Hackers Bypass Protective DNS Filters Using Shared CDN Edge Abuse
Cybersecurity researchers at ADAMnetworks have uncovered a growing trend: hackers are exploiting shared Content Delivery Network (CDN) infrastructure to bypass protective DNS filtering. Their new research details a stealthy technique that allows malicious traffic to hide behind trusted domains.
The method, dubbed “Underminr,” exploits gaps in how security systems validate DNS requests, TLS connections, and CDN edge routing, enabling attackers to make connections that appear legitimate while secretly communicating with malicious destinations.
In observed cases, a user’s system resolves a trusted domain, such as whatismyipaddress.com, which is permitted by protective DNS (PDNS).
However, the actual encrypted connection is redirected to a different domain, like evilsite.ai, hosted on the same shared CDN edge IP.
Because many enterprise defenses rely on DNS reputation or initial TLS inspection, mismatches between DNS resolution and the final connection target often go undetected, creating a significant blind spot for defenders.
CDN Edge IPs Bypass DNS Filters
Unlike legacy domain fronting mitigated by major cloud providers around 2018, Underminr manipulates SNI and HTTP Host headers while using legitimate DNS responses, making detection and blocking far more difficult.
ADAMnetworks researchers observed that attackers can deploy this technique using simple scripts, malware, or even social engineering methods, such as ClickFix attacks, which trick users into executing commands locally.

Once active, the technique enables a wide range of malicious activity, including command-and-control (C2) communication, data exfiltration, VPN tunneling, and policy circumvention, all while appearing as normal traffic to trusted services.
The report outlines four main attack modes:
- Simple Mode: Uses a deceptive SNI after a legitimate DNS lookup.
- Split Mode: Establishes a benign connection first, then switches to a malicious one to evade DPI.
- ECH Mode: Uses Encrypted Client Hello (ECH) to completely hide SNI details.
- Direct-to-IP Mode: Bypasses DNS logging entirely by connecting directly to CDN edge IPs.
These techniques align with MITRE ATT&CK methods such as protocol tunneling and abuse of external remote services.
They have also been linked to advanced threat groups, including China-aligned actors like Flax Typhoon and GALLIUM, which use tools such as SoftEther VPN to maintain persistence and evade detection.
The broader impact is significant, as protective DNS, long considered a foundational security control, can be rendered ineffective without deeper traffic correlation.
ADAMnetworks warns that organizations relying solely on DNS filtering or partial TLS inspection are particularly vulnerable, especially in environments without full proxying or traffic decryption.

To defend against Underminr, the company recommends correlating DNS queries with connection metadata and monitoring actual connection endpoints.
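The correlation the report recommends can be expressed as a small check over DNS and TLS connection logs. The following is an added example written for this article, not ADAMnetworks' tooling or scanner. It assumes a Zeek-style tab-separated subset of dns.log and ssl.log (timestamp, client, query/answer or destination/SNI), and the log lines, client addresses and the 203.0.113.10 edge IP are constructed for illustration. For each TLS connection it asks whether the client recently resolved the SNI hostname to that destination IP, and flags the four conditions that map to the modes above: a matching name, an SNI that the client never resolved to that IP (Simple/Split Mode), a connection with no SNI at all (ECH Mode), and a connection to an IP the client never looked up (Direct-to-IP Mode).

```python
"""Correlate DNS answers with TLS connection metadata to surface
DNS/SNI mismatches of the kind the Underminr report describes.

Added example, not ADAMnetworks' code. Input is an assumed Zeek-style
tab-separated subset of dns.log and ssl.log; all records below are
constructed sample data (10.0.0.0/8 clients, documentation-range edge IP).
"""
from collections import defaultdict

# Constructed dns.log subset: ts, client_ip, query, answer_ip
DNS_LOG = """\
1700000000.1\t10.0.0.5\twhatismyipaddress.com\t203.0.113.10
1700000001.2\t10.0.0.5\twww.example.com\t203.0.113.20
1700000002.0\t10.0.0.7\tcdn.example.net\t203.0.113.10
"""

# Constructed ssl.log subset: ts, client_ip, dest_ip, sni (may be empty)
SSL_LOG = """\
1700000000.5\t10.0.0.5\t203.0.113.10\twhatismyipaddress.com
1700000001.0\t10.0.0.5\t203.0.113.10\tevilsite.ai
1700000002.5\t10.0.0.7\t203.0.113.10\tcdn.example.net
1700000003.0\t10.0.0.9\t203.0.113.10\t
"""

WINDOW = 300.0  # seconds a DNS answer is treated as fresh (assumed TTL-ish bound)


def parse_dns(text):
    """Index DNS answers as {(client_ip, answer_ip): [(ts, qname), ...]}."""
    index = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split("\t")
        index[(client, answer)].append((float(ts), qname.lower()))
    return index


def parse_ssl(text):
    """Return TLS connections as (ts, client_ip, dest_ip, sni) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, sni = line.split("\t")
        records.append((float(ts), client, dest, sni.lower()))
    return records


def correlate(dns_text, ssl_text, window=WINDOW):
    """Return (verdict, client, dest, sni, names_resolved_to_dest) per connection.

    Verdicts: OK            SNI matches a name the client resolved to dest
              SNI_MISMATCH  client resolved some name to dest, but not this SNI
              NO_SNI        TLS hello carried no SNI (ECH or none); cannot confirm
              NO_DNS        client never resolved anything to dest (direct-to-IP)
    """
    dns_index = parse_dns(dns_text)
    findings = []
    for ts, client, dest, sni in parse_ssl(ssl_text):
        recent = [q for (qts, q) in dns_index.get((client, dest), [])
                  if 0 <= ts - qts <= window]
        if not recent:
            verdict = "NO_DNS"
        elif not sni:
            verdict = "NO_SNI"
        elif sni in recent:  # exact match only; no wildcard/CNAME handling
            verdict = "OK"
        else:
            verdict = "SNI_MISMATCH"
        findings.append((verdict, client, dest, sni, sorted(set(recent))))
    return findings


if __name__ == "__main__":
    for verdict, client, dest, sni, names in correlate(DNS_LOG, SSL_LOG):
        print(f"{verdict:13} {client} -> {dest} sni={sni or '<none>'} resolved={names}")
```

On the constructed data the second connection from 10.0.0.5 is reported as SNI_MISMATCH (the client resolved whatismyipaddress.com to the edge IP but presented evilsite.ai), and the connection from 10.0.0.9 as NO_DNS. In a real deployment NO_SNI and NO_DNS are triage signals rather than verdicts, since ECH adoption and legitimate direct-to-IP clients produce both; the value is in joining the two logs per client so that the resolved name and the presented name can be compared at all.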
Additionally, a new threat intelligence-sharing initiative and an online scanning tool have been introduced to help organizations determine whether their domains are vulnerable or being abused.
As IPv4 exhaustion continues to push more services onto shared infrastructure, the risk of cross-tenant abuse is expected to grow, raising concerns that attackers and potentially AI-driven campaigns could scale this technique globally.
Without coordinated mitigation across CDN providers, domain owners, and security vendors, Underminr could significantly weaken trust in DNS-based defenses and reshape how network security is enforced.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.