What Is Domain Fronting and How Does It Work?

Rishav Kumar · November 28, 2025 · 4 min read

Domain fronting is a networking technique that gained significant attention in cybersecurity and privacy circles because it allowed traffic to pass through censorship systems by appearing to connect to a legitimate, whitelisted destination while actually communicating with a different server. Understanding how it works requires understanding a few layers of how HTTPS connections are established.

The Key Distinction: SNI vs Host Header

When a browser initiates an HTTPS connection, two different pieces of information identify the intended server, and they occur at different points in the process.

The first is the Server Name Indication (SNI) extension in the TLS handshake. Before encryption is established, the browser sends the hostname of the server it wants to connect to in plaintext. This allows the server or CDN to present the correct certificate even if many domains share the same IP address. Because SNI is sent before encryption, it is visible to anyone monitoring the network, including firewalls and censorship systems.

The second is the Host header in the HTTP request, which is sent after the TLS tunnel is established and is therefore encrypted. This header tells the server which domain the browser is actually requesting.

How Domain Fronting Exploits This

Domain fronting exploits the fact that large CDNs serve many different customers from the same IP addresses. When you connect to a CDN IP address, you complete TLS with the CDN itself, not with your final destination. The CDN then forwards your request to the appropriate origin server based on the HTTP Host header.

Whether it is used as an attack or as a privacy technique, domain fronting works the same way: the client sets the SNI to a legitimate, widely trusted domain hosted on the same CDN. For example, it might use a Google or Amazon domain that appears on every whitelist. The firewall sees the SNI and allows the connection because it looks like the client is connecting to a trusted service.

After the encrypted tunnel is established, the HTTP Host header inside it specifies the actual intended destination, which might be a blocked service. The CDN, which is the entity reading the Host header, forwards the request accordingly. The firewall never sees the true destination because it was hidden inside the encrypted channel.

Why This Was Useful for Privacy Tools

Signal, the encrypted messaging app, publicly documented their use of domain fronting to keep the service accessible in countries where it was blocked. By routing traffic through a Google-operated domain, they made it appear that users were connecting to Google rather than Signal. Because blocking Google would disrupt huge amounts of legitimate traffic, censors were reluctant to block the entire IP range. Signal fronted their traffic through Google's App Engine infrastructure.

Tor also used domain fronting as a circumvention technique in some configurations, allowing users in highly censored environments to access the Tor network even when Tor-specific traffic was blocked.

Why Major CDNs Blocked It

In 2018, both Google and Amazon disabled domain fronting on their CDN infrastructure. Amazon explicitly prohibited it in their terms of service. Google made changes to how their App Engine handled host headers that effectively broke the technique. The stated reasons varied, but the practical effect was that these platforms could no longer be used for domain fronting regardless of the intent.

The CDN perspective on domain fronting is understandable: it allows someone to use their infrastructure to route traffic to destinations the CDN has not agreed to serve. This creates liability and policy problems. If domain A is fronting traffic to blocked-service B, the CDN is effectively acting as a proxy for B without any contractual relationship or ability to apply their content policies.
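The control the CDNs ended up applying amounts to a consistency rule at the TLS-terminating edge: the Host header inside the tunnel must name the same customer property as the SNI that was used to select the certificate. The following is an added example of that rule, written for this page and not taken from Google's, Amazon's or any CDN's actual code. It assumes the edge has both values available after TLS termination, normalises them (case, trailing dot, port), allows an explicit per-customer alias table, and can be run over edge-log records to surface mismatches as a detection signal. All hostnames and log records are constructed sample values.

```python
from typing import Dict, Iterable, List, Mapping, Optional, Set, Tuple

# Constructed alias table: a customer's front name and the Host values it is allowed
# to carry. Anything not listed is treated as a different, un-contracted destination.
ALIASES: Dict[str, Set[str]] = {
    "shop.example": {"www.shop.example", "cdn.shop.example"},
}

# Constructed edge-log records (what a TLS-terminating proxy would have after the
# handshake and the first request). Not real traffic.
EDGE_LOG: List[Dict[str, Optional[str]]] = [
    {"sni": "cdn-front.example", "host": "cdn-front.example"},
    {"sni": "shop.example",      "host": "www.shop.example"},
    {"sni": "cdn-front.example", "host": "blocked.example"},       # fronting pattern
    {"sni": "cdn-front.example", "host": "CDN-Front.example.:443"},
]


def normalize_host(value: Optional[str]) -> Optional[str]:
    """Canonicalise a hostname for comparison: lower-case, drop a trailing dot and a :port."""
    if not value:
        return None
    host = value.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal such as [::1]:443
        host = host.split("]")[0] + "]"
    elif host.count(":") == 1:               # hostname:port
        host = host.split(":")[0]
    return host.rstrip(".") or None


def check_front_consistency(
    sni: Optional[str],
    host: Optional[str],
    aliases: Optional[Mapping[str, Iterable[str]]] = None,
) -> Tuple[bool, str]:
    """Decide whether a request may be forwarded to the origin selected by Host.

    Returns (allowed, reason). The request is allowed only when Host equals the SNI
    or is an explicitly registered alias of it; anything else is the fronting shape
    the article describes, where the CDN would be proxying for a party it has no
    agreement with.
    """
    s = normalize_host(sni)
    h = normalize_host(host)
    if s is None:
        return False, "sni_absent"           # nothing to compare against; deny by policy
    if h is None:
        return False, "host_absent"
    if s == h:
        return True, "match"
    if aliases:
        allowed = {normalize_host(a) for a in aliases.get(s, ())}
        if h in allowed:
            return True, "alias"
    return False, "host_sni_mismatch"


def find_fronting_candidates(
    records: Iterable[Mapping[str, Optional[str]]],
    aliases: Optional[Mapping[str, Iterable[str]]] = None,
) -> List[Mapping[str, Optional[str]]]:
    """Return the log records whose Host names a destination the SNI does not cover."""
    return [
        r for r in records
        if check_front_consistency(r.get("sni"), r.get("host"), aliases)[1] == "host_sni_mismatch"
    ]


if __name__ == "__main__":
    for rec in EDGE_LOG:
        print(rec, "->", check_front_consistency(rec["sni"], rec["host"], ALIASES))
    print("mismatches:", find_fronting_candidates(EDGE_LOG, ALIASES))
```

Only the record carrying `blocked.example` behind the `cdn-front.example` SNI is reported; the upper-case, dotted, port-suffixed variant normalises to a match, and the alias-table entry is accepted. Denying on an absent SNI is a policy choice made explicit here rather than something the article prescribes.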

ECH: The Successor Technology

Encrypted Client Hello (ECH), formerly called ESNI, is a newer TLS extension that encrypts the SNI. With ECH, the SNI is no longer visible to network observers. This achieves a similar privacy goal to domain fronting, hiding the true destination of HTTPS connections, but through a standardised protocol extension rather than an abuse of CDN routing. ECH is gaining browser and server support and represents the direction the web is moving for this use case.