Domain fronting hides the real destination of your traffic by making the connection look as though it is going to a different domain.
When you open a website, your browser goes through three steps, and each one names the site you want:
- A DNS request: the DNS (Domain Name System) is the address book of the internet. It translates the domain name into an IP address;
- An HTTP (Hypertext Transfer Protocol) request: HTTP is the protocol the browser uses to fetch pages from a web server, and the request names the site it wants in its Host header;
- A TLS (Transport Layer Security) connection that encrypts the HTTP exchange, turning it into HTTPS (Hypertext Transfer Protocol Secure), and secures the link between browser and server. The TLS handshake also names the site, in cleartext, in its Server Name Indication (SNI).
Normally a DNS server translates the domain name into an IP address, the browser opens a connection over HTTP or HTTPS, and the same domain appears at every one of these layers, so you are connected to the website you asked for.
With domain fronting, however, the DNS lookup and the TLS handshake (its SNI) name one domain, while the HTTP Host header, which travels inside the encrypted HTTPS session, names a different one. Because the Host header is encrypted, anyone watching the network sees only DNS and TLS requests for an unrestricted domain, and the connection gets through the censorship barrier.
For example, imagine you are in mainland China and want to reach YouTube, which is blocked. You hide YouTube behind a domain that is not forbidden: your DNS and TLS requests name China Daily, while the encrypted HTTP request inside names YouTube, and the shared server routes you there.
That’s how domain fronting hides the true destination of your connection.
How to use domain fronting
To make domain fronting work, both domains must be served by the same CDN (content delivery network). A CDN is a network of proxy servers that distributes online content by keeping copies of it on many servers. A single CDN hosts many customers' domains, and a user fetches content from the CDN edge server closest to them. The edge server decides which customer's content to serve from the HTTP Host header, not from the SNI, which is why the front domain and the real destination have to sit behind the same CDN.
Because the HTTP data is encrypted, all the traffic that is visible on the wire appears to be going to a legitimate CDN domain.
What is domain fronting used for?
- If you live in a country with heavy internet censorship, you can use domain fronting to reach restricted content. Reporters Without Borders lists 19 countries as Enemies of the Internet because of censorship; the list includes such large countries as Russia and the United States.
- Private messaging apps like Signal or Telegram use domain fronting to protect privacy and to bypass censorship. As a result, people can use these apps in countries with severe web restrictions, such as China and Russia.
- You can also hide your internet traffic by using it together with Tor’s Meek plugin. This might be useful if you want to browse freely in oppressive areas, but it can also be used for illegal activities.
Domain fronting abuse
Attackers can use domain fronting to hide their traffic behind a legitimate website. The Russian hacker group APT29 used the Tor network to communicate with infected machines and exfiltrate data; to make that traffic look legitimate, they combined it with Tor's Meek plugin.
Scammers can also use domain fronting for zero-rating fraud. Some mobile network plans let you use the internet for free on certain websites only (e.g., Facebook). By using domain fronting to make their traffic look like it is going to one of those zero-rated websites, scammers can browse for free.
Google and Amazon services
In April 2018, both Google and Amazon closed their domain fronting services. Until then, Google allowed using its servers as proxies to connect to other websites. However, this was more of a loophole in the system than a formally supported feature.
Amazon CloudFront’s service implements enhanced security features against domain fronting. They also actively discourage using their service for these purposes.
As a result, Google and Amazon services can no longer be used to bypass censorship this way. Companies behind privacy-focused apps like Signal, Wickr, or Telegram use alternative options.