The Rise of Underminr: Exploiting CDN Edge Infrastructure to Bypass DNS Security
New research from ADAMnetworks has unveiled a sophisticated evasion technique dubbed “Underminr.” This method allows threat actors to bypass traditional DNS-based security controls by weaponizing the shared architectural logic of Content Delivery Networks (CDNs).
At a technical level, the vulnerability stems from the way CDNs multiplex traffic across shared edge IP addresses. In a typical Underminr workflow, a compromised endpoint performs a legitimate DNS lookup for a highly reputable, “known-good” domain (e.g., whatismyipaddress.com).
This query resolves to a specific CDN edge IP address. However, the attacker does not actually communicate with the resolved domain. Instead, they initiate a TLS handshake to that same edge IP but specify a malicious hostname (e.g., evilsite.ai) via the Server Name Indication (SNI) extension or the HTTP Host header. Because the CDN is configured to host thousands of diverse tenants on the same edge nodes, it accepts the connection and routes the traffic to the attacker’s infrastructure, leaving DNS-centric security tools completely blind to the actual destination.
The Detection Gap: DNS Resolution vs. Application-Layer Routing
This mismatch creates a critical visibility gap. Security stacks that rely heavily on DNS telemetry assume that if the DNS query was benign, the subsequent network traffic is also safe. Underminr breaks this assumption of causality. An endpoint may resolve a trusted IP—such as 104.19.223.79—but the actual encrypted session is tethered to an attacker-controlled domain. The CDN acts as a high-speed, legitimate proxy, facilitating Command-and-Control (C2) communications, data exfiltration, or policy evasion under the guise of standard web traffic.
While this bears a resemblance to domain fronting, it is a distinct evolution. Most major CDN providers implemented mitigations against traditional domain fronting around 2018 by enforcing strict parity between the SNI and the HTTP Host header. Underminr, however, circumvents these mitigations by ensuring the DNS layer remains perfectly legitimate. The “front” isn’t a mismatch of headers within a single request, but a mismatch between the resolved address and the intended destination hosted on that same shared infrastructure.

By leveraging these shared environments, adversaries can effectively blend malicious telemetry into the massive noise of legitimate CDN traffic, making signature-based or reputation-based detection nearly impossible.
Observed Attack Modalities
The research identifies several distinct modes of operation that attackers use to adapt to varying defensive postures:
- Simple Mode: Employs a legitimate DNS query followed by a deceptive SNI to reach the malicious destination.
- Split Mode: Establishes a genuine TLS session to satisfy inspection requirements before reconnecting with a malicious SNI.
- ECH Mode: Leverages Encrypted Client Hello (ECH) to hide the true destination hostname from middleboxes and inspection systems.
- Direct-to-IP Mode: Bypasses DNS telemetry entirely by connecting directly to known CDN IP ranges, ensuring no DNS logs are ever generated.
As detailed in the Underminr technical breakdown, these methods significantly lower the barrier to entry. Attackers no longer require complex, bespoke infrastructure; they simply need to find a way to “piggyback” on the existing trust of global CDN providers.
The tactics observed are consistent with those used by sophisticated, China-aligned threat groups such as Flax Typhoon, Webworm, and GALLIUM. These actors often utilize tools like SoftEtherVPN to establish encrypted tunnels that mirror standard HTTPS traffic. These activities map directly to MITRE ATT&CK techniques, specifically T1133 (External Remote Services) and T1572 (Protocol Tunneling).

Mitigation and Defensive Strategies
The Underminr discovery exposes a fundamental flaw in the “Protective DNS” model: DNS can tell you where a user intends to go, but it cannot verify where the application-layer protocol actually lands once it hits a shared edge. To defend against this, organizations must move toward a multi-layered, identity-and-signal-centric approach:
- Cross-Layer Correlation: Implement security monitoring that correlates DNS query logs with TLS handshake metadata (specifically SNI values). Discrepancies between the two should trigger immediate alerts.
- Restrict Direct-to-IP Traffic: Enforce strict egress policies that prevent internal endpoints from communicating with external IP addresses without a preceding, validated DNS resolution.
- Advanced Traffic Analysis: Deploy deep packet inspection (DPI) and behavioral analysis tools capable of detecting anomalies in TLS session patterns, even within encrypted streams.
To assist in this transition, ADAMnetworks is launching a shared threat intelligence initiative and a specialized online assessment tool designed to help enterprises identify their exposure to Underminr and similar CDN-based evasion tactics.