What is Domain Fronting?
A technique that hides the true destination of a network connection by routing it through a major cloud provider, making it appear as traffic to the cloud provider.
Domain fronting was a powerful censorship circumvention technique that exploited CDN infrastructure.
How It Worked
- The TLS SNI field shows a legitimate domain (e.g., google.com)
- The HTTP Host header (encrypted inside TLS) specifies the actual destination
- The CDN routes to the real destination based on the Host header
- Censors see traffic to google.com — blocking it would block all Google services
Current Status
- Google, Amazon, and Microsoft disabled domain fronting in 2018
- Cloudflare never supported it
- This removed a critical tool for censorship circumvention
- Alternative techniques (meek, V2Ray, trojan) have partially replaced it
Why It Mattered
Domain fronting was used by Signal, Tor, and other privacy tools to reach users in censored countries. Its loss was a significant blow to anti-censorship efforts.
Related Terms
Obfuscation
Techniques for disguising encrypted traffic to look like normal, unencrypted traffic, used to bypass censorship systems that block VPNs and Tor.
SNI (Server Name Indication)
A TLS extension that reveals which website you're connecting to in plaintext, even when the connection is encrypted.
Tor Bridge
An unlisted Tor relay that helps users in censored regions connect to the Tor network when direct access is blocked.