Domain fronting is a technique that uses different domain names in different communication layers of an HTTPS connection to discreetly connect to a different target domain than that which is discernable to third parties monitoring the requests and connections.
- Domain fronting (Wikipedia)
victim computer -> CDN -> attacker domain
The only visible part for the Blue Team is the Server Name Indication (SNI) in the request.
- Use HTTPS
- Use a CDN so the Host HTTP header is the CND instead of the attacker’s domain. The attacker domain must be registered in the CDN. TLS 1.3 has an encrypted SNI (eSNI).
The CDN sends the request to the attacker domain.
GET / HTTP/1.1
Host: attacker-domain.com
User-Agent...
...
Limitations:
- Many CDNs now validate the the SNI or eSNI correspond to the Host HTTP header.
- Some companies break the HTTPS connection with an enterprise proxy.
- Some TLS inspection (like with Zscaler) can detect when the Host HTTP header does not match the SNI, and also remove eSNI from the request.
- It’s difficult to find a valid CDN.
- Not guarantied to be stealth depending on the company.
- Protected against domain fronting: Azure CDN, Azure Front Door.