Take action to stop domain fronting on your application before 8 January 2024

Question

Hello I got this email from Microsoft,

You’re receiving this email because you’re currently using Azure Front Door or Azure CDN Standard from Microsoft (classic).

We’ve been making progressive changes to Azure Front Door and Azure CDN from Microsoft to align with our commitment to prevent domain fronting behavior. Starting from 8 January 2024, all existing Azure Front Door and Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. The block implementation will start roll out on 8 January 2024 and will take one week or two weeks for the change to roll out to all regions.

The following is a summary of the changes related to blocking domain fronting behavior on Azure Front Door and Azure CDN Standard from Microsoft (classic) in the past 18 months:

• On 29 April 2022, we introduced an option to enable blocking domain fronting for existing or newly created resources of these types by submitting a support request. You can find more information on this feature on the Generally available: Controls to block domain fronting behavior on customer resources update.
• On 8 November 2022, we implemented a new policy that blocks any HTTP request that exhibits domain fronting behavior on any resource of these types that was created after this date. You can learn more about this policy on the Generally available: Block domain fronting behavior on newly created customer resources update.
• On 25 September 2023, we revised the domain fronting blocking restrictions for Azure Front Door based on customer feedback and security considerations. We now allow requests with mismatch TLS SNI extension and host headers if both values are added as domains to Azure Front Door in the same subscription. You can read more about this update on the General availability: Domain fronting update on Azure Front Door and Azure CDN update.

Recommended action

If your application or API uses a different TLS SNI extension than the request Host header, and these two values aren’t added as domains to Azure Front Door in the same subscription, you’ll need to update your application or API by 8 January 2024, to avoid any potential impact from this change.

If you need any further assistance, please submit a support request with your subscription details and your Front Door or Azure CDN from Microsoft resource information.

The thing is we have 3 Front Door and CDN profile, but all of them premium.

So except the above mail is informational, what should I do to avoid our services being affected come 8 January 2024? or does it resolve automatically?

Thanks

Answer 1

@KBadejo Srinivas Bhimireddy Tim Friesen Mateo Parra Simon Gebriel Mekonen Sreenath HS Ihsan Izwer

Thank you for your patience here.

I got an update from the product team.

To provide you with more time and additional assistance, we have decided to postpone the enforcement date to January 22, 2024. This means you will have more time to make informed decisions on domain fronting and avoid any service disruption. We are also introducing two new log fields to help you identify if an Azure Front Door or Azure CDN from Microsoft (classic) resources display domain fronting behavior. The new log fields will be available on December 25, 2023. It may require up to two weeks for the enforcement of blocking changes to propagate on the global PoPs (point of presences) starting from January 22, 2024.

How can I check if my Azure Front Door and Azure CDN Standard from Microsoft (classic) resources display domain fronting behavior? 

Azure Front Door will introduce two new log fields, which will be available by the week of December 25, 2023.

• Result- which will indicate if there is a SNI and host mismatch. When you see “SSLMismatchedSNI under the Result field, it means the request passed through successfully, but with a warning of a mismatch. Such request would be rejected by Azure Front Door after January 22, 2024, due to violating domain fronting. When you see SSLMismatchedSNI under ErrorInfo, it means the request was already blocked by domain fronting.
• Sni - which will provide the specific SNI to compare with host from requestUri for further actions.

Once the log fields are supported, you need to enable access log and run the following query to obtain the list of domains with SNI/host mismatch. You can adjust the query per your needs. 

Note: To run the query for Azure CDN Standard from Microsoft (classic), please replace the first where condition with | where ResourceProvider == "MICROSOFT.CDN" and Category == "AzureCdnAccessLog". To run the query for Azure Front Door (classic), please replace the first where with | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog".

 

AzureDiagnostics 

//AFD standard/premium, run this to determine if any of the resources have domain fronting behavior
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

| where result_s  == "SSLMismatchedSNI" or errorInfo_s == "SSLMismatchedSNI"

| project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

 

AzureDiagnostics 

//AFD standard/premium, run this to determine if any of the resources have domain fronting behavior but not have domain fronting blocking enabled
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

| where result_s  == "SSLMismatchedSNI" 

| project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

 

AzureDiagnostics 

//AFD standard/premium, run this to determine if any of the resources have domain fronting behavior and have domain fronting blocking enabled. 
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"

| where result_s  == "SSLMismatchedSNI" 

| project TimeGenerated, clientIp_s, sni_s, requestUri_s, userAgent_s

The information above is shared by the product team in the blogpost below.

https://techcommunity.microsoft.com/t5/azure-networking-blog/prohibiting-domain-fronting-with-azure-front-door-and-azure-cdn/ba-p/4006619

Please follow the documentation below to enable diagnostic logging.

AFD: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs#configure-logs

CDN: https://learn.microsoft.com/en-us/azure/cdn/cdn-azure-diagnostic-logs#enable-logging-with-the-azure-portal

Hope this helps! Please let me know if you have any additional questions. Thank you!

---

​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.