Domain fronting is a network communication technique that involves leveraging (or abusing) content delivery networks (CDNs) to disguise the final destination of network packets by presenting them as if they were intended for a different domain than their actual endpoint. This technique can be used for both benign and malicious purposes, such as circumventing censorship or hiding malware-related communications from network security systems. Since domain fronting has been known for a few years, some popular CDN providers have implemented traffic filtering approaches to curb its use at their CDN infrastructure. However, it remains unclear to what extent domain fronting has been mitigated. To better understand whether domain fronting can still be effectively used, we propose a systematic approach to discover CDNs that are still prone to domain fronting. To this end, we leverage passive and active DNS traffic analysis to pinpoint domain names served by CDNs and build an automated tool that can be used to discover CDNs that allow domain fronting in their infrastructure. Our results reveal that domain fronting is feasible in 22 out of 30 CDNs that we tested, including some major CDN providers like Akamai and Fastly. This indicates that domain fronting remains widely available and can be easily abused for malicious purposes.

翻译：域名前置是一种网络通信技术，它利用（或滥用）内容分发网络（CDN）来伪装网络数据包的最终目的地，使其看起来像是发往与实际端点不同的域名。该技术既可用于良性目的（如规避审查），也可用于恶意目的（如向网络安全系统隐藏恶意软件相关通信）。由于域名前置技术已存在数年，部分主流CDN提供商已在其CDN基础设施中实施流量过滤措施来遏制该技术的使用。然而，域名前置的缓解程度仍不明确。为深入探究域名前置是否仍能被有效利用，我们提出了一套系统性方法，用于发现仍易受域名前置攻击的CDN。为此，我们利用被动和主动DNS流量分析来定位由CDN服务的域名，并构建了一个自动化工具，用于检测允许在其基础设施中实施域名前置的CDN。研究结果显示，在测试的30个CDN中，有22个（包括Akamai和Fastly等主要CDN提供商）仍可实现域名前置。这表明域名前置技术仍然广泛可用，并容易被滥用于恶意目的。