Take action to stop domain fronting

Mithila Lishan 71 Reputation points
2023-12-12T07:13:47.23+00:00

I got an email from Azure mentioning this issue: "Take action to stop domain fronting on your application before 8 January 2024".

I went through the links that are available in the email and understood what this issue ("Domain Fronting") is.

1. But still I have no idea exactly which resources are affected by this issue (we have not used Azure Front Door; we use a CDN profile for storage accounts).

2. What kind of change do I need to make from the Azure side before 8th January 2024 to prevent domain fronting?


1 answer

  1. GitaraniSharma-MSFT 49,586 Reputation points Microsoft Employee
    2023-12-12T09:01:47.4833333+00:00

    Hello @Anonymous,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know more about the changes introduced by Azure related to domain fronting.

    I have no idea exactly what resources are affected (we have not used Azure Front Door; we use a CDN profile for storage accounts).

    Beginning November 8, 2022, all newly created Azure Front Door, Azure Front Door (classic) or Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior.

    So, if you are using Azure CDN, then this email/issue is related to your Azure CDN resource.

    Refer: https://azure.microsoft.com/en-us/updates/generally-available-block-domain-fronting-behavior-on-newly-created-customer-resources/

    What kind of change I need to do from Azure side before 8th January 2024 to prevent domain fronting.

    Domain fronting is a technique that allows an attacker to hide the true destination of a malicious request by using a different domain name in the TLS handshake and the HTTP host header.

    This networking technique enables a backend domain to utilize the security credentials of a fronting domain. For example, if you have two domains under the same content delivery network (CDN), domain #1 may have certain restrictions placed on it (regional access limitations, etc.) that domain #2 does not. By taking the valid domain #2 and placing it into the SNI header, and then using domain #1 in the HTTP header, it’s possible to circumvent those restrictions. To the outside observer, all subsequent traffic appears to be headed to the fronting domain, with no ability to discern the intended destination for particular user requests within that traffic. It is possible that the fronting domain and the backend domain do not belong to the same owner.

    So, if your application uses a different TLS SNI extension during the TLS negotiation from the request Host header, you should prioritize changing this behavior on your application to ensure they match. Otherwise, your application or API may be impacted by this change.

    When CDN blocks a request due to a mismatch:

    • The client receives an HTTP 421 Misdirected Request error code response.
    • Azure CDN logs the block in the diagnostic logs under the Error Info property with the value SSLMismatchedSNI.

    Refer: https://learn.microsoft.com/en-us/azure/cdn/monitoring-and-access-log#raw-logs-properties

    But based on customer feedback and security considerations, Azure Front Door and Azure CDN Standard from Microsoft (classic) have revised the domain fronting blocking restrictions effective from September 25, 2023. Instead of blocking a request when the TLS SNI extension and the host header do not match, Azure Front Door will allow the mismatch if both values are added as domains in the same Azure subscription.

    So, as long as the requests are all within the same subscription, there will not be any 421s even with the fix enabled globally past the cutoff date on January 8.

    This change should help alleviate situations with Safari, for example, where TLS sessions are reused for other hostnames if the certificate matches.

    Refer: https://azure.microsoft.com/en-us/updates/general-availability-domain-fronting-update-on-azure-front-door-and-azure-cdn/

    https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#tls-configuration

    If the hostname sent in SNI and the hostname in the Host header are in different subscriptions, then AFD would respond with a 421.

    So, as long as you are not doing any domain fronting by design or by accident, then there will be no impact.

    You can find more information in the below thread for your reference:

    https://learn.microsoft.com/en-us/answers/questions/1402901/when-is-a-domain-considered-added-as-domains-in-th

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

