September 30, 2023

In earlier post , Domain Fronting technique has been discussed, since the Webservices giants blocked the technique . A concept of Domain hiding came to lime light

A new technologies have had a chance to grow. TLS 1.3, which was barely a few weeks old in its life as a stable protocol at the time domain fronting was banned, is now widely used across the internet.

In certain and easy-to-recreate conditions, apps can revive domain fronting with the help of newer technologies, and create new types of “front” domains that keep internet censors and firewalls blind to the true destination of a network connection.

The technique is not entirely identical to domain fronting, but is actually much clever because it also tricks firewalls and other network monitoring technologies into thinking the user is accessing another website than the one’s the app/user is actually accessing.

For instance in a “domain hiding” connection, an app might appear that it’s initiating an HTTPS connection to, but behind the scene, it’s actually connecting to

This is possible because the client (app) displays incorrect information in the HTTPS connection’s plaintext fields, but the connection’s encrypted fields contain the different information, and the one that’s honored by servers.

To use Noctilucent,apps have to support TLS 1.3 when initiating HTTPS connections, and also have to have their domain DNS records managed via Cloudflare. The biggest advantage is that apps don’t have to host all their infrastructure on the same provider as they had to do with the older domain fronting technique.

Domain hiding now allows to host their domain DNS records on Cloudflare, but host their actual servers anywhere and with any hosting provider they want.

Noctilucent has its good and bad sides. While the tool can help apps set up a new form of domain fronting and avoid censorship, it can also be useful in hiding malware command-and-control servers as well something that some security researchers might need to take note for future incident response investigations.

Leave a Reply

%d bloggers like this: