Granted that Google is basically the exception here. But when I query the IPs for maps.google.com I get 142.250.179.238, and when I query google.com I get 142.250.200.14.
If I make an HTTP GET request to 142.250.179.238/ (the maps IP) but with the Host header set to "www.google.com", I get the search page returned to me. If I make an HTTP GET request to 142.250.200.14/maps, I get Google Maps.
OK. /maps might be a bad example because, well, google.com/maps is already a thing :-p
So if I make a request to 142.250.179.238 with the host youtube.com, I get YouTube. This is because most of Google's public-facing servers can act as the front door for many other Google services, not just the service that its DNS is set to.
Not really sure if it comes under "domain fronting", because isn't that the tactic many used to bypass censorship: pretend you're connecting to one CloudFront customer when you really wish to connect to another? Whereas Google explicitly configured their services to do this so they can easily load balance as demand and network conditions allow. Anyway, I'm rambling now.
My point is, with Google you can't rely on the IP address alone to determine the service (however, it still wouldn't stop you peeking into the connection and pulling out the Host header unless ESNI was used), but as I said at the start, Google is more the exception here.