Domain Fronting can be identified, blocked, and logged with McAfee Web Gateway by utilizing the URL.DiscardedHost property, which will not be empty if the host header does not match the FirstLine URL. See the MWG product documentation and here: Solved: McAfee Support Community - Domain Fronting, Vulnerabilities and Detection, Pa... - McAfee Su... for more information on domain fronting. But my question is: how do I detect and log when managing Web Gateway Cloud Service policy from UCE?
Updated and improved 8/12/21
Policy code modification is currently required. The following procedure can be used for detecting, blocking and logging domain fronting attempts (allowing and logging is not presently possible with UCE).
You can create a completely new code branch as described below, or you can add the code to an existing code branch to make scoping easier if scoping is required.
Create a new branch within URL Filtering.
From the MVISION Cloud Management Console go to Policy > Web Policy > Policy and activate code view.
Edit the code to add an INCLUDE statement at the top of the list of INCLUDEs. Place the statement before global bypass with the name of your new branch.
Save and publish.
Go to your newly created code branch and edit the first line of code to give yourself an activate button, operate on web requests only, and customize the branch name if desired.
ROUTINE Domain_Fronting_Block_and_Log ON (Web.Request) [enabled="true"] { // Domain Fronting Block and Log
Add the policy code. Insert policy code to block and log when (connected.host does not match URL.Host) OR (discardedhost is not empty AND does not match URL.Host) by inserting your modified version of the code after the first line and before the routine end signified by }. The code should include use of a customized block page so that the logs show the details of why the request was blocked.
-------------------Code to insert----------------------------
STRING customBlockPage_Reason
STRING customBlockPage_Message = "Domain Fronting Detected"
// On the CONNECT, remember the tunnel's domain so later (decrypted) requests on the same connection can be compared against it
IF MWG.CommandName.ToUpper == "CONNECT" THEN {
    MWG.ConnectionVariablesAdd("ConnectedDomain", MWG.Url.Domain)
} ELSE IF MWG.ConnectionVariablesHave("ConnectedDomain") THEN {
    STRING domain1 = MWG.ConnectionVariablesGet("ConnectedDomain")
    STRING domain2 = MWG.Url.Domain
    // Inner request is for a different domain than the one named in the CONNECT: block with the reason in the log
    IF NOT (domain1.ToUpper == domain2.ToUpper) THEN {
        customBlockPage_Reason = "Attempted Domain Fronting " + MWG.Url.ToString + " through " + domain1
        MWG.Block (McAfee_Custom_Block_Page, customBlockPage_Reason, "URL Filtering Policy")
    }
}
// Host header disagreed with the request-line URL (URL.DiscardedHost is set): block with the reason in the log
IF MWG.DiscardedHost != "" AND MWG.DiscardedHost != MWG.Host(MWG.Url) THEN {
    customBlockPage_Reason = "Attempted Domain Fronting " + MWG.DiscardedHost + " through " + MWG.Url.ToString
    MWG.Block (McAfee_Custom_Block_Page, customBlockPage_Reason, "URL Filtering Policy")
}
-------------------END Code to insert------------------------
Note that this will only block HTTPS domain fronting attempts if HTTPS Inspection is enabled on the initial CONNECT request. Also, the check for the connected domain may over-block on sites that have more than one domain served by a single connection and certificate. (Solutions to this over-blocking issue are still being developed.)
Code inserted into a ruleset with scoping: (Note that doing it this way renders all but Skip by URL useless in the simple view.)
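To make the two checks in the policy above concrete outside the gateway, here is an added Python model (not MWG code and not from the original post) that applies the same logic to constructed proxy transaction records: a per-connection ConnectedDomain captured from the CONNECT and compared with each later decrypted request, and a DiscardedHost check for a Host header that disagrees with the request line. It assumes a plain hostname comparison in place of MWG's URL.Domain, and that requests after a CONNECT are only visible because HTTPS inspection is on.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Request:
    conn_id: int           # TCP connection the request arrived on (constructed ids)
    method: str            # CONNECT sets up the tunnel; GET/POST follow only if inspected
    url: str               # request-line URL as the proxy sees it
    host_header: str = ""  # Host header; "" when none was sent

def url_host(url: str) -> str:
    """Hostname from the request line; CONNECT lines carry 'host:port'."""
    if "://" not in url:
        return url.split(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def discarded_host(req: Request) -> str:
    """Model of URL.DiscardedHost: the Host header dropped because the request line named a different host."""
    h = req.host_header.strip().lower()
    return h if h and h != url_host(req.url) else ""

def detect_domain_fronting(requests):
    """Return [(conn_id, reason)] for requests the policy above would block."""
    connected = {}  # conn_id -> domain from the CONNECT (the ConnectedDomain variable)
    blocked = []
    for r in requests:
        if r.method.upper() == "CONNECT":
            connected[r.conn_id] = url_host(r.url)
            continue
        d1, d2 = connected.get(r.conn_id), url_host(r.url)
        if d1 is not None and d1 != d2:  # inner request for a domain other than the CONNECT's
            blocked.append((r.conn_id, f"Attempted Domain Fronting {r.url} through {d1}"))
            continue                     # MWG.Block ends rule processing for this request
        dh = discarded_host(r)
        if dh and dh != d2:              # Host header named a different host than the URL
            blocked.append((r.conn_id, f"Attempted Domain Fronting {dh} through {r.url}"))
    return blocked

# Constructed sample transactions: one clean tunnel, one fronted tunnel, one plain-HTTP mismatch
SAMPLE = [
    Request(1, "CONNECT", "cdn.example.com:443"),
    Request(1, "GET", "https://cdn.example.com/app.js", "cdn.example.com"),
    Request(2, "CONNECT", "cdn.example.com:443"),
    Request(2, "GET", "https://hidden.example.net/api", "hidden.example.net"),
    Request(3, "GET", "http://www.example.org/index.html", "other.example.org"),
]

if __name__ == "__main__":
    for conn, reason in detect_domain_fronting(SAMPLE):
        print(conn, reason)
```

Connection 1 passes both checks; connection 2 trips the ConnectedDomain check and connection 3 the DiscardedHost check, which is the same over-blocking surface the note above describes for multi-domain connections.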
Note that the test string: