Protect Your Organization from Domain Fronting

In 2018, Google closed its "domain fronting service." Before then, Google had allowed its servers to be used as "proxies" to connect to other websites. In a nutshell, this is what domain fronting is.

In this two-part blog, we demystify domain fronting, explain why it's a part of today's expanding threat landscape, and unpack some strategies to help you protect your organization.

To understand domain fronting, we must first revisit some basic Internet concepts.

Domain Fronting: a Summary

This article introduces domain fronting, a technique that leverages CDNs to conceal a connection’s true destination by making malicious traffic appear to originate from legitimate domains.

It reviews core Internet and CDN concepts, then explains how attackers exploit multi-tenant CDNs and host header/DNS mismatches to route traffic covertly. Although fewer CDNs support domain fronting since 2018, it remains a relevant threat; Part 2 will cover how attackers abuse it and ways to defend against it.

The Internet: Web Traffic, IP Addresses, and Routers

Every time you browse one of the 2 billion websites on the Internet, you become part of web traffic, also known as Internet Protocol (IP) traffic. The Internet is a global network of interconnected computers, each with a unique address to identify and differentiate it from the others. This address is its IP address.

Think of the Internet as a street with many houses, each identified by a unique number or IP address. Every website is hosted on a server. When you access a website through a browser, you generate IP traffic in the form of data bits and bytes. This data and your computer's IP address tell the webserver who is visiting the site. As you visit other websites, you move along different paths with your browser and generate more Internet traffic.

The Internet consists of multiple routers that forward user traffic to the right destination. Routers are owned by different Internet Service Providers (ISPs). No single ISP can reach every user, so ISPs interconnect their networks and exchange data traffic, allowing users worldwide to access the Internet seamlessly.

What is a Content Delivery Network (CDN)?

The early Internet's content consisted primarily of static web pages. Today, it consists of millions of dynamic web pages, user-generated content (UGC), stylesheets, images, JavaScript files, videos, and of course, streaming content.

Every website is located on a server, and the distance between the server and a user limits a website's loading speed. When the server and user are closer together, the website loads faster, and vice versa. For example, consider the websites of Yelp (crowd-sourced business reviews) or Whole Foods (multinational supermarket chain). Although both are accessible globally, their web servers are based in the U.S. So these sites will load more slowly for a user in Singapore than for a user in the U.S. A Content Delivery Network (CDN) eliminates this problem.

A CDN is a network of linked hosting servers. It routes traffic to whichever server has the least load to improve loading speeds and the user's website experience. The CDN stores cached versions of websites in multiple geographies with their own caching servers. It serves a copy of the web page from a server closest to the user to reduce latency and ensure fast and secure content delivery.

Today, most web traffic is served through CDNs, including traffic from major sites like Amazon, Netflix, Facebook, and millions of retail, finance, and healthcare sites.

And now, let's explore domain fronting.

What is Domain Fronting?

Hackers and scammers exploit a CDN's architecture for domain fronting. They use this technique to hide the true destination of encrypted Internet traffic behind legitimate traffic in a CDN. Simply put, hacker traffic "mirrors" reputable traffic, allowing them to get back-door access to data from a targeted network.

How Domain Fronting Works

For domain fronting, hackers take advantage of CDNs hosting multiple domains. Censors cannot block the CDN since this would also block other websites hosted on it. Hackers route their traffic to a CDN server, which then gets re-routed through a domain fronting server to its final destination. This process masks the hacker's traffic and makes it look like all Internet traffic is legitimate and coming from websites hosted on the CDN.

Every website is identified by two names: the DNS domain name in the URL, which the client resolves to an IP address (and which also appears in the clear in the TLS handshake), and the Host header inside the HTTP request. For a self-hosted website without a CDN, the two match. For websites hosted behind a CDN, they can differ: the CDN's edge server decides where to forward the request based on the Host header, and because the Host header travels inside the encrypted HTTPS session, an observer on the network sees only the DNS domain name. Hackers take advantage of this mismatch.

Hackers sign up for the same CDN service, which gives their own site a host name that the CDN recognizes. Infected clients then connect using the DNS domain name of a genuine website hosted on that CDN, such as Whole Foods Market, but send the hackers' host name in the Host header instead. The CDN forwards the request according to the Host header, so what appears on the network to be trusted website traffic to a legitimate CDN is actually routed to the hackers' server.

In Part 2, we will explore how bad actors use domain fronting to cause chaos in enterprise networks and systems.

Frequently Asked Questions

Question: What is domain fronting in simple terms?

Short answer: Domain fronting is a technique that hides the true destination of encrypted Internet traffic by making it appear to come from a legitimate, well-known domain hosted on a Content Delivery Network (CDN). In effect, attackers “borrow” the reputation and infrastructure of popular domains so their malicious traffic blends in as ordinary, trusted traffic.

Question: How do CDNs make domain fronting possible?

Short answer: CDNs host many different domains on shared infrastructure and route requests based on headers. Because censors or defenders can’t easily block an entire CDN without disrupting countless legitimate sites, attackers exploit this multi-tenant setup to route their traffic through the CDN, making it look like normal traffic to reputable domains.

Question: What’s the difference between a DNS domain name and an HTTP Host header, and why does it matter here?

Short answer: The DNS domain name is what you see in the URL and resolves to an IP address; the HTTP Host header is included in the request to indicate which site on a shared server you want. On self-hosted sites, these typically match. Behind a CDN, they can differ—attackers abuse this mismatch by supplying a Host header tied to their own CDN-backed endpoint while the visible DNS domain appears legitimate, covertly redirecting traffic to their server.
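The mismatch described in "How Domain Fronting Works" and in the answer above is also the signature a defender can look for. The following is an added example for this article, not Packetlabs code: it scans TLS-inspection or proxy log lines that record both the TLS Server Name Indication (SNI, which carries the same name the client resolved via DNS) and the HTTP Host header, and flags requests where the two disagree. The key=value log format, the field names `sni` and `host`, the sample lines and the allowlist are all constructed for the example; the "last two labels" domain comparison is a deliberate simplification of the Public Suffix List.

```python
"""Detect likely domain-fronting requests from proxy/TLS-inspection logs.

Added example, not the article's or Packetlabs' own code. Assumes a log line
is a series of space-separated key=value pairs carrying at least `sni` (the
TLS Server Name Indication, which matches the DNS name the client resolved)
and `host` (the HTTP Host header, visible only after TLS termination).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample log lines (not from any real vendor or incident).
# Line 2 carries the fronting signature: the SNI/DNS name is a genuine
# CDN-hosted site, but the Host header names a different tenant reached
# through the same CDN edge address.
SAMPLE_LOG = """\
ts=1700000000 src=10.0.0.12 dst=203.0.113.10 sni=www.genuine-shop.example.com host=www.genuine-shop.example.com
ts=1700000001 src=10.0.0.12 dst=203.0.113.10 sni=www.genuine-shop.example.com host=other-tenant.example.net
ts=1700000002 src=10.0.0.15 dst=203.0.113.11 sni=static.example.org host=cdn-assets.example.org:443
ts=1700000003 src=10.0.0.15 dst=198.51.100.7 sni=mail.example.com host=Mail.Example.com.
ts=1700000004 src=10.0.0.20 dst=203.0.113.12 sni=www.genuine-shop.example.com host=shop-api.partner.example
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    sni: str
    host: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (unknown keys are kept)."""
    return dict(KV_RE.findall(line))


def normalize_host(name: str) -> str:
    """Canonicalize a host name: lowercase, drop :port and a trailing dot."""
    name = name.strip().lower()
    # Leave bracketed IPv6 literals alone; only strip a port from host:port.
    if not name.startswith("[") and name.count(":") == 1:
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")


def registrable_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels). A real deployment should consult the
    Public Suffix List; this shortcut is an assumption of the example."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def classify(record: Dict[str, str],
             allow_pairs: Set[Tuple[str, str]]) -> Optional[str]:
    """Return a reason string if the record looks like domain fronting, else None."""
    sni = record.get("sni")
    host = record.get("host")
    if not sni or not host:
        return None  # nothing to compare without both names
    sni_n, host_n = normalize_host(sni), normalize_host(host)
    if sni_n == host_n:
        return None  # the normal case: the two names agree
    if (sni_n, host_n) in allow_pairs:
        return None  # documented benign mismatch (e.g. an approved CDN alias)
    if registrable_domain(sni_n) == registrable_domain(host_n):
        return None  # subdomains of the same organisation; low suspicion
    return f"SNI {sni_n!r} does not match Host {host_n!r}"


def find_fronting_candidates(log_text: str,
                             allow_pairs: Iterable[Tuple[str, str]] = ()) -> List[Finding]:
    """Scan every log line and return the ones flagged by classify()."""
    allow = {(normalize_host(a), normalize_host(b)) for a, b in allow_pairs}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reason = classify(rec, allow)
        if reason:
            findings.append(Finding(rec.get("ts", ""), rec.get("src", ""),
                                    rec.get("dst", ""), rec["sni"], rec["host"], reason))
    return findings


if __name__ == "__main__":
    # Constructed allowlist: the partner API is a documented, approved alias.
    approved = [("www.genuine-shop.example.com", "shop-api.partner.example")]
    for f in find_fronting_candidates(SAMPLE_LOG, approved):
        print(f"{f.ts} {f.src}->{f.dst}: {f.reason}")
```

This check only works where the Host header is visible, which means at a TLS-terminating proxy or at the CDN edge itself; on an uninspected network the Host header is inside the encrypted session and only the SNI/DNS name can be seen. Expect an allowlist to be necessary in practice, since some CDN customers legitimately serve one site under several host names.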

Question: If Google shut down domain fronting in 2018, is this still a threat?

Short answer: Yes. While Google and several other providers reduced or removed support, domain fronting hasn’t disappeared entirely. Fewer CDNs support it today, but the technique remains viable and relevant in the modern threat landscape.

Question: Why can’t defenders or censors simply block the domains being used?

Short answer: Blocking a fronted domain often means blocking part of a major CDN, which would disrupt many legitimate services (e.g., retail, finance, media). This collateral damage makes broad blocking impractical, allowing fronted traffic to slip through under the cover of trusted, high-volume domains.

Conclusion

Although very few CDNs now support domain fronting, it remains a viable cybersecurity threat for organizations. In Part 2 of this blog, we explore some strategies to protect your organization from bad actors leveraging this clever hacking technique.
