Domain borrowing

as-21-Ding-Domain-Borrowing-Catch-My-C2-Traffic-If-You-Can.pdf (6.6 MB)

Summary: it is possible to use domain fronting without your own domain, by adding the existing well-trusted domain name to the selected CDNs without domain validation (the domain doesn’t have to use said CDN). Additionally, to obtain proper HTTPS certificate for this domain, one can abuse wildcard certificates for well-trusted domains and add a subdomain of such domain name to the CDN panel (the domain should use the CDN in this case).

Domain Borrowing vs. Others

Detection method Domain Borrowing Domain Fronting Domain Hiding
high reputation SNI :white_check_mark: :white_check_mark: :white_check_mark:
high reputation Host :white_check_mark: :x: —[2]
check if SNI == Host :white_check_mark: :x: —[2]
valid HTTPS certificates :white_check_mark: :white_check_mark: :white_check_mark:
without ESNI[1] :white_check_mark: :white_check_mark: :x:

[1] ESNI will be blocked by some country-wide and enterprise firewalls
[2] TLSv1.3 + ESNI cannot be decrypted by well-known firewalls currently

I am not sure, but this may be the same idea as domain shadowing, which was published around the same time.

The idea of domain shadowing (DS), at least how is it outlined in the paper and implemented in browser extension, is to utilize CDN to access a specified fixed website using a fixed (sub)domain of another existing or non-existing domain, using CDN routing/host rewriting feature only. There’s no VPS/web hosting to proxy the traffic to, and there’s no software “client” application per se, except browser extension which uses CDN’s API. This is somewhat similar to web proxy (also called “anonymizer” sometimes), except it’s “running” on a CDN, not on a server.

You need to buy the domain for (regular) domain shadowing. SNI == Host.

Domain Fronting and Shadowing (DfDs) improves this idea a bit further, by using the fact that not all CDNs perform domain validation, and some even allow to add non-exiting domain names. I’m not sure whether it provides proper TLS certificate for such configuration, the authors do not mention that anywhere. It probably doesn’t.

You don’t need to buy the domain for domain fronting and shadowing, you use a random one, even non-delegated. SNI != Host. You need to directly connect to CDN’s IP address, without DNS. Probably not a valid HTTPS certificate.

Enhanced DfDs (DfDs++) state that you can use (regular) domain fronting with this technique: just use any reputable domain name already present on the CDN as SNI.

You don’t need to buy the domain for enhanced DfDs++, you use a trusted one, which already uses this CDN. SNI != Host.

However, Domain Borrowing is different:

  1. It allows to use (and configure your way) any subdomains of high-reputation domain. The domain should be already present on CDN, subdomains should not.
  2. SNI == Host, works even with NGFWs/proxies re-encrypting the traffic and checking for SNI == Host equality.
  3. You receive valid wildcard HTTPS certificate of high-reputation domain.

So, no, these two methods are different, despite being similar in some aspects.