Domain shadowing makes all three traffic indicators — connecting URL, SNI, and Host header — appear to belong to an allowed shadow domain while fetching content from a blocked back-end domain via CDN. Unlike domain fronting, it exploits a legitimate CDN feature (arbitrary back-end binding) rather than a SNI/Host mismatch quirk, so CDNs cannot disable it by enforcing header consistency without breaking legitimate use cases such as third-party service outsourcing via CNAME. The technique was demonstrated successfully accessing www.facebook.com from a heavily censored country.

Active-probing censors who discover a shadow domain can be defeated by adding a CDN rule that only fetches from the blocked back-end when a secret custom request header is present; without it the CDN returns an innocuous response. Layering domain fronting over domain shadowing (DfDs) further hides the shadow domain by routing the initial request through an allowed front domain with the Host header set to the shadow domain, so the censor never sees the shadow domain in the SNI or DNS query even during active inspection.

§6.1.2, §3.4 defense

Of 6 major CDNs surveyed (Google Cloud CDN, AWS CloudFront, Azure CDN, Fastly, Cloudflare, StackPath), 5 support full API automation of the three steps required for domain shadowing: setting the front-end, setting the back-end, and rewriting the Host header. Cloudflare restricts Host header rewriting to enterprise-tier accounts only, making it unsuitable without paid upgrade. All six CDNs allow arbitrary back-end domain binding by design, and all back-end DNS CNAMEs can be indirected to evade any CDN-side blocklist of popular domains.

§5.2, Table 1 evaluation

In 200-request latency experiments, all five CDN providers used for domain shadowing yielded lower round-trip times than directly fetching from the origin server; Azure, Fastly, and StackPath showed median delays less than half those of direct visits. User-configured VPS HTTP proxies — including a powerful AWS t3a.2xlarge instance (8 vCPU, 32 GB RAM) — still underperformed CDN-based domain shadowing.

§5.4, Figure 7 evaluation

Google Cloud CDN and Amazon CloudFront disabled domain fronting by 2021 by enforcing SNI/Host header consistency, causing Tor Meek, Psiphon, Lantern, and Signal to halt or migrate their domain-fronting deployments. Domain shadowing avoids this failure mode entirely because it does not rely on the SNI/Host mismatch that CDNs were able to patch with a simple header equality check.

§2.3 evaluation

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling

GFWeb tested 1.02 billion domains against the GFW over 20 months and discovered 943,000 pay-level domains blocked by HTTP filters and 55,000 by HTTPS filters — the largest GFW blocklist dataset ever published. The HTTP-to-HTTPS ratio (17:1) confirms that the GFW's HTTPS keyword-based and SNI-based blocking covers far fewer domains than its HTTP host-header blocking, likely because HTTPS blocks carry higher collateral-damage risk.

2024-hoang-gfweb Abstract, §5.1 dpidns-poisoningip-blockingkeyword-filteringsni-blocking

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

DNS censorship of encrypted protocols is inconsistent in both China and Iran. In China, Yandex resolvers are censored only when the SNI extension is present; omitting SNI bypasses censorship for these resolvers. In Iran, DoH requires SNI omission for Quad9, Google, Adguard, CleanBrowsing, and NextDNS resolvers, but works with SNI for Yandex and Cisco resolvers. These inconsistencies suggest resolvers have been accidentally missed by censors, highlighting the value of automated tools that trial all resolver-mode combinations rather than hard-coding a single strategy. The support evaluation found 47 resolvers supporting DoH, 16 supporting DoH3, and only 8 supporting DoQ out of ~65 tested.

2026-lange-towards §6.2, Table 2 dns-poisoningsni-blockingip-blocking

DPYProxy-DNS tested 8 circumvention modes against DNS censorship from vantage points in Iran (AS201295, Mashhad) and China (AS4837, China Unicom). In Iran, DoQ was entirely uncensored even with the SNI extension present; DoH3 worked for all Cloudflare and NextDNS resolvers. Iran's censor operates in-path (not on-path like the GFW), making the "Last Response" mode (wait 3s for the last UDP reply) ineffective in Iran but highly effective in China. Auto-mode averaged 12.32s (median 8.28s) in Iran and 13.78s (median 12.90s) in China to discover a working combination.

2026-lange-towards §6.2, §6.3 dns-poisoningsni-blockingip-blocking

DPYProxy-DNS's automated probe-and-select mode identified a working DNS circumvention in an average of 13.78 seconds (median 12.90s) in China and 12.32 seconds (median 8.28s) in Iran across 100 runs each; best-case startup was 0.32s (China) and 0.47s (Iran) when the first-tried combination succeeded, while worst-case exceeded 30.72s in China and 58.16s in Iran due to the slow Last Response mode (3s fixed wait per attempt) being selected early in the randomized probe order.

2026-niere-dpyproxy-dns §6.3 dns-poisoningsni-blockingip-blocking