Retrieving domain name from TLS Client Hello when Encrypted Client Hello (ECH) is enabled

Hi all,

I’m working on a WFP driver that captures outgoing TLS Client Hello packets to extract the SNI field in order to identify the destination domain. This works fine for regular TLS handshakes. However, when Encrypted Client Hello (ECH) is enabled, the domain name is no longer visible in plaintext, since it’s encrypted inside the Client Hello.

Is there any alternative WFP layer or mechanism that allows retrieving the domain name even when ECH is used? Or, alternatively, is there any reliable way to obtain the domain names for outgoing connections?
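As an added illustration, not code from the original post or from any WFP project, here is a user-mode C parser for the bytes a filter sees at the start of an outgoing TLS connection: it walks the ClientHello record, pulls the host_name out of the server_name extension, and flags the presence of the encrypted_client_hello extension (codepoint 0xfe0d in the ECH drafts). The two sample records and the ECH payload bytes are constructed placeholders. The practical point for a filter is that with ECH the outer ClientHello still carries an SNI, but it is the client-facing server's public_name rather than the real destination, so `actionable_domain` refuses to report it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_RECORD_HANDSHAKE 0x16
#define TLS_HS_CLIENT_HELLO 0x01
#define EXT_SERVER_NAME 0x0000
#define EXT_ENCRYPTED_CLIENT_HELLO 0xfe0d /* codepoint used by the ECH drafts */

struct hello_info {
    char sni[256]; /* host_name from the (outer) SNI extension, or "" */
    bool has_ech;  /* encrypted_client_hello extension present */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the buffer is not a well-formed ClientHello record. */
int parse_client_hello(const uint8_t *buf, size_t len, struct hello_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 5 + 4 || buf[0] != TLS_RECORD_HANDSHAKE) return -1;
    size_t rec_len = rd16(buf + 3);
    if (5 + rec_len > len) return -1;             /* truncated record */
    const uint8_t *p = buf + 5, *end = buf + 5 + rec_len;
    if (p[0] != TLS_HS_CLIENT_HELLO) return -1;
    size_t hs_len = ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3];
    p += 4;
    if (hs_len > (size_t)(end - p)) return -1;
    end = p + hs_len;

    if (end - p < 2 + 32 + 1) return -1;
    p += 2 + 32;                                  /* legacy_version + random */
    size_t sid_len = *p++;                        /* legacy_session_id */
    if (sid_len > (size_t)(end - p)) return -1;
    p += sid_len;
    if (end - p < 2) return -1;
    size_t cs_len = rd16(p); p += 2;              /* cipher_suites */
    if (cs_len > (size_t)(end - p)) return -1;
    p += cs_len;
    if (end - p < 1) return -1;
    size_t comp_len = *p++;                       /* legacy_compression_methods */
    if (comp_len > (size_t)(end - p)) return -1;
    p += comp_len;
    if (end - p < 2) return 0;                    /* no extensions: legal, no SNI */
    size_t ext_total = rd16(p); p += 2;
    if (ext_total > (size_t)(end - p)) return -1;
    end = p + ext_total;

    while (end - p >= 4) {                        /* extension: type(2) len(2) data */
        uint16_t type = rd16(p), elen = rd16(p + 2);
        p += 4;
        if (elen > (size_t)(end - p)) return -1;
        if (type == EXT_ENCRYPTED_CLIENT_HELLO) {
            out->has_ech = true;
        } else if (type == EXT_SERVER_NAME && elen >= 5) {
            /* ServerNameList: list_len(2) name_type(1) name_len(2) host_name */
            size_t list_len = rd16(p);
            if (list_len + 2 > elen) return -1;
            if (p[2] == 0) {                      /* name_type host_name */
                size_t nlen = rd16(p + 3);
                if (nlen + 5 > elen || nlen >= sizeof out->sni) return -1;
                memcpy(out->sni, p + 5, nlen);
                out->sni[nlen] = '\0';
            }
        }
        p += elen;
    }
    return 0;
}

/* The name a filter may act on, or NULL when ECH means the visible SNI is only
   the client-facing server's public_name (or when there is no SNI at all). */
const char *actionable_domain(const struct hello_info *info)
{
    if (info->has_ech || info->sni[0] == '\0') return NULL;
    return info->sni;
}

#define RND32 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0

/* Constructed sample: plain TLS 1.3 ClientHello, SNI = example.com */
static const uint8_t plain_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x43,               /* record: handshake, length 67 */
    0x01, 0x00, 0x00, 0x3f,                     /* ClientHello, length 63 */
    0x03, 0x03, RND32,                          /* legacy_version, random (zeros) */
    0x00,                                       /* session_id length 0 */
    0x00, 0x02, 0x13, 0x01,                     /* cipher_suites: TLS_AES_128_GCM_SHA256 */
    0x01, 0x00,                                 /* compression: null */
    0x00, 0x14,                                 /* extensions length 20 */
    0x00, 0x00, 0x00, 0x10, 0x00, 0x0e, 0x00, 0x00, 0x0b,
    'e','x','a','m','p','l','e','.','c','o','m',
};

/* Constructed sample: outer ClientHello with ECH; SNI is the public_name */
static const uint8_t ech_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x4e,               /* record length 78 */
    0x01, 0x00, 0x00, 0x4a,                     /* ClientHello length 74 */
    0x03, 0x03, RND32,
    0x00,
    0x00, 0x02, 0x13, 0x01,
    0x01, 0x00,
    0x00, 0x1f,                                 /* extensions length 31 */
    0x00, 0x00, 0x00, 0x13, 0x00, 0x11, 0x00, 0x00, 0x0e,
    'p','u','b','l','i','c','.','e','x','a','m','p','l','e',
    0xfe, 0x0d, 0x00, 0x04, 0xaa, 0xbb, 0xcc, 0xdd, /* encrypted_client_hello, placeholder payload */
};

static void report(const char *label, const uint8_t *b, size_t n)
{
    struct hello_info info;
    if (parse_client_hello(b, n, &info) != 0) { printf("%s: malformed\n", label); return; }
    const char *d = actionable_domain(&info);
    printf("%s: sni=\"%s\" ech=%s actionable=%s\n", label, info.sni,
           info.has_ech ? "yes" : "no", d ? d : "(none)");
}

int main(void)
{
    report("plain", plain_hello, sizeof plain_hello);
    report("ech", ech_hello, sizeof ech_hello);
    return 0;
}
```

Every length field is bounds-checked against the enclosing structure before it is used, since a filter parses bytes chosen by the peer process; a truncated or inconsistent record is rejected rather than partially trusted.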

To do this you need to MITM all HTTPS traffic (to see the DoH requests used to exchange keys). This is a deep topic involving WFP flow interception, an understanding of PKI, HTTPS and TLS.

Not something to undertake lightly, and highly prone to error.

Jason

You mean setting up a proxy and data decryption? Because DoH and ECH encrypt the domain name and I couldn’t find the domain name anywhere else.