Domain Fronting Vs Proxy

To read more about domain fronting.

Domain fronting vs proxy. T1090 004 domain fronting adversaries may take advantage of routing schemes in content delivery networks cdns and other services which host multiple domains to obfuscate the intended destination of https traffic or traffic tunneled through. A proxy server is a server that acts as a middleman in the flow of your internet traffic so that your internet activities appear to come from somewhere else. Mon 11th feb 19. This policy would block any request if the http connect host differs from the host in the url.

New access log fields. Hardware proxy by default layer 2 unknown unicast traffic is sent to the spine proxy. In the course of this research it quickly became clear that domain fronting is currently possible despite news reports from a year ago claiming that it had been disabled by the major cloud providers. It works well as a domain hiding component of a larger circumvention system an https tunnel to a general purpose proxy.

You could connect to a proxy server located within the. Fronting hides its address from the censor and allows parties to evade blocks and access it. If the destination is not known send the packet to the spine proxy. You can add the following new access log fields to an access log format to help track possible domain fronting attempts.

If the spine proxy also does not know the address discard the packet default mode. The utility of domain fronting is not limited to https communication nor to accessing only the domains of a specific web service. Domain fronting has been around for years and i ve always understood the concept but never actually looked at exactly how it works. It send internet traffic to a cdn in this case google over an encrypted connection and the cdn then passes back this info to the proxy.

That was until recently when i did some work with chris truncer who had us set it up as part of a red team test. This behaviour is controlled by the hardware proxy option associated with a bridge domain. Domain fronting other sub techniques of proxy 4 id name. For those that are relying on either a transparent proxy for example azure firewall or aviatrix or an http connect proxy squid being a popular open source product this can be a major.

That was the point i had to get down and understand the actual inner. I m currently working on a project that uses a technique called domain fronting. Let s say for example you are physically located in new york city and you want to log into a website that is geographically restricted to only people located in the united kingdom. The hosts header domain being a proxy would be blocked by the censor if accessed directly.

A 101 on domain fronting.