[anti-censorship-team] Azure domain fronting, DNS rendezvous

David Fifield david at bamsoftware.com
Mon Mar 29 19:39:18 UTC 2021

On Sat, Mar 27, 2021 at 10:33:46AM -0400, Cecylia Bocovich wrote:
> It looks like Azure is going to shut down domain fronting:
> https://www.microsoft.com/security/blog/2021/03/26/securing-our-approach-to-domain-fronting-within-azure/
> There isn't a time frame listed in the article, and I haven't gotten any
> notifications through my Azure account yet.

Another option is to implement this existing idea for rendezvous using
DNS (DNS over HTTPS or DNS over TLS).

It's not reflected in the ticket, but since then there is
https://www.bamsoftware.com/software/dnstt/ which implements an
encrypted, reliable channel over DNS queries and responses.
Unfortunately some sort of reliability channel is necessary, as
Snowflake client messages are longer than the ~100 bytes you can fit
into a single DNS query. But it's not really any different than the
Turbo Tunnel / KCP / smux that Snowflake is already using.

A downside is that encrypted DNS servers do not have as much blocking
resistance as we had with domain fronting.
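
The size argument in the message above, worked through as an added example (not part of the original post, and not dnstt's code or wire format): it computes the raw upper bound on data bytes in one query name, before any tunnel-protocol overhead, then splits a longer message across several names and shows that losing one query leaves the message unrecoverable without retransmission. The zone `t.example.com`, the 2-byte index/count header and all function names are assumptions made for illustration.

```python
import base64

MAX_NAME = 253   # longest DNS name in textual form, without the trailing dot
MAX_LABEL = 63   # longest single label


def capacity(domain):
    """Raw bytes that fit in base32 labels placed in front of `domain`."""
    avail = MAX_NAME - len(domain)                 # data characters plus their dots
    chars = avail - -(-avail // (MAX_LABEL + 1))   # every label costs one dot
    return chars * 5 // 8                          # base32 carries 5 bits per character


def fragment(msg, domain):
    """Split msg into query names; each carries a 2-byte header (index, count).
    The header layout is hypothetical, not any real tunnel's wire format."""
    per = capacity(domain) - 2
    if per < 1 or len(msg) > 255 * per:
        raise ValueError("message does not fit")
    count = -(-len(msg) // per)
    names = []
    for i in range(count):
        payload = bytes([i, count]) + msg[i * per:(i + 1) * per]
        enc = base64.b32encode(payload).decode().rstrip("=").lower()
        labels = [enc[j:j + MAX_LABEL] for j in range(0, len(enc), MAX_LABEL)]
        names.append(".".join(labels + [domain]))
    return names


def reassemble(names, domain):
    """Rebuild the message from names arriving in any order, with duplicates;
    raise if a fragment is missing (nothing here retransmits)."""
    parts, count = {}, 0
    for name in names:
        enc = name[:-len(domain) - 1].replace(".", "").upper()
        raw = base64.b32decode(enc + "=" * (-len(enc) % 8))
        parts[raw[0]], count = raw[2:], raw[1]
    missing = [i for i in range(count) if i not in parts]
    if missing:
        raise LookupError(f"fragments {missing} never arrived")
    return b"".join(parts[i] for i in range(count))


if __name__ == "__main__":
    domain = "t.example.com"           # constructed tunnel zone
    message = bytes(range(256)) * 2    # constructed 512-byte stand-in for a client message
    names = fragment(message, domain)
    print(capacity(domain), "bytes per name,", len(names), "queries")
    assert reassemble(names[::-1], domain) == message
```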
