Domain fronting is blocked by all major CDNs (amazon, Google, Cloudflare etc.). Domain fronting "bad" host can be detected/blocked by multi-layered Zscaler engines (IPS, Pagerisk, Yara signatures, sandbox etc.) when SSL decryption/inspection is on.
This method uses a different encrypted host header than the domain in the TLS SNI and DNS entries to hide a malicious domain inside a benign domain request. This leverages the CDN network which decrypts the host header and forwards to the malicious/bad domain after the connection to the valid domain is established. This can be done if the "good" and "bad" domains are in the same infrastructure/ provider such as Google, Amazon, Cloudflare etc.
All of these providers have blocked the use of Domain Fronting in their infrastructure and have effectively limited the practice in the wild.
Zscaler uses a multi-layered approach for threat detection and prevention including Domain Fronting. Zscaler's proxy architecture allows SSL inspection at cloud scale. When SSL inspection is turned on, the encrypted host header is visible to Zscaler and the security engines can be used to implement and restrict access to the "bad domain" and subsequent exploits.
Zscaler not only checks the domain's reputation but also includes content scanning including IPS for web and non-web. Our research team writes Yara signatures for malware files (and portions of malware files) that may be downloaded in the background. Zscaler also evaluates the page features (active content etc.) and creates a page risk score that can restrict access by policy. In addition, ML engines are used with techniques like clustering to detect malicious page features.
Lastly, the behaviour analysis engines in the cloud sandbox run dynamic analysis while detonating a zero-day file. This Zscaler sandbox is inline which allows quarantining and holding the file before it is downloaded even for the first time until a benign verdict.