Domain fronting is a useful tool for evading online censorship and accessing the internet freely, but it can also be used by hackers and scammers. Find out more about what domain fronting is and how it works.
Jul 12, 2019 · 3 min read
Domain fronting hides your traffic to a specific website by cloaking it as a different domain.
When you try to enter a website, you send three types of requests:
The domain name is translated into an IP by a DNS server and the browser establishes a connection via HTTP or HTTPS. The domain remains the same in all of these levels, and you get connected to the website.
However, in the case of domain fronting, DNS and TLS will refer to the same domain while the HTTPS level contains a different domain. The HTTPS domain is encrypted, so it can bypass censorship barriers by making it seem as though your DNS and TLS requests contain an unrestricted domain.
For example, imagine you are in mainland China and you want to access YouTube, which is blocked. In this case, you obfuscate YouTube under a domain that isn’t forbidden. Your DNS and TLS requests will refer to China Daily while your HTTPS will reroute you to YouTube.
That’s how domain fronting hides the true destination of your connection.
To implement domain fronting both domains should be hosted by a CDN (content delivery network) server. A CDN is a network of proxy servers that distribute online content by creating copies of it on different servers. A single CDN can host many domains and a user can request content from the CDN server closest to them.
As the HTTP data is encrypted, it appears that all the data is coming from a legitimate CDN.
In April 2018, both Google and Amazon closed their domain fronting services. Until then, Google allowed using its servers as proxies to connect to other websites. However, this was more of a loophole in the system than a formally supported feature.
Amazon CloudFront’s service implements enhanced security features against domain fronting. They also actively discourage using their service for these purposes.
As a result, Google and Amazon services can no longer be used to bypass censorship. Companies behind privacy-focused apps like Signal, WickR, or Telegram use alternative options.
NordVPN offers a 30-day money-back guarantee, so you can try it risk-free!