Reveal Real IP address of Website Powered by CloudFlare

Cloudflare is one of my favorite Internet services for webmasters and developers. I use it as a DNS server, we recommend it to our customers and to everybody who needs free CDN and security services. It’s the company that changed forever the concept of a fast & secure website.

The team at Cloudflare has built an amazing service that helps millions of people to accelerate, secure and optimize their websites for free (although they also have premium plans).

Today there are more than 5,000,000 websites using Cloudflare services, for web proxy, SSL certificates or as DNS only servers.

If you are using Cloudflare, then you already know that activating their orange cloud on your DNS records means that your domain record will be powered and going trough Cloudflare proxy servers.

Let’s see this in a practical way running a simple DNS lookup using dig to get the response reflected by Cloudflare proxy servers: uses Cloudflare, and this is the dig response: 300 IN A

That is a Cloudflare IP range, which can be confirmed fast using whois command:

[webtech@localhost ~]$ whois | grep Cloudflare -i
Organization: Cloudflare, Inc. (CLOUD14)

As you see, we don’t have a way to know where this website is hosted really, we only get Cloudflare IP address, this is good if you want to protect your website.

However, if you are on the other side, making security research, a legal investigation or something that forces you to find out the real IP behind Cloudflare, then let me tell you that you are not alone.

3 methods to Reveal the Real IP address of Website Powered by Cloudflare

While proxy services like Cloudflare can help to hide the real IP address of a website, there are still some handy tricks to reveal the origin IP address behind Cloudflare Nginx Proxy servers.

How can I know if a website uses Cloudflare or not?

Take a look at their headers using the curl command, for example:

[[email protected] ~]$ curl -I
HTTP/2 200 
date: Tue, 18 Jul 2017 13:13:13 GMT
content-type: text/html; charset=utf-8
last-modified: Thu, 13 Jul 2017 22:36:06 GMT
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
served-in-seconds: 0.002
cf-cache-status: HIT
expires: Tue, 18 Jul 2017 17:13:13 GMT
cache-control: public, max-age=14400
server: cloudflare-nginx
[[email protected] ~]$

If it is powered by Cloudflare you will notice “cloudflare-nginx” in the server line from the headers.

Now let’s see how to reveal the IP address behind Cloudflare services.

1. Online tools

  • Crimeflare is a website that is dedicated to revealing Cloudflare powered websites.
  • IPHostInfo is another website that can reveal Cloudflare websites IPs, they scan the DNS records and it may be useful sometimes.
  • Censys can also help with useful information to find the IP addresses of websites powered by Cloudflare proxy servers.
Censys often reveals critical information that can help you to find the original IP address behind Cloudflare
Screenshot of Censys, an online service that often reveals critical information that can help you to find the original IP address behind Cloudflare

2. Website History

Whoisrequest website includes a website history that can help you to find previous DNS servers they’ve been using, while this is not actually the real actual IP address, there are chances they are still hosted there, by having their DNS servers you know the nameservers prior to use the Cloudflare DNS servers.

3. Brute forcing DNS records with Nmap

Nmap security scan can help you to reveal origin IP address information. Install Nmap on your server or localhost, and run this command:

nmap -sV -sS -F XX.XX.XX.XX

Replace “XX.XX.XX.XX” with the real IP address of the website.
Expected output from Cloudflare powered servers:

[[email protected] ~]# nmap -sV -sS -F

Starting Nmap 7.40 ( ) at 2017-07-18 02:10 -03
Nmap scan report for
Host is up (0.029s latency).
Not shown: 96 filtered ports
80/tcp open http Cloudflare nginx
443/tcp open ssl/http Cloudflare nginx
8080/tcp open http Cloudflare nginx
8443/tcp open ssl/http Cloudflare nginx

That will confirm if the website is protected by Cloudflare or not.

This other handy command will brute force the DNS records to see if we can get additional information. DNS servers can offer a lot of useful information, for example, the “mail” DNS record usually points that you are targeting a mail server, or in this case, the entry “direct”, widely used by Cloudflare may point to the real IP address of the website.

Let’s see some examples:

nmap --script dns-brute


Nmap scan report for (
Host is up (0.085s latency).
rDNS record for

Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| -
| -
| - 
| -
| -  
|_ -

This may expose the real server’s origin IP address behind Cloudflare.


In my experience, the most useful tools are the online ones, as Nmap and other command-line based tools most of the time will fail due to firewall and network restrictions on the networks.

While Cloudflare idea of hiding IP addresses behind the proxy for their web acceleration and CDN is really good, sometimes it is widely used and abused by warez, phishing and other sources of malicious type websites that are often investigated, in this cases finding Cloudflare websites IP address is a little bit more tricky than normal websites that do not use any Cloud Proxy services.

Do you know other ways to get bypass and get origin IP address behind Cloudflare?


About the Author: Santiago Borges

Experienced Sr. Linux SysAdmin and Web Technologist, passionate about building tools, automating processes, fixing server issues, troubleshooting, securing and optimizing high traffic websites.


Leave a Reply

Your email address will not be published. Required fields are marked *