Hackers Use ‘Underminr’ to Bypass DNS Security via CDNs

Cybersecurity researchers have uncovered a sophisticated technique that allows attackers to bypass protective DNS filtering by abusing shared Content Delivery Network (CDN) infrastructure. The method enables malicious traffic to masquerade as legitimate connections by hiding behind trusted domains—creating a dangerous blind spot for enterprise defenses.

The technique, identified by researchers at ADAMnetworks and dubbed “Underminr,” leverages weaknesses in how security systems validate DNS queries, TLS sessions, and CDN edge routing.

By manipulating these layers, attackers can establish connections that appear harmless at first glance while secretly communicating with attacker-controlled infrastructure.


How the Underminr Technique Works

In a typical scenario, a user’s system performs a DNS lookup for a trusted domain—such as whatismyipaddress.com—which is allowed by protective DNS (PDNS) controls.

However, the subsequent encrypted TLS connection is silently redirected to a different malicious domain, for example evilsite.ai, hosted on the same shared CDN edge IP.

Because both domains share the same underlying infrastructure, security tools that rely solely on DNS reputation or initial TLS inspection often fail to detect the mismatch.

This allows malicious traffic to pass through security layers undetected, effectively bypassing one of the most widely used enterprise controls.


Why Shared CDN Infrastructure Creates a Security Blind Spot

Modern CDNs host thousands—sometimes millions—of domains on shared IP addresses. While this architecture improves performance and scalability, it also introduces a key security risk: cross-tenant abuse.

Unlike traditional domain fronting—which major cloud providers restricted around 2018—Underminr operates differently:

  • Uses legitimate DNS responses
  • Manipulates the TLS Server Name Indication (SNI)
  • Alters HTTP Host headers
  • Maintains seemingly valid connections throughout

This makes detection far more difficult, as the traffic appears consistent with legitimate user activity.


Attack Capabilities and Real-World Impact

Once deployed, the Underminr technique allows attackers to perform a wide range of malicious activities while blending into normal network traffic:

  • Command-and-Control (C2) communications
  • Data exfiltration
  • VPN tunneling
  • Security policy evasion

Researchers identified four primary attack modes:

1. Simple Mode
Uses a benign DNS lookup followed by a deceptive SNI during TLS connection.

2. Split Mode
Begins with a legitimate connection before switching to a malicious endpoint to evade deep packet inspection (DPI).

3. ECH Mode
Leverages Encrypted Client Hello (ECH) to fully conceal SNI information, preventing visibility into the target domain.

4. Direct-to-IP Mode
Bypasses DNS entirely by connecting directly to CDN edge IPs, eliminating DNS logs as a detection source.

These methods align with MITRE ATT&CK techniques such as protocol tunneling and abuse of external remote services, highlighting their relevance in advanced threat campaigns.


Links to Advanced Threat Actors

Researchers note that similar tactics have been observed in campaigns linked to nation-state–aligned threat groups, including China-associated actors such as:

  • Flax Typhoon
  • GALLIUM

These groups have historically used tools like SoftEther VPN and custom tunneling methods to maintain persistence and evade detection in enterprise environments.

The introduction of Underminr-like techniques further enhances their ability to operate covertly within trusted network channels.


Why DNS-Based Security Is No Longer Enough

Protective DNS has long been considered a foundational layer of enterprise security. However, Underminr demonstrates that DNS filtering alone is no longer sufficient.

Organizations that rely only on:

  • DNS reputation filtering
  • Basic TLS inspection
  • Incomplete traffic visibility

are particularly vulnerable.

Without correlating DNS queries with actual connection endpoints and TLS metadata, security teams may miss critical indicators of compromise.


Defensive Measures and Mitigation Strategies

To counter this emerging threat, ADAMnetworks recommends a shift toward multi-layered traffic analysis:

  • Correlate DNS queries with TLS and connection metadata
  • Monitor actual destination endpoints, not just domain lookups
  • Implement full proxying and traffic inspection where possible
  • Enhance visibility into CDN-based traffic patterns
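The first two recommendations above, and the DNS-to-SNI mismatch described under "How the Underminr Technique Works", can be checked with a small correlation pass over DNS and TLS logs. The following is an added example, not ADAMnetworks' tooling; the log layout (a Zeek-like tab-separated format) and all hosts, names and addresses in it are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not from the article), Zeek-style tab-separated:
#   ts  client  dns  <qname>   <answer_ip>
#   ts  client  tls  <dst_ip>  <sni>      (empty sni = none observed)
SAMPLE_LOG = """\
1.0\t10.0.0.5\tdns\twhatismyipaddress.com\t203.0.113.10
1.2\t10.0.0.5\ttls\t203.0.113.10\twhatismyipaddress.com
2.0\t10.0.0.5\tdns\twhatismyipaddress.com\t203.0.113.10
2.3\t10.0.0.5\ttls\t203.0.113.10\tevilsite.ai
3.0\t10.0.0.7\ttls\t203.0.113.10\tcdn-hosted.example
4.0\t10.0.0.9\tdns\tcdn-hosted.example\t203.0.113.10
4.1\t10.0.0.9\ttls\t203.0.113.10\t
"""

WINDOW = 300.0  # seconds a DNS answer is allowed to "explain" a later connection


def correlate(log_text, window=WINDOW):
    """Return alerts as (ts, client, dst_ip, sni, reason).

    A TLS connection is considered explained only if the same client resolved
    the SNI name to the destination IP within `window` seconds beforehand.
    Anything else maps to one of the article's modes: a deceptive SNI on a
    legitimately resolved IP, a missing SNI (ECH), or a direct-to-IP connect.
    """
    resolved = defaultdict(dict)  # (client, answer_ip) -> {qname: last_ts}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, kind, a, b = line.split("\t")
        ts = float(ts)
        if kind == "dns":
            resolved[(client, b)][a] = ts  # a = qname, b = answer IP
            continue
        dst_ip, sni = a, b
        names = {n for n, t in resolved[(client, dst_ip)].items() if ts - t <= window}
        if not names:
            alerts.append((ts, client, dst_ip, sni, "no DNS resolution for destination (direct-to-IP)"))
        elif not sni:
            alerts.append((ts, client, dst_ip, sni, "TLS without SNI (possible ECH)"))
        elif sni not in names:
            alerts.append((ts, client, dst_ip, sni, "SNI does not match resolved name(s): " + ", ".join(sorted(names))))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

In production the same join must also account for DNS-over-HTTPS, which removes the resolver-side DNS record entirely, and for ECH, where the visible outer SNI is the CDN's public name rather than an empty field.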

The company has also introduced:

  • A threat intelligence-sharing initiative
  • An online scanning tool to identify domain exposure and misuse

These resources aim to help organizations detect whether their infrastructure is being abused or targeted.


A Growing Risk in the Era of Shared Infrastructure

As IPv4 exhaustion continues to push more services onto shared CDN environments, the risk of cross-tenant abuse is expected to increase.

Security experts warn that techniques like Underminr could scale rapidly—especially if leveraged by automated or AI-driven attack campaigns.

Without coordinated action from:

  • CDN providers
  • Security vendors
  • Domain owners

this attack method could significantly erode trust in DNS-based defenses and force a fundamental shift in how network security is enforced.