CDN flaw widens DNS security gaps

Hackers are exploiting shared content delivery network infrastructure to hide malicious traffic behind trusted domains, exposing a weakness in DNS-based security controls used by enterprises to block command-and-control activity, data theft and unauthorised tunnelling.

The technique, named Underminr by ADAMnetworks, takes advantage of the way large CDNs host many unrelated websites on the same edge IP addresses. A compromised device can make a legitimate DNS lookup for an allowed domain, receive a CDN edge IP address, and then establish an encrypted connection to a different hostname hosted on the same shared infrastructure. To a security system relying mainly on DNS logs, the request can appear to be headed to a trusted destination even when the application-layer traffic is routed elsewhere.

The finding has sharpened concern among defenders because protective DNS, widely deployed across corporate and public-sector networks, is designed to stop access to suspicious or known malicious domains at the point of resolution. Underminr undercuts that model by separating what the DNS layer sees from where the encrypted session ultimately goes. The endpoint may resolve a benign domain, but the server name indication and host header can point to another CDN tenant, including an attacker-controlled resource.

ADAMnetworks estimates that roughly 88 million domains may be exposed to the issue, with infrastructure in the United States, the United Kingdom and Canada among the most affected. A separate analysis of top-ranking websites and CDN providers found a large share of domains susceptible to the routing mismatch, reflecting the scale of shared hosting and CDN centralisation across the modern internet.

The attack resembles domain fronting, a technique that drew scrutiny in the mid-2010s after being used by espionage groups and censorship-circumvention tools. Major providers moved to limit that method by enforcing closer alignment between TLS and HTTP routing signals. Underminr differs because it can work even when server name indication and host headers match; the mismatch sits between the DNS-resolved IP address and the hostname accepted by the shared edge infrastructure.

That distinction matters for security teams. Traditional domain fronting controls look for inconsistencies inside the HTTPS request. Underminr instead exploits the fact that a single CDN IP can represent thousands of domains, making it difficult for a DNS-only control to prove that the connection following an allowed lookup is genuinely going to the same service.

Researchers have described several operating modes. One uses a permitted DNS lookup followed by a deceptive TLS connection to another hosted domain. Another combines DNS filtering with inspection gaps in the first packets of a flow. A third may benefit from Encrypted Client Hello, which can conceal the destination hostname from some monitoring systems. A direct-to-IP variant may bypass DNS telemetry altogether by connecting straight to CDN edge addresses.

The operational risks are significant. Malware could use the method to maintain command-and-control channels, proxy traffic out of restricted environments, evade egress policies or move stolen data through infrastructure that appears legitimate. Insider threats and users seeking to bypass network controls may also exploit the same weakness, particularly where organisations rely heavily on domain allowlists.

The issue comes as defenders face growing difficulty distinguishing harmful traffic from legitimate encrypted web sessions. CDNs are essential to website speed, resilience and availability, but their shared architecture creates collateral-risk problems for blocking decisions. Cutting off a trusted CDN edge IP can disrupt legitimate services, while allowing it can leave room for hidden malicious routing.

Threat actors have also become more adept at using ordinary internet services to blend into business traffic. Encrypted tunnels, remote-access tools and proxy services are common features of intrusion campaigns, including operations linked to state-backed and financially motivated groups. Underminr could lower the infrastructure burden for attackers because they may not need to build complex hosting chains to disguise outbound traffic.

Mitigation is unlikely to come from DNS controls alone. Security teams are being urged to correlate DNS requests, resolved IPs, TLS metadata, SNI values, host headers and CDN routing behaviour, rather than treating each layer separately. Stronger egress controls, default-deny policies for high-value systems, endpoint telemetry and anomaly detection around unusual CDN connections can reduce exposure.
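The correlation the article recommends, and the DNS-versus-TLS split described earlier, can be illustrated with a small detection routine. This is an added example, not code from ADAMnetworks or the article; the log field names and the sample DNS and TLS records are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real traffic): DNS answers seen by the
# resolver and TLS ClientHello metadata seen at the egress point, per client.
DNS_LOG = [
    {"ts": 100, "client": "10.0.0.5", "qname": "allowed.example", "answer": "203.0.113.10"},
    {"ts": 101, "client": "10.0.0.5", "qname": "cdn-assets.example", "answer": "203.0.113.10"},
    {"ts": 300, "client": "10.0.0.7", "qname": "allowed.example", "answer": "203.0.113.10"},
]
TLS_LOG = [
    {"ts": 102, "client": "10.0.0.5", "dst": "203.0.113.10", "sni": "allowed.example"},
    {"ts": 103, "client": "10.0.0.5", "dst": "203.0.113.10", "sni": "other-tenant.example"},
    {"ts": 301, "client": "10.0.0.7", "dst": "203.0.113.10", "sni": None},
    {"ts": 400, "client": "10.0.0.9", "dst": "203.0.113.10", "sni": "allowed.example"},
]


def correlate(dns_log, tls_log, window=300):
    """Check each TLS flow against the DNS answers the same client received
    for the same destination IP within `window` seconds, and label it."""
    # (client, answered IP) -> list of (timestamp, queried name)
    resolved = defaultdict(list)
    for rec in dns_log:
        resolved[(rec["client"], rec["answer"])].append((rec["ts"], rec["qname"]))

    findings = []
    for flow in tls_log:
        names = {q for t, q in resolved[(flow["client"], flow["dst"])]
                 if 0 <= flow["ts"] - t <= window}
        if not names:
            verdict = "direct_to_ip"   # no prior lookup explains this edge IP
        elif flow["sni"] is None:
            verdict = "no_sni"         # ECH or absent SNI: DNS alone cannot verify
        elif flow["sni"] in names:
            verdict = "consistent"     # TLS went where the lookup pointed
        else:
            verdict = "sni_mismatch"   # DNS named one tenant, TLS asked for another
        findings.append((flow["client"], flow["dst"], flow["sni"], verdict, sorted(names)))
    return findings


if __name__ == "__main__":
    for f in correlate(DNS_LOG, TLS_LOG):
        print(f)
```

On a shared CDN several permitted names legitimately resolve to one edge IP, so "consistent" only means the SNI matched some name the client resolved; the "no_sni" case is where the Encrypted Client Hello variant leaves DNS-only telemetry blind.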

CDN operators may also face pressure to tighten tenant isolation and routing validation so that requests tied to one resolved domain cannot be redirected to another tenant through shared edge behaviour. The challenge is balancing stricter enforcement with the performance and flexibility that make shared CDNs attractive to website operators.

Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
