Domain Fronting Host Header
But the Host header can often mismatch by design.
In this simplest case the DNS domain and the Host header match. The second address is the Host header in the HTTP request header above. The Host header tells the web server which virtual host to use, if virtual hosts are set up. In this case you can still read that header manually in your web app if you want to provide different behavior based on the domain addressed.
You can even have the same virtual host serve several alias domains and wildcard domains. The DNS resolution and initial connection setup occur for the high-reputation domain, while the Host header, the true destination, is then set to the attacker-controlled domain located on the same CDN. It also hopefully won't dare to. Domain fronting works at the HTTPS layer, where the hostname requested differs between layers.
Domain fronting does not conform to HTTP standards that require the SNI extension and the HTTP Host header to contain the same domain. In a request using domain fronting, the DNS query and the SNI contain a front domain, while the HTTP Host header, which remains hidden from the censor by HTTPS encryption, carries the domain that is actually wanted. Among other use cases. The HTTP Host header is invisible to the censor, but not to the frontend server.
Domain fronting is the single best way to circumvent censorship by a firewall that ever happened. Domain fronting in a nutshell by rukavitsya. Large cloud service providers, including Amazon and Google, now actively prohibit domain fronting, which has made it largely non-viable as a censorship bypass technique. The Host header is only transmitted via TLS, so no firewall can see it.
HTTP/1.1 introduced the concept of a Host header, which allows the server to host multiple virtual hosts that are selected based on the host name provided, hence the term named virtual hosts. In domain fronting, the hostname is the same in the DNS request and the SNI, whereas the HTTP Host header, which is hidden from censors by HTTPS encryption, carries another hostname.
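Because the frontend server sees both the SNI and the decrypted Host header, it is the place where the two can be compared. The sketch below is an added example, not code from the original page: it classifies records from a TLS-terminating proxy and allows the by-design mismatches (aliases and wildcard domains) mentioned above. The record fields, the alias map and all hostnames are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed allowlist: SNI name -> Host patterns served by the same virtual host.
# Note that "*" in fnmatch also spans dots, so it covers nested subdomains.
ALIASES = {
    "www.shop.example": ["shop.example", "*.shop.example"],
}

def normalize(name):
    """Lower-case a Host/SNI value and drop any :port suffix and trailing dot."""
    name = name.strip().lower()
    if name.startswith("["):                  # bracketed IPv6 literal in Host
        return name[1:name.find("]")]
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        name = host
    return name.rstrip(".")

def classify(sni, host):
    """Return 'match', 'alias', 'mismatch' or 'no-sni' for one request."""
    if not sni:
        return "no-sni"                       # client sent no SNI; nothing to compare
    s, h = normalize(sni), normalize(host)
    if s == h:
        return "match"
    if any(fnmatchcase(h, pattern) for pattern in ALIASES.get(s, [])):
        return "alias"                        # expected mismatch, same virtual host
    return "mismatch"                         # SNI and Host name different sites

# Constructed sample records, shaped as a TLS-terminating proxy might log them.
RECORDS = [
    {"sni": "www.shop.example", "host": "www.shop.example"},
    {"sni": "www.shop.example", "host": "IMG.shop.example:443"},
    {"sni": "cdn-front.example", "host": "hidden-origin.example"},
    {"sni": "", "host": "legacy.example"},
]

def review(records):
    """Classify every record and keep the inputs beside the verdict."""
    return [(r["sni"], r["host"], classify(r["sni"], r["host"])) for r in records]

if __name__ == "__main__":
    for sni, host, verdict in review(RECORDS):
        print(f"{verdict:9} sni={sni or '-'} host={host}")
```

A `mismatch` verdict is a lead for review rather than proof of fronting, since an incomplete alias map produces the same result.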