Domain fronting is a network communication technique that involves leveraging (or abusing) content delivery networks (CDNs) to disguise the final destination of network packets by presenting them as if they were intended for a different domain than their actual endpoint. This technique can be used for both benign and malicious purposes, such as circumventing censorship or hiding malware-related communications from network security systems. Since domain fronting has been known for a few years, some popular CDN providers have implemented traffic filtering approaches to curb its use at their CDN infrastructure. However, it remains unclear to what extent domain fronting has been mitigated. To better understand whether domain fronting can still be effectively used, we propose a systematic approach to discover CDNs that are still prone to domain fronting. To this end, we leverage passive and active DNS traffic analysis to pinpoint domain names served by CDNs and build an automated tool that can be used to discover CDNs that allow domain fronting in their infrastructure. Our results reveal that domain fronting is feasible in 22 out of 30 CDNs that we tested, including some major CDN providers like Akamai and Fastly. This indicates that domain fronting remains widely available and can be easily abused for malicious purposes.

翻译：域名前置是一种网络通信技术，通过利用（或滥用）内容分发网络（CDN）将网络数据包伪装成发往与实际终点不同的域名，从而掩盖其最终目的地。该技术可用于良性及恶意目的，例如规避网络审查或向网络安全系统隐藏与恶意软件相关的通信。由于域名前置已被发现数年，一些主流CDN提供商已在其基础设施中部署流量过滤机制以遏制此类行为。然而，该技术是否已被有效缓解仍不明确。为深入了解域名前置是否仍能被有效利用，我们提出了一种系统性方法，用于发现仍易受域名前置攻击的CDN。为此，我们通过被动和主动DNS流量分析，精准定位由CDN服务的域名，并开发了自动化工具以识别允许域名前置的CDN基础设施。研究结果表明，在测试的30个CDN中，有22个存在域名前置可行性，其中包括Akamai和Fastly等主要CDN提供商。这表明域名前置仍广泛可用，且易被滥用于恶意目的。