Domain Fronting Technique
Evasion technique using CDN infrastructure to disguise C2 traffic by mismatching TLS SNI fields and HTTP Host headers.
Domain fronting is a technique that uses different domain names at different layers of a communication to covertly route traffic through trusted CDN providers. It exploits the discrepancy between the SNI field in the TLS handshake and the Host header in the HTTP request to disguise the true destination of network traffic.
In a domain fronting setup, the outer TLS connection specifies a legitimate high-reputation domain in the SNI field. Network inspection sees traffic destined for a trusted domain and allows it through. Once the TLS connection reaches the CDN edge server, the inner HTTP Host header specifies a different domain, which the CDN routes to the attacker's infrastructure. Because the inner HTTP header is encrypted within TLS, network monitoring tools only see the legitimate outer domain. This technique leverages the shared hosting nature of CDNs where thousands of domains share the same edge infrastructure.
Domain fronting enabled C2 communications to bypass even sophisticated network monitoring by hiding behind trusted cloud providers. This forced major CDN providers including Google, Amazon, and Microsoft to implement domain validation that prevents SNI/Host header mismatches. Understanding domain fronting is essential for security architects designing egress controls and for analysts investigating suspicious traffic patterns to trusted cloud services.
CDA examines domain fronting within the TID domain as a case study in evasion technique evolution. Theater missions cover both the technical implementation and the defensive responses, including DNS-over-HTTPS implications and CDN-based detection strategies. This technique exemplifies why CDA emphasizes understanding network fundamentals over relying on vendor-specific detection capabilities.
Written by CDA Editorial