Take action to stop domain fronting on your application before 8 January 2024

Genet Hagos 1 Reputation point
2023-12-12T11:35:16.6+00:00

I got this email

You’re receiving this email because you’re currently using Azure Front Door or Azure CDN Standard from Microsoft (classic).

We’ve been making progressive changes to Azure Front Door and Azure CDN from Microsoft to align with our commitment to prevent domain fronting behavior. Starting from 8 January 2024, all existing Azure Front Door and Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. The block implementation will start roll out on 8 January 2024 and will take one week or two weeks for the change to roll out to all regions.

The following is a summary of the changes related to blocking domain fronting behavior on Azure Front Door and Azure CDN Standard from Microsoft (classic) in the past 18 months:

Recommended action

If your application or API uses a different TLS SNI extension than the request Host header, and these two values aren’t added as domains to Azure Front Door in the same subscription, you’ll need to update your application or API by 8 January 2024, to avoid any potential impact from this change.

If you need any further assistance, please submit a support request with your subscription details and your Front Door or Azure CDN from Microsoft resource information.

I need help with this. There are no instructions on how to filter and apply the changes.


1 answer

    KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator
    2023-12-12T12:24:23.06+00:00

    @Genet Hagos

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    TL;DR:

    • From November 8, 2022, all newly created Azure Front Door, Azure Front Door (classic) or Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior.
      • This means the resources created before the above date were allowing the behavior.
    • Starting from January 8, 2024, we'll enforce domain fronting blocking on all existing domains (the ones created even before Nov 8, 2022)
    • So, if all the above resources in your environment were created after November 8, 2022 - you will not be impacted.

    To provide a summary,

    Refer: How does Azure Front Door handle domain fronting behavior?

    What is Domain Fronting?

    Domain fronting is a technique that allows an attacker to hide the true destination of a malicious request by using a different domain name in the TLS handshake and the HTTP host header.

    This networking technique enables a backend domain to utilize the security credentials of a fronting domain. For example, if you have two domains under the same content delivery network (CDN), domain #1 may have certain restrictions placed on it (regional access limitations, etc.) that domain #2 does not. By taking the valid domain #2 and placing it into the SNI header, and then using domain #1 in the HTTP header, it’s possible to circumvent those restrictions. To the outside observer, all subsequent traffic appears to be headed to the fronting domain, with no ability to discern the intended destination for particular user requests within that traffic. It is possible that the fronting domain and the backend domain do not belong to the same owner.

    In what case will you be impacted by above?

    If your application uses a different TLS SNI extension during the TLS negotiation from the request Host header, you should prioritize changing this behavior on your application to ensure they match. Otherwise, your application or API may be impacted by this change.

    When CDN blocks a request due to a mismatch:

    • The client receives an HTTP 421 Misdirected Request error code response.
    • Azure CDN logs the block in the diagnostic logs under the Error Info property with the value SSLMismatchedSNI.

    Refer: https://learn.microsoft.com/en-us/azure/cdn/monitoring-and-access-log#raw-logs-properties

    What if your application expects this behavior to function properly?

    But based on customer feedback and security considerations, Azure Front Door and Azure CDN Standard from Microsoft (classic) have revised the domain fronting blocking restrictions effective from September 25, 2023. Instead of blocking a request when the TLS SNI extension and the host header do not match, Azure Front Door will allow the mismatch if both values are added as domains in the same Azure subscription.

    You can find more information in the below thread for your reference:

    So, as long as you are not doing any domain fronting by design or by accident, then there will be no impact.

    Hope this helps.

    Thanks,

    Kapil


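The check the answer describes (SNI versus Host header, with the same-subscription exception) and the log property it names (Error Info = SSLMismatchedSNI) can be worked through offline. The following is an added example, not code from the Q&A post, from Microsoft or from Azure: it models the edge decision and scans a few constructed raw-log records to show which callers would be blocked. The property names hostName, clientIp and httpStatusCode are assumed for illustration; only errorInfo and the value SSLMismatchedSNI come from the answer, and the sample records are constructed.

```python
# Added example, not code from the Microsoft Q&A post or from Azure: it
# models the SNI/Host check the answer describes and scans constructed
# Azure CDN raw-log records for blocked requests. Everything except the
# ErrorInfo property and its SSLMismatchedSNI value is an assumption.
import json
from collections import Counter


def normalize_host(value: str) -> str:
    """Lower-case a host name and drop an explicit port, so that
    'WWW.Contoso.com:443' in a Host header compares equal to the SNI value
    'www.contoso.com'. Bracketed IPv6 literals keep their brackets."""
    value = value.strip().lower()
    if value.startswith("["):                 # e.g. "[2001:db8::1]:443"
        return value.split("]", 1)[0] + "]"
    return value.rsplit(":", 1)[0] if ":" in value else value


def evaluate_request(sni: str, host: str, subscription_domains) -> tuple:
    """Return (allowed, reason) for one request, following the answer's
    description of the edge after 8 January 2024:
      - SNI and Host match -> allowed
      - mismatch, but both names are domains added to Front Door / CDN in
        the same subscription (25 September 2023 relaxation) -> allowed
      - any other mismatch -> blocked, the client sees HTTP 421
    """
    sni_name, host_name = normalize_host(sni), normalize_host(host)
    if sni_name == host_name:
        return True, "match"
    registered = {normalize_host(d) for d in subscription_domains}
    if sni_name in registered and host_name in registered:
        return True, "mismatch allowed: both domains in same subscription"
    return False, "blocked: 421 Misdirected Request (SSLMismatchedSNI)"


# Constructed sample of raw-log records as JSON lines. The property names
# hostName, clientIp and httpStatusCode are assumed; errorInfo and the value
# SSLMismatchedSNI come from the answer above.
SAMPLE_LOG_LINES = [
    '{"hostName": "www.contoso.com", "clientIp": "203.0.113.10", "httpStatusCode": 200, "errorInfo": "NoError"}',
    '{"hostName": "api.contoso.com", "clientIp": "203.0.113.10", "httpStatusCode": 421, "errorInfo": "SSLMismatchedSNI"}',
    '{"hostName": "api.contoso.com", "clientIp": "198.51.100.7", "httpStatusCode": 421, "errorInfo": "SSLMismatchedSNI"}',
    'not a json line',
    '{"hostName": "www.contoso.com", "clientIp": "198.51.100.7", "httpStatusCode": 200, "errorInfo": "NoError"}',
]


def scan_raw_logs(lines):
    """Count SSLMismatchedSNI blocks per (Host header, client IP) so the
    application owner can see which callers still send a mismatched SNI
    before the enforcement date. Malformed lines are skipped, not fatal."""
    blocked = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("errorInfo") == "SSLMismatchedSNI":
            blocked[(rec.get("hostName"), rec.get("clientIp"))] += 1
    return blocked


if __name__ == "__main__":
    print(evaluate_request("cdn.contoso.com", "api.contoso.com", ["cdn.contoso.com"]))
    for (host, ip), n in scan_raw_logs(SAMPLE_LOG_LINES).items():
        print(f"{host} from {ip}: {n} blocked request(s)")
```

In practice the mismatch usually arises by accident, in client code that connects to one host name (for example the CDN endpoint) while setting the Host header to another; the remedy the answer recommends is to make the two values agree, and the raw-log scan above is a way to confirm no callers are still doing so after the change rolls out.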