
SecurityTrails Blog · Feb 21 · SecurityTrails team

Finding the IP address of a website behind Cloudflare

Cloudflare and other reverse proxy services can make websites faster and safer. One of the benefits of these services is that they add a layer of anonymity to mask a website's hosting provider and other details.

By using a reverse proxy service, it can be very difficult, or even impossible, for an outside party to figure out which hosting provider is serving the website. This allows content owners to remain anonymous and to hide the origin IP address of their web server, shielding the origin from direct attacks.

How can you find out the true hosting provider behind a website protected by Cloudflare?

The way to locate the true hosting provider of a website behind a reverse proxy like Cloudflare is to look for clues from the past or for current misconfigurations. It is important to be aware of the trails a site owner can leave, whether you want to track a site down or, if you are the site owner yourself, to ensure you stay as anonymous as possible. For example, there is a good chance that a website owner did not change, or even firewall, the original web server's IP after moving behind Cloudflare. Even if they did, they may well have stayed with the same hosting provider and IP neighborhood they used before fronting the site with Cloudflare.

By using our historical DNS database, we can find not only the IP where the site was hosted before switching to Cloudflare, but also all of its previous hosting providers.

To do this:

  • Open up DNSTrails.com.
  • Enter the name of the website.
  • Go to the “Historical Data” Block.

There you can see Cloudflare as the current network provider; however, below that, you can also find the previous web hosting providers where the site was hosted, as well as the IP addresses. There is a chance they are still hosted on that network right now.

Case in point: ThePirateBay.org

ThePirateBay.org, a popular torrent network, could be hosted on the same provider where it resided previously. As you can see below, they have been hosted on Datacenter Luxembourg since 2014, although they started using Cloudflare IP protection about 2 years ago:

(Screenshot: Pirate Bay hosting provider history)

On the other hand, many websites only activate Cloudflare to shield IPs for the domain and “www” subdomain records but not for some other subdomains or the MX records.

If the websites are not using any external email provider like Google Apps, Zoho mail, etc., and they host email on the same server, you can also find that information by clicking on the “MX” tab.

While there are other, more involved ways to find out where Cloudflare and other reverse-proxied websites are hosted (such as scanning IPv4 for matching SSL certificates, or fingerprinting text in the HTML, headers, favicons and other identifiers), our historical DNS database is one of the simplest ways to uncover the current web hosting provider behind a Cloudflare-secured website.

Are you doing security research? Need to find out more information about any website powered by Cloudflare? Need to ensure your website is totally locked down? We can help.

Start using DNSTrails or sign up for free SecurityTrails API access today to unveil the power of our intelligent historical DNS, WHOIS and IP database.