SecurityTrails Blog · Apr 26 · by Esteban Borges

Exploring the complete list of Cloudflare public DNS domains

Reading time: 3 minutes

We all know Cloudflare proxy services are rock solid products, but thanks to the way DNS servers and Internet protocols work, they are not as anonymous as most people think.

Cloudflare is one of the most popular all in one performance and security solutions for startups and developers.

Sometimes when you think about Cloudflare your brain automatically associates that word with anonymity. That is because one of their most used services is their CDN network, which acts as a network barrier showing their IP address instead of the origin IP behind which your content is hosted.

We all know Cloudflare proxy services are rock solid products, but thanks to the way DNS servers and Internet protocols work, they are not as anonymous as most people think. Finding the IP address of a website behind Cloudflare can be done pretty easily if you use SecurityTrails, as we learned a few weeks ago.

Today we are moving one step forward: we are excited to show you the complete list of websites powered by Cloudflare public DNS servers.

We’ve spent days finding every single DNS servers Cloudflare uses for their service plans and the big news is that we were able to find out the total number of domains hosted on Cloudflare DNS servers.

Important: this list doesn’t include the custom (private) Name Servers used by Cloudflare business and enterprise solutions, it is focused only on public name servers.

How can I know which websites are powered by Cloudflare?

There are two ways to know which sites are powered by their public name servers.

The first one, where we can do manual queries against SecurityTrails.

Let’s take (one of their Name Servers) as an example:

  1. [Login][login] to your SecurityTrails Account
  2. Enter and hit Submit button.
  3. The list of sites using as NS will appear on your screen (around 27k domain names!)

Now you know how to get the full list of sites using one specific name servers, but as you know Cloudflare handles a lot of name servers, it will be almost impossible to do it manually as they use around 390 public name servers.

The second and most advanced way to get this information is by using the powerful SecurityTrails API.

Last week we played with our powerful API to automate this process with a goal of getting the full list of domains using Cloudflare public DNS Servers by querying each server.

We did this in a for loop for all the 390+ Cloudflare Nameservers, filtering the results to avoid duplicate domain names (as you know Cloudflare DNS works using two DNS servers for each website using their services).

The result was a 61MB CSV file including 3,524,174 unique domain names using Cloudflare public DNS servers.

Do you want to know the exact domain names of these 3,453,488 websites? Download the full list from here.

Now you know that using Cloudflare isn’t as secure as you may think: your sites and their real IPs can get exposed pretty easily using our powerful API.

Are you working for a public or private security or copyright holder agency? If you need to find out more details about any websites that are proxied through Cloudflare network, now you know what is the best way to get this valuable information.

Do you want to play with Cloudflare DNS servers, or explore another company DNS map? Open a free API tier at SecurityTrails today!

Esteban Borges Blog Author

Esteban is a seasoned cybersecurity specialist, and marketing manager with nearly 20 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.

Subscribe to the SecurityTrails newsletter
Sign up for our newsletter today!

Get the best cybersec research, news, tools,
and interviews with industry leaders