DEFCON: Noctilucent brings back 'Domain Fronting' as 'Domain Hiding'

Image Source: Erik Hunstad

This week at the DEFCON 28 security conference, a security researcher released a new tool that can help the makers of sensitive applications evade censorship and bypass firewalls to keep services up inside problematic areas of the globe. The tool was developed by Erik Hunstad (Chief Technical Officer at SixGen), who named it Noctilucent. According to the researcher, Noctilucent fills a role left void after cloud providers like Amazon and Google blocked "domain fronting" on their infrastructure. Erik said he used the new TLS 1.3 protocol to revive domain fronting (sort of) as an anti-censorship technique, but in a new form that he calls "domain hiding."

What is Domain Fronting

Domain fronting is a technique that was made popular by mobile application developers in the 2010s and has been used to allow applications to bypass censorship attempts in oppressive countries. The technique lets clients (applications) connect to a "front" domain, which then forwards the connection to the application maker's real infrastructure.

Countries that want to block an application protected by domain fronting only see the front domain, due to a technicality in how HTTPS connections are negotiated. See the Wikipedia explanation below:

Source: Wikipedia

If a country blocks the front domain, an application's operators only have to rotate to a new front domain, while keeping their actual and larger infrastructure in the same place - without having to migrate thousands of servers.

Source: Erik Hunstad

Domain fronting still works, but very few hosting providers allow it. Most companies fear that their entire infrastructure could be blocked inside a country that wants to block one or more applications. While some providers still support it, domain fronting effectively died in 2018, when Amazon and Google dropped support for the technique under threats from the Russian government, which at the time wanted to block access to the Telegram app at any cost.

Telegram found other ways to hide from Russian internet censors, and the Russian government eventually rescinded the ban; however, domain fronting was never restored on AWS and Google Cloud - effectively ending its broad use.

What is Domain Hiding

Since 2018, new technologies have had a chance to grow. TLS 1.3, which was barely a few weeks old as a stable protocol when domain fronting was banned, is now widely used across the internet. Erik says that under certain, easy-to-recreate conditions, applications can revive domain fronting with the help of these newer technologies and create a new type of "front" domain that keeps internet censors and firewalls blind to the true destination of a network connection.

Erik said that this new technique, which he calls domain hiding, accomplishes the same goals as domain fronting but uses different technologies. The technique is not identical to domain fronting; it is actually cleverer, because it also tricks firewalls and other network monitoring technologies into thinking the user is accessing a different website than the one the app/user is actually accessing. For example, in a "domain hiding" connection, an application might appear to be initiating an HTTPS connection to firefox.com, but behind the scenes it is actually connecting to desired-website.com.

This is possible because the client (application) puts decoy information in the HTTPS connection's plaintext fields, while the connection's encrypted fields carry the real destination, which is the information the server honors.

TLSHost - firefox.com (plaintext/visible)
SNI - firefox.com (plaintext/visible)

HTTP Host header - desired-site.com (encrypted/not visible)
ESNI - desired-site.com (encrypted/not visible)
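As an added, defender-side example (not from the article and not Noctilucent's code): a constructed TLS 1.3 ClientHello that carries a plaintext SNI alongside an ESNI extension, parsed the way a network monitor would parse it, to flag that the visible name may not be the real destination. The ESNI extension code point 0xffce is the draft-ietf-tls-esni value; the ESNI payload is opaque filler, and the HTTP Host header is not checked because it travels inside the encrypted application data.

```python
import struct

SNI_EXT = 0x0000   # server_name (RFC 6066): sent in plaintext, visible to firewalls
ESNI_EXT = 0xFFCE  # encrypted_server_name (draft-ietf-tls-esni): opaque to the network

def build_client_hello(sni: str, esni_blob: "bytes | None" = None) -> bytes:
    """Constructed, minimal TLS 1.3 ClientHello record: one cipher suite, no key share,
    a plaintext SNI extension and (optionally) an ESNI extension with opaque filler."""
    host = sni.encode()
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host          # host_name type + name
    sni_data = struct.pack("!H", len(name_entry)) + name_entry          # server_name_list
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if esni_blob is not None:
        exts += struct.pack("!HH", ESNI_EXT, len(esni_blob)) + esni_blob
    body = (b"\x03\x03" + b"\x11" * 32            # legacy_version, random (fixed for the demo)
            + b"\x00"                              # empty legacy_session_id
            + b"\x00\x02\x13\x01"                  # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body             # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs            # handshake record

def parse_client_hello(record: bytes) -> dict:
    """Walk a ClientHello record and return the visible SNI plus every extension type seen."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2 + 32                                  # record hdr + handshake hdr + version + random
    p += 1 + record[p]                              # legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                              # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p, end = p + 2, p + 2 + ext_len
    info = {"sni": None, "extensions": []}
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        p += 4 + elen
        info["extensions"].append(etype)
        if etype == SNI_EXT:                        # list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode()
    return info

def flag_domain_hiding(record: bytes) -> dict:
    """Flag a plaintext SNI paired with an ESNI extension: the visible name may be a decoy."""
    info = parse_client_hello(record)
    info["esni_present"] = ESNI_EXT in info["extensions"]
    info["suspicious"] = info["sni"] is not None and info["esni_present"]
    return info
```

Running `flag_domain_hiding(build_client_hello("firefox.com", b"\xaa" * 16))` reports `sni == "firefox.com"` with `suspicious == True`, while a hello without the ESNI extension is not flagged.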

Source: Erik Hunstad

Erik published the Noctilucent tool as open source on GitHub; it automates the process of hiding domains with the researcher's new technique. The tool was built to use Cloudflare as the host for "front" domains. To use Noctilucent, Erik says applications have to support TLS 1.3 when initiating HTTPS connections, and must also have their domain's DNS records managed via Cloudflare (as the real domain is hidden among other Cloudflare-hosted domains).

The researcher says domain hiding has advantages over domain fronting. The biggest is that applications no longer have to host all their infrastructure on the same provider, as they did with the older domain fronting technique. Domain hiding allows them to host their domain's DNS records on Cloudflare while hosting their actual servers anywhere, with any hosting provider they want.

However, like most tools, Noctilucent has both a good and a bad side. While it can help applications set up a new form of domain fronting and avoid censorship, it can also be used to hide malware command-and-control (C2) servers, something security researchers and incident responders should take note of for future investigations. Additional technical details are available in Noctilucent's GitHub repository and in Erik Hunstad's DEFCON talk below.

DEFCON Talk
