Research Notes - cisagov/findcdn GitHub Wiki

This page collects notes and findings from our research for anyone who is using, or considering using, this tool.

Using ESNI to Front Domains

As we have stated in our Domain Fronting page, domain fronting can be accomplished by:

  • Changing the HTTP Host header to the restricted domain and using HTTPS.
    • The Host header is carried inside the encrypted HTTPS payload.
    • HTTPS prevents intermediate routers and firewalls from inspecting and blocking the request.
  • Setting the URI (the visible, intended destination domain) to a resource that the firewall allows us to access.
    • This allowed URI needs to be on the same Content Delivery Network (CDN) as our blocked domain.
  • When the request is sent, the intermediate firewalls allow it through, since they only see the permitted domain.
  • The CDN receives the request, decrypts the HTTP headers, and then routes the request based on the HTTP Host header.

As mentioned in the mitigation section, a CDN can compare the decrypted HTTP Host header with the clear-text server name indication (SNI) value sent in the TLS handshake. This is the mitigation that services such as CloudFront and Cloudflare have implemented, and it makes it hard to front a domain successfully without receiving the dreaded 421 Misdirected Request error code.

Due to privacy concerns, SNI is being extended with an encrypted variant called Encrypted SNI (ESNI). With ESNI, everything from the HTTP headers to the TLS server name is sent encrypted. Although ESNI was created with good intentions, it can be used to circumvent the protections that prevent domain fronting: if the SNI is encrypted, Cloudflare cannot read what is inside it and therefore cannot compare the HTTP Host header to the SNI. That comparison is what stopped domain fronting on Cloudflare in the first place; thus, domain fronting works again on Cloudflare with this new technology (read more about this in our Cloudflare playbook).

Because ESNI support is limited to Cloudflare as of this writing, this bypass cannot be used against other CDN providers.

Not All Cloudfront Domains Are "Unfrontable"

As of April 2018, CloudFront, an Amazon service, has limited the ability to perform domain fronting. Domain fronting no longer works between domains hosted in different AWS accounts. As stated by CloudFront: "[i]f the two AWS accounts do not match, CloudFront will respond with a '421 Misdirected Request' response to give the client a chance to connect using the correct domain."

  • More technical information from CloudFront on these changes is available here.
  • Check out the CloudFront playbook here for more information.
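To make the mitigation concrete, here is an added example (not code from findcdn or from any CDN) of the edge-side check described in the ESNI section and in the CloudFront note above: the Host header is compared with the SNI, a same-owner rule models CloudFront's AWS-account comparison, and the case where the SNI is unreadable (ESNI) shows why the check cannot fire. The hostnames, the owner table and the `check_front` function are constructed for illustration.

```python
"""Edge-side Host/SNI consistency check, modelling the 421 mitigation."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: which tenant (think "AWS account") owns each hostname.
# A real CDN keeps this in its distribution / zone configuration.
HOST_OWNER = {
    "allowed.example.com": "tenant-A",
    "cdn-assets.example.com": "tenant-A",
    "blocked.example.org": "tenant-B",
}


@dataclass
class Verdict:
    status: int   # HTTP status the edge would return
    reason: str


def check_front(sni: Optional[str], host: str) -> Verdict:
    """Decide whether a request may be routed by its HTTP Host header.

    sni  -- server name from the TLS ClientHello, or None when the edge
            could not read it (the Encrypted SNI case from the notes).
    host -- value of the decrypted HTTP Host header (port is ignored).
    """
    host = host.split(":")[0].lower()
    if host not in HOST_OWNER:
        return Verdict(404, "unknown host")
    if sni is None:
        # Nothing to compare against: with ESNI the edge only sees the
        # Host header, so the mismatch check silently disappears.
        return Verdict(200, "SNI unavailable; routed on Host alone")
    sni = sni.lower()
    if sni == host:
        return Verdict(200, "host matches SNI")
    if HOST_OWNER.get(sni) == HOST_OWNER[host]:
        # CloudFront-style rule: domains in the same account may share a
        # connection, so this is not treated as fronting.
        return Verdict(200, "host and SNI owned by the same tenant")
    return Verdict(421, "Misdirected Request: Host/SNI owner mismatch")


if __name__ == "__main__":
    for sni, host in [("allowed.example.com", "blocked.example.org"),
                      ("allowed.example.com", "cdn-assets.example.com"),
                      (None, "blocked.example.org")]:
        print(f"SNI={sni!s:24} Host={host:24} -> {check_front(sni, host)}")
```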