Cloudflare is one of my favorite Internet services for webmasters and developers. I use it as a DNS server, we recommend it to our customers and to everybody who needs free CDN and security services. It’s the company that changed forever the concept of a fast & secure website.
The team at Cloudflare has built an amazing service that helps millions of people to accelerate, secure and optimize their websites for free (although they also have premium plans).
Today there are more than 5,000,000 websites using Cloudflare services, for web proxy, SSL certificates or as DNS only servers.
If you are using Cloudflare, then you already know that activating their orange cloud on your DNS records means that your domain record will be powered and going trough Cloudflare proxy servers.
Let’s see this in a practical way running a simple DNS lookup using dig to get the response reflected by Cloudflare proxy servers:
webiste.com uses Cloudflare, and this is the dig response:
www.website.com. 300 IN A 220.127.116.11
That is a Cloudflare IP range, which can be confirmed fast using whois command:
[webtech@localhost ~]$ whois 18.104.22.168 | grep Cloudflare -i NetName: CLOUDFLARENET Organization: Cloudflare, Inc. (CLOUD14)
As you see, we don’t have a way to know where this website is hosted really, we only get Cloudflare IP address, this is good if you want to protect your website.
However, if you are on the other side, making security research, a legal investigation or something that forces you to find out the real IP behind Cloudflare, then let me tell you that you are not alone.
3 methods to Reveal the Real IP address of Website Powered by Cloudflare
While proxy services like Cloudflare can help to hide the real IP address of a website, there are still some handy tricks to reveal the origin IP address behind Cloudflare Nginx Proxy servers.
How can I know if a website uses Cloudflare or not?
Take a look at their headers using the curl command, for example:
[email@example.com ~]$ curl -I https://www.cloudflare.com HTTP/2 200 date: Tue, 18 Jul 2017 13:13:13 GMT content-type: text/html; charset=utf-8 last-modified: Thu, 13 Jul 2017 22:36:06 GMT x-xss-protection: 1; mode=block strict-transport-security: max-age=31536000 x-content-type-options: nosniff x-frame-options: SAMEORIGIN served-in-seconds: 0.002 cf-cache-status: HIT expires: Tue, 18 Jul 2017 17:13:13 GMT cache-control: public, max-age=14400 server: cloudflare-nginx [firstname.lastname@example.org ~]$
If it is powered by Cloudflare you will notice “cloudflare-nginx” in the server line from the headers.
Now let’s see how to reveal the IP address behind Cloudflare services.
1. Online tools
- Crimeflare is a website that is dedicated to revealing Cloudflare powered websites.
- IPHostInfo is another website that can reveal Cloudflare websites IPs, they scan the DNS records and it may be useful sometimes.
- Censys can also help with useful information to find the IP addresses of websites powered by Cloudflare proxy servers.
2. Website History
Whoisrequest website includes a website history that can help you to find previous DNS servers they’ve been using, while this is not actually the real actual IP address, there are chances they are still hosted there, by having their DNS servers you know the nameservers prior to use the Cloudflare DNS servers.
3. Brute forcing DNS records with Nmap
Nmap security scan can help you to reveal origin IP address information. Install Nmap on your server or localhost, and run this command:
nmap -sV -sS -F XX.XX.XX.XX
Replace “XX.XX.XX.XX” with the real IP address of the website.
Expected output from Cloudflare powered servers:
[email@example.com ~]# nmap -sV -sS -F 22.214.171.124 Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-18 02:10 -03 Nmap scan report for 126.96.36.199 Host is up (0.029s latency). Not shown: 96 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Cloudflare nginx 443/tcp open ssl/http Cloudflare nginx 8080/tcp open http Cloudflare nginx 8443/tcp open ssl/http Cloudflare nginx
That will confirm if the website is protected by Cloudflare or not.
This other handy command will brute force the DNS records to see if we can get additional information. DNS servers can offer a lot of useful information, for example, the “mail” DNS record usually points that you are targeting a mail server, or in this case, the entry “direct”, widely used by Cloudflare may point to the real IP address of the website.
Let’s see some examples:
nmap --script dns-brute www.website.com
Nmap scan report for website.com (188.8.131.52) Host is up (0.085s latency). rDNS record for 184.108.40.206: ec2-154-210-69-18.us-west-1.compute.amazonaws.com. Host script results: | dns-brute: | DNS Brute-force hostnames: | mail.website.com - 220.127.116.11 | ftp.website.com - 18.104.22.168 | cpanel.website.com - 22.214.171.124 | whm.website.com - 126.96.36.199 | webmail.website.com - 188.8.131.52 |_ www.website.com - 184.108.40.206
This may expose the real server’s origin IP address behind Cloudflare.
In my experience, the most useful tools are the online ones, as Nmap and other command-line based tools most of the time will fail due to firewall and network restrictions on the networks.
While Cloudflare idea of hiding IP addresses behind the proxy for their web acceleration and CDN is really good, sometimes it is widely used and abused by warez, phishing and other sources of malicious type websites that are often investigated, in this cases finding Cloudflare websites IP address is a little bit more tricky than normal websites that do not use any Cloud Proxy services.
Do you know other ways to get bypass and get origin IP address behind Cloudflare?