How Zscaler protect against Domain Fronting?


(Tommy Lambert) #1

Hi everyone,

I’m currently testing Zscaler to see if it is able to protect against Domain Fronting technique. What I do see in the log is that the first (legit) domain hit and the underlying (bad) domain as two separate line. But, I do not seems to be able to link those two events together. Currently, I’m working on a homemade apps that act as domain fronting, so I know the legit and the bad URL. In a real situation, I’m a bit on dark.

Is there any link I can put between those two events? Can I set any alerts when I call an URL, but the answer is on another domain?

Best regards,


What would be the reason for doing this?

(Jozef Krakora) #3

Hi Tom,

Thank you for your question and interest in testing Zscaler.

In short, we do detect and defeat Domain Fronting attacks. If you would like to understand more details, please open a Support ticket and ask Support Engineer to connect you with Jozef Krakora. Or you can email me directly at jkrakora [at] zscaler [.] com.

In this case, I cannot say for certain why you have two transaction logs instead of one. Generally, there would be just one transaction log for a domain fronting attack, given the initial HTTP connect would hide the “evil” domain in the http header, and then the evil domain hosted on the same infra as the good domain would give the HTTP response. If you are seeing two logs, then there were probably two HTTP/S connects from your client web browser.

I would recommend you open a Support ticket either from within your Zscaler admin console, or via this help page: - and then share the actual transaction logs that would help diagnose what is happening.

Hope this helps.