLS ClientHello, before any encryption is negotiated. This lets ISPs and network operators see which host name you are connecting to and block it if they wish. (The Encrypted Client Hello extension, where both client and server deploy it, hides the name; most deployments at the time of writing do not.)

Experiment: How Domain Fronting Looks to a Censor

Let's see how a censor observes a connection and how domain fronting fools that view. For this demonstration we use tshark, but tcpdump or Wireshark work as well.

  1. In one terminal, start capturing the SNI field of every outgoing ClientHello (capturing usually requires root or capture privileges; add -i <interface> if the default interface is not the right one):
    tshark -T fields -Y 'tcp.dstport == 443 and ssl.handshake.extensions_server_name' -e ssl.handshake.extensions_server_name
    On Wireshark/tshark 3.0 and later the protocol prefix was renamed, so use tls.handshake.extensions_server_name in both the filter and the field.
  2. In another terminal, make an HTTPS request:
    curl -sI https://habr.com

In the first terminal you will see the site name (habr.com) printed, even though the connection is HTTPS: the name travels in the clear before the encrypted channel exists.

Surprising the Censor

Now let's reproduce the request cURL sent, but by hand, so that the TLS server name and the HTTP Host header are under our control. (The echo lines end headers with a bare LF rather than CRLF; the servers used here accept that.)

(echo HEAD / HTTP/1.1
echo Host: habr.com
echo Connection: close
echo) | openssl s_client -quiet -servername habr.com -connect habr.com:443

You’ll get the same response as before, and the log will show a connection to habr.com.

But if you change only the TLS server name and connect to a different domain served by the same CDN, leaving the Host header untouched:

(echo HEAD / HTTP/1.1
echo Host: habr.com
echo Connection: close
echo) | openssl s_client -quiet -servername habrahabr.ru -connect habrahabr.ru:443

You'll receive the same response as before, but the capture in the first terminal shows a connection to habrahabr.ru, not habr.com. The same trick works in reverse (servername habr.com, Host habrahabr.ru).

Other Examples

This technique also works with Yandex sites using their CDN:

(echo GET / HTTP/1.1
echo Host: music.yandex.kz
echo Connection: close
echo) | openssl s_client -quiet -servername music.yandex.ru -connect music.yandex.ru:443 | grep -Eo '<meta[^>]*?og:url[^>]*?>'

The censor's log shows a connection to music.yandex.ru, while the page actually returned is music.yandex.kz (the grep prints its og:url meta tag to prove it).

What’s Really Happening?

From the network's point of view you are connecting to one site (say, google.com): the destination IP, the SNI in the ClientHello and the certificate returned all belong to it. The HTTP request inside the encrypted channel, however, carries a Host header for another site on the same CDN, and it is the Host header that the CDN uses to route the request. The censor sees only the front domain, never the true destination, so blocking the destination by name or IP does not help unless the censor is willing to block the front as well.
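The following Python script is an added example that is not part of the original article. It reproduces the tshark experiment and the openssl s_client demonstrations above without touching the network: it asks Python's own ssl module to produce a real ClientHello for the front domain, parses the SNI out of it the way a passive DPI box would, and pairs it with the HTTP request that will travel inside the tunnel with a different Host header. A live variant that actually sends the fronted request is included but is not invoked offline. Host names are the same illustrative ones the article uses; whether a given pair still fronts today depends on the CDN's current policy.

```python
import socket
import ssl
import struct

# Added example (not code from the original article). Builds a real TLS
# ClientHello with Python's ssl module, parses the SNI out of it the way a
# censor's DPI box would, and pairs it with an HTTP request whose Host header
# names a different site on the same CDN. Domain names below are illustrative.


def client_hello_bytes(server_name: str) -> bytes:
    """Return the ClientHello OpenSSL would send for `server_name`, without a network.

    A MemoryBIO pair stands in for the socket: do_handshake() writes the
    ClientHello into `outgoing` and then raises SSLWantReadError because no
    ServerHello has arrived yet.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def extract_sni(record: bytes):
    """Parse a TLS record holding a ClientHello and return its SNI host_name, or None.

    This is the passive observer's view: every byte parsed here is plaintext.
    """
    # Record layer: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake layer: msg_type(1) length(3); 0x01 = client_hello
    if len(body) < 4 or body[0] != 0x01:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                              # legacy_version + random
    pos += 1 + hello[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + hello[pos]                                     # compression_methods
    if pos + 2 > len(hello):
        return None                                           # no extensions at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:                                # 0 = server_name (RFC 6066)
            continue
        # ServerNameList: list_length(2), then entries of name_type(1) length(2) name
        p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while p + 3 <= list_end:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            if name_type == 0:                                # host_name
                return data[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None


def http_request(host: str, method: str = "HEAD", path: str = "/") -> bytes:
    """The plaintext that goes *inside* the TLS tunnel; the observer never sees it."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def fronted_exchange(front: str, target: str) -> dict:
    """A domain-fronted request as seen from the two vantage points."""
    hello = client_hello_bytes(front)
    return {
        "censor_sees": extract_sni(hello),        # SNI names the front domain
        "cdn_routes_to": target,                  # Host header, visible only after decryption
        "request": http_request(target),
    }


def live_fronted_request(front: str, target: str, timeout: float = 10.0) -> str:
    """Send the fronted request for real and return the HTTP status line.

    Certificate validation is performed against `front`, which is exactly why
    fronting passes: the CDN's certificate covers the front domain. Needs network.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((front, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front) as tls:
            tls.sendall(http_request(target))
            return tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")


if __name__ == "__main__":
    view = fronted_exchange("habrahabr.ru", "habr.com")
    print("SNI in ClientHello (visible to censor):", view["censor_sees"])
    print("Host header inside TLS (CDN routing key):", view["cdn_routes_to"])
```

Running the script prints the front name as the only thing a censor can log, while the Host header that decides routing sits in the encrypted request. Call live_fronted_request("habrahabr.ru", "habr.com") from a networked machine to see the status line the target returns; if the CDN has since started enforcing that Host match SNI, you will get an error status instead, which is the countermeasure discussed later in the article.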

Real-World Use Cases

Domain fronting has been used by apps like Signal to bypass censorship in countries such as Egypt, by making their traffic look as if it were going to google.com. Google and Amazon eventually banned the practice on their platforms. Telegram has also used this method; the details can be found in its client source code.

However, domain fronting is only useful if the destination you want to reach (your own proxy, or the service itself) is hosted on the same CDN as the front domain; the Host header can only steer the request to origins that CDN serves. This is not considered a vulnerability in the CDN itself, so don't rush to report it as a security issue.

At the time of writing, many popular domains served from CDNs, such as media.tumblr.com, images.instagram.com, cdn.zendesk.com, and cdn.atlassian.com, could be used as fronts. Finding reputable domains that share a CDN with your origin and that censors are reluctant to block is just a matter of time and persistence.

Are Google and Amazon Helping the Bad Guys?

Some may wonder whether Google and Amazon are aiding censorship by blocking domain fronting. The answer isn't straightforward, because the same trick hides malware command-and-control traffic: an attacker's traffic looks, to the victim's network monitoring, like connections to a reputable front domain. Naturally, these companies don't want their domains used for criminal activity, which is why they restricted the technique.

It's likely that other CDNs will follow suit and limit or prohibit domain fronting. The usual countermeasure is to require that the Host header of each request match the SNI (or at least belong to the same customer) and to reject mismatches at the edge, rather than blocking domain fronting as a separate feature. If you run your own CDN, consider whether your services could be used for such purposes and decide how you want to handle it. At the very least, be aware that this is possible on your platform.
