DEF CON: New tool brings back 'domain fronting' as 'domain hiding'

After Amazon and Google stopped supporting the censorship-evading domain fronting technique on their clouds in 2018, the new Noctilucent toolkit aims to bring it back in a new form as "domain hiding."
Written by Catalin Cimpanu, Contributor
Image: Erik Hunstad

At the DEF CON 28 security conference this week, a security researcher released a new tool that can help the makers of sensitive applications evade censorship and bypass firewalls to keep services up inside problematic areas of the globe.

The new tool, named Noctilucent, was developed by Erik Hunstad, Chief Technical Officer at cyber-security firm SixGen.

According to Hunstad, Noctilucent fills the void left when cloud providers like Amazon and Google blocked "domain fronting" on their infrastructure.

Hunstad said he used the new TLS 1.3 protocol to revive domain fronting (sort of) as an anti-censorship technique, but in a new form that the researcher calls "domain hiding."

What is domain fronting

Domain fronting is a technique that was made popular by mobile app developers in the 2010s and has been used to allow apps to bypass censorship attempts in oppressive countries.

The domain fronting technique allows clients (apps) to connect to a "front" domain, which then forwards the connection to the app maker's real infrastructure.

Countries that want to block an app protected by domain fronting only see the front domain, due to a technicality in how HTTPS connections are negotiated. See the Wikipedia explanation below:

"In a domain-fronted HTTPS request, one domain appears on the "outside" of an HTTPS request in plain text -- in the DNS request and SNI extension -- which will be what the client wants to pretend they are targeting in the connection establishment and is the one that is visible to censors, while a different domain appears on the "inside" -- in the HTTP Host header, invisible to the censor under HTTPS encryption -- which would be the actual target of the connection."

If a country blocks the front domain, an app's operators only have to rotate to a new front domain, while keeping their actual and larger infrastructure in the same place -- without having to migrate thousands of servers.


Domain fronting still works today, but there are very few hosting providers that allow it. Most companies fear that they might have their entire infrastructure blocked inside a country wanting to block one or more applications.

While some providers still support it, domain fronting died in the spring of 2018, when Amazon and Google dropped support for the technique, under threats from the Russian government, which at the time wanted to block access to the Telegram app at any cost.

Telegram found other ways to hide from Russian internet censors, and the Russian government eventually rescinded the ban; however, domain fronting was never restored on AWS and Google Cloud -- effectively ending its broad use.

What is domain hiding

But since 2018, new technologies have had a chance to grow. TLS 1.3, which had been a stable protocol for barely a few weeks when domain fronting was banned, is now widely used across the internet.

Hunstad says that under certain and easy-to-recreate conditions, apps can revive domain fronting with the help of newer technologies, and create new types of "front" domains that keep internet censors and firewalls blind to the true destination of a network connection.

"This new technique, which I'm calling domain hiding, accomplishes the same goals as domain fronting, but uses different technologies," Hunstad said in his DEF CON talk.

The technique is not entirely identical to domain fronting, but is actually much cleverer because it also tricks firewalls and other network monitoring technologies into thinking the user is accessing a different website than the one the app/user is actually accessing.

For example, in a "domain hiding" connection, an app might appear to be initiating an HTTPS connection to firefox.com, but behind the scenes, it's actually connecting to desired-site.com.

This is possible because the client (app) displays incorrect information in the HTTPS connection's plaintext fields, while the connection's encrypted fields contain different information, which is what servers honor.

TLSHost -- firefox.com (plaintext/visible)
SNI -- firefox.com (plaintext/visible)

HTTP Host header -- desired-site.com (encrypted/not visible)
ESNI -- desired-site.com (encrypted/not visible)


Hunstad's new Noctilucent tool, open-sourced on GitHub this week, automates the process of hiding domains with the researcher's new technique.

The tool was built to use Cloudflare as a host for "front" domains.

To use Noctilucent, Hunstad says apps have to support TLS 1.3 when initiating HTTPS connections, and also have to have their domain DNS records managed via Cloudflare (as the true domain is hidden among other Cloudflare-hosted domains).

Hunstad says domain hiding has advantages when compared to domain fronting. The biggest is that apps don't have to host all their infrastructure on the same provider as they had to do with the older domain fronting technique.

Domain hiding now allows app makers to host their domain DNS records on Cloudflare, but host their actual servers anywhere and with any hosting provider they want.

However, just like most tools, Noctilucent has its good and bad sides. While the tool can help apps set up a new form of domain fronting and avoid censorship, it can also be useful in hiding malware command-and-control servers -- something that some security researchers might need to take note of for future incident response investigations.
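For incident responders, the plaintext/encrypted split listed earlier suggests a triage check: parse the TLS ClientHello and flag connections that carry an encrypted SNI extension next to a visible SNI, since the visible name may not be the real destination. The Python code below is an added example, not part of Noctilucent or the original article; it assumes the draft ESNI extension code point 0xffce, and the ClientHello builder and its all-zero ESNI blob are constructed test data.

```python
import struct

EXT_SNI = 0x0000   # server_name, sent in plaintext
EXT_ESNI = 0xFFCE  # encrypted_server_name, draft ESNI code point (assumption)

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(sni=None, esni_blob=None):
    """Constructed sample record for exercising the parser (not a capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        exts += _ext(EXT_SNI, struct.pack("!H", len(entry)) + entry)
    if esni_blob is not None:
        exts += _ext(EXT_ESNI, esni_blob)  # opaque placeholder, not real ESNI
    body = (b"\x03\x03" + bytes(32) + b"\x00"    # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"  # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def inspect_client_hello(record):
    """Return (cleartext_sni, has_esni) for a single-record ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                     # headers, version, random
    pos += 1 + record[pos]                               # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher suites
    pos += 1 + record[pos]                               # compression methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    sni, has_esni = None, False
    while pos + 4 <= min(end, len(record)):
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        data = record[pos + 4:pos + 4 + ext_len]
        if ext_type == EXT_SNI and len(data) >= 5:
            name_len = struct.unpack_from("!H", data, 3)[0]
            sni = data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == EXT_ESNI:
            has_esni = True
        pos += 4 + ext_len
    return sni, has_esni

def classify(record):
    sni, has_esni = inspect_client_hello(record)
    if has_esni and sni:
        return f"review: ESNI present, visible SNI {sni} may not be the destination"
    return "esni-only: destination not visible" if has_esni else f"plain: SNI {sni}"
```

A hit is a lead for further investigation rather than proof of abuse: the check only shows that the handshake's visible name cannot be trusted as the destination.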

Additional technical details are available in Noctilucent's GitHub repo and Hunstad's DEF CON talk below.
