2021-wei-domain
findings extracted from this paper
-
Active-probing censors who discover a shadow domain can be defeated by adding a CDN rule that fetches from the blocked back-end only when a secret custom request header is present; a probe without that header receives an innocuous response from the CDN instead. Layering domain fronting over domain shadowing (DfDs) hides the shadow domain further: the client puts an allowed front domain in the DNS query and TLS SNI and sets the Host header to the shadow domain, so the shadow domain appears only inside the encrypted HTTP request and a passive censor has no name to probe. DfDs therefore only works on CDNs that still tolerate an SNI/Host mismatch.
-
Of the 6 major CDNs surveyed (Google Cloud CDN, AWS CloudFront, Azure CDN, Fastly, Cloudflare, StackPath), 5 support full API automation of the three steps domain shadowing requires: binding the front-end domain, setting the back-end origin, and rewriting the Host header sent to that origin. Cloudflare offers Host header rewriting only on enterprise-tier accounts, so it is unusable for this purpose without a paid upgrade. All six CDNs allow an arbitrary back-end domain to be bound by design, and because the back-end is specified by name, a user can point a domain of their own at the blocked back-end via a DNS CNAME, sidestepping any CDN-side blocklist of well-known back-end domains.
-
In 200-request latency experiments, all five CDN providers used for domain shadowing yielded lower round-trip times than directly fetching from the origin server; Azure, Fastly, and StackPath showed median delays less than half those of direct visits. User-configured VPS HTTP proxies — including a powerful AWS t3a.2xlarge instance (8 vCPU, 32 GB RAM) — still underperformed CDN-based domain shadowing.
-
Google Cloud CDN and Amazon CloudFront disabled domain fronting in 2018 by requiring the TLS SNI and the HTTP Host header to match, which forced Tor Meek, Psiphon, Lantern, and Signal to halt or migrate their domain-fronting deployments. Domain shadowing avoids this failure mode entirely: the client's SNI and Host header both carry the shadow domain, so the equality check passes, and the substitution of the blocked back-end happens inside the CDN, after that check, as ordinary origin configuration.
-
Domain shadowing makes all three traffic indicators a censor can inspect (the connecting URL, the TLS SNI, and the HTTP Host header) belong to an allowed shadow domain while the CDN fetches content from a blocked back-end domain. Unlike domain fronting, it relies on a legitimate CDN feature (arbitrary back-end binding with Host rewriting) rather than on an SNI/Host mismatch, so a CDN cannot disable it by enforcing header consistency without also breaking legitimate uses such as outsourcing a service to a third party via CNAME. The technique was demonstrated by successfully accessing www.facebook.com from a heavily censored country.
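-
The CDN-side behaviour described across these findings (front-end/back-end binding with Host rewrite, the secret-header rule against active probing, DfDs, and why an SNI/Host equality check stops domain fronting but not domain shadowing) as an added, runnable model in Python. This is not code from the paper or from any CDN: the edge is a simplified stand-in for a real CDN rule engine, and the hostnames, header name and value, and origin contents are all constructed for the example.

```python
# Added illustration (not code from the paper): a toy model of a CDN edge
# configured for domain shadowing. Every hostname, the header name/value and
# the origin bodies below are constructed for the example.
from dataclasses import dataclass, field
from typing import Optional

SHADOW_DOMAIN = "shadow.example.com"        # front-end the user binds at the CDN
FRONT_DOMAIN = "allowed-front.example.net"  # another domain served by the same CDN
BACKEND_DOMAIN = "blocked.example.org"      # the censored origin
SECRET_HEADER = "X-Shadow-Key"              # custom header the anti-probing rule checks
SECRET_VALUE = "constructed-secret-value"
DECOY_BODY = "Welcome to my personal blog."  # innocuous synthetic response for probes

@dataclass
class Request:
    sni: str                  # TLS server name: visible to an on-path censor, like the DNS lookup
    host: str                 # HTTP Host header: encrypted inside TLS
    path: str = "/"
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str
    origin_fetched: Optional[str] = None   # origin the edge contacted, None if none
    upstream_host: Optional[str] = None    # Host header the edge sent to that origin

# Constructed origins: what each origin serves for a given Host header and path.
ORIGINS = {
    BACKEND_DOMAIN: lambda host, path: f"[{BACKEND_DOMAIN}] page {path} for Host {host}",
    FRONT_DOMAIN: lambda host, path: f"[{FRONT_DOMAIN}] page {path} for Host {host}",
}

@dataclass
class EdgeConfig:
    backends: dict                          # steps 1+2: front-end domain -> back-end origin
    host_rewrites: dict                     # step 3: front-end domain -> Host sent upstream
    enforce_sni_host_match: bool = False    # the 2018 Google/Amazon anti-fronting check

def cdn_edge(req: Request, cfg: EdgeConfig) -> Response:
    """What the CDN edge does with one request under the given configuration."""
    # Anti-fronting check: refuse when the TLS SNI and the HTTP Host disagree.
    if cfg.enforce_sni_host_match and req.sni != req.host:
        return Response(421, "Misdirected Request")
    # The edge routes on the Host header, i.e. on the bound front-end domain.
    origin = cfg.backends.get(req.host)
    if origin is None:
        return Response(404, "unknown front-end domain")
    # Anti-probing rule: a shadow domain fetches its blocked back-end only when the
    # secret header is present; a probe without it gets a synthetic decoy page.
    if origin == BACKEND_DOMAIN and req.headers.get(SECRET_HEADER) != SECRET_VALUE:
        return Response(200, DECOY_BODY)
    upstream_host = cfg.host_rewrites.get(req.host, req.host)
    return Response(200, ORIGINS[origin](upstream_host, req.path), origin, upstream_host)

def shadowing_config(enforce_sni_host_match: bool = False) -> EdgeConfig:
    """The three domain-shadowing steps: bind front-end, set back-end, rewrite Host."""
    return EdgeConfig(
        backends={SHADOW_DOMAIN: BACKEND_DOMAIN, FRONT_DOMAIN: FRONT_DOMAIN},
        host_rewrites={SHADOW_DOMAIN: BACKEND_DOMAIN},
        enforce_sni_host_match=enforce_sni_host_match,
    )

def censor_sees(req: Request) -> str:
    """The only name an on-path censor learns from DNS and the TLS ClientHello."""
    return req.sni

def plain_shadowing(enforce: bool = False) -> Response:
    """Client uses the shadow domain everywhere: URL, DNS, SNI and Host all agree."""
    req = Request(SHADOW_DOMAIN, SHADOW_DOMAIN, "/feed", {SECRET_HEADER: SECRET_VALUE})
    return cdn_edge(req, shadowing_config(enforce))

def active_probe(enforce: bool = False) -> Response:
    """Censor replays the shadow domain it observed but lacks the secret header."""
    return cdn_edge(Request(SHADOW_DOMAIN, SHADOW_DOMAIN, "/feed"), shadowing_config(enforce))

def fronting_over_shadowing(enforce: bool = False) -> Response:
    """DfDs: SNI carries an allowed front domain, Host carries the shadow domain."""
    req = Request(FRONT_DOMAIN, SHADOW_DOMAIN, "/feed", {SECRET_HEADER: SECRET_VALUE})
    return cdn_edge(req, shadowing_config(enforce))

if __name__ == "__main__":
    for name, fn in [("shadowing", plain_shadowing), ("probe", active_probe),
                     ("DfDs", fronting_over_shadowing)]:
        for enforce in (False, True):
            r = fn(enforce)
            print(f"{name:10} sni/host-check={enforce!s:5} -> {r.status} {r.body!r} via {r.origin_fetched}")
```

Running the model shows the three outcomes the findings describe: plain shadowing reaches the blocked origin with the Host header rewritten whether or not the SNI/Host check is on, the active probe without the secret header only ever sees the decoy page, and DfDs succeeds on an edge that tolerates the mismatch but is rejected (421) once the equality check is enforced, while the censor observing the DfDs connection sees only the front domain.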