Domain fronting is a useful tool for evading online censorship and accessing the internet freely, but it can also be used by hackers and scammers. Find out more about what domain fronting is and how it works.
Domain fronting hides your traffic to a specific website by cloaking it as a different domain.
When you try to enter a website, you send three types of requests: a DNS query, a TLS handshake, and an HTTP request.
The domain name is translated into an IP address by a DNS server, and the browser establishes a connection via HTTP or HTTPS. Normally the domain remains the same at all three levels, and you get connected to the website.
However, in the case of domain fronting, the DNS query and the TLS handshake refer to the same domain while the HTTP request inside the HTTPS connection names a different one. Because the HTTP layer is encrypted, a censor only sees the DNS and TLS requests, which appear to contain an unrestricted domain, so the connection can pass censorship barriers.
For example, imagine you are in mainland China and you want to access YouTube, which is blocked. In this case, you hide the request to YouTube behind a domain that isn’t forbidden. Your DNS and TLS requests will refer to China Daily while the encrypted HTTPS request will route you to YouTube.
That’s how domain fronting hides the true destination of your connection.
To implement domain fronting, both domains should be hosted by the same CDN (content delivery network). A CDN is a network of proxy servers that distributes online content by creating copies of it on different servers. A single CDN can host many domains, and a user can request content from the CDN server closest to them.
Because the HTTP request is encrypted, an outside observer sees only traffic to and from a legitimate CDN; the CDN itself is the only party that can see which of its hosted domains was actually requested.
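As an added example (not code from the original article), the check below is what a TLS-terminating proxy or CDN edge can run over its own logs to spot the mismatch domain fronting relies on: the TLS SNI names one domain while the HTTP Host header names another. The log format and all hostnames are constructed for the example.

```python
"""Flag requests whose HTTP Host header does not match the TLS SNI.

Only the TLS terminator (the CDN edge or your own reverse proxy) can see
both values, so this is where a fronting check belongs.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:00Z src=203.0.113.5 sni=cdn.example.net host=cdn.example.net status=200
ts=2024-01-01T10:00:01Z src=203.0.113.5 sni=cdn.example.net host=hidden.example.org status=200
ts=2024-01-01T10:00:02Z src=198.51.100.7 sni=shop.example.com host=SHOP.example.com:443 status=200
ts=2024-01-01T10:00:03Z src=198.51.100.7 sni=- host=www.example.com status=200
"""

# Hypothetical key=value layout; adapt the pattern to your proxy's format.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+sni=(?P<sni>\S+)\s+host=(?P<host>\S+)")


@dataclass(frozen=True)
class Finding:
    src: str
    sni: str
    host: str


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing dot and an explicit port."""
    name = name.strip().lower().rstrip(".")
    return name.split(":", 1)[0]


def find_fronting(log_text: str) -> list[Finding]:
    """Return every request whose Host header disagrees with its SNI."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed or unrelated line
        sni, host = normalize(m["sni"]), normalize(m["host"])
        if sni in ("", "-"):
            continue  # client sent no SNI: nothing to compare against
        if sni != host:
            findings.append(Finding(m["src"], sni, host))
    return findings


if __name__ == "__main__":
    for f in find_fronting(SAMPLE_LOG):
        print(f"SNI/Host mismatch from {f.src}: sni={f.sni} host={f.host}")
```

Only the second line is reported: the third differs only in case and port, and the fourth carries no SNI, so neither is a fronting signal on its own.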
Hackers can use domain fronting to hide their traffic under the cloak of a legitimate website. The Russian hacker group APT29 used the Tor network to communicate with infected machines and exfiltrate data. To make their traffic seem legitimate, they used domain fronting with Tor’s meek pluggable transport.
Scammers can also use domain fronting for zero-rating fraud. Some mobile network plans allow you to use the internet for free, but only for certain websites (e.g., Facebook). Scammers can disguise their traffic with domain fronting so that it looks like it is going to one of those zero-rated websites, and browse for free.
In April 2018, both Google and Amazon closed their domain fronting services. Until then, Google allowed using its servers as proxies to connect to other websites. However, this was more of a loophole in the system than a formally supported feature.
Amazon CloudFront’s service implements enhanced security features against domain fronting. They also actively discourage using their service for these purposes.
As a result, Google and Amazon services can no longer be used to bypass censorship. Companies behind privacy-focused apps like Signal, Wickr, or Telegram use alternative options.
NordVPN offers a 30-day money-back guarantee, so you can try it risk-free! It also has the private DNS feature that shields your DNS requests from third parties.