Cloudflare and other reverse proxy services can make websites faster and safer. One of the benefits of these services is that they add a layer of anonymity to mask a website’s hosting provider and other details.
By using a reverse proxy service, it can be very difficult or even impossible for someone on the outside to figure out who the hosting provider is that’s originating the website. This makes it possible for content owners to remain anonymous and hide the origin IP address of their web server to protect the originating server from attacks.
How can you find out the true hosting provider behind a website protected by Cloudflare?
The way to locate the true hosting provider of a website behind a reverse proxy like Cloudflare is to look for clues from the past or current misconfigurations. It is important to be aware of the trails a site owner can leave in order to track them down, or, if you are the site owner yourself, to ensure you stay as anonymous as possible. For example, there’s a good chance that a website owner didn’t change or even firewall the original web server’s IP. If they did, it’s possible that they stayed with the same hosting provider IP neighborhood before they switched to front ending the site with Cloudflare.
By using a historical DNS database, we can find out not only the IP where the site was hosted before switching to Cloudflare, we can also uncover all the previous hosting providers.
To do this:
- Open up DNSTrails.com.
- Enter the name of the website.
- Go to the “Historical Data” Block.
There you can see Cloudflare as the current network provider; however, below that, you can also find the previous web hosting providers where the site was hosted, as well as the IP addresses. There is a chance they are still hosted on that network right now.
Case in point: ThePirateBay.org
ThePirateBay.org, a popular torrent network, could be hosted on the same provider where it resided previously. As you can see below, they have been hosted on Datacenter Luxembourg since 2014, although they started using Cloudflare IP protection about 2 years ago:
On the other hand, many websites only activate Cloudflare to shield IPs for the domain and “www” subdomain records but not for some other subdomains or the MX records.
If the websites are not using any external email provider like Google Apps, Zoho mail, etc., and they host email on the same server, you can also find that information by clicking on the “MX” tab.
While there are other complex ways to find out where Cloudflare and other reverse proxied websites are hosted (like scanning IPv4 for SSL certificates, text fingerprints in the HTML and headers, Favicons and other identifiers), a historical DNS database is one of the simplest strategies to uncover your Cloudflare secured website’s current web hosting provider.
Now you know how to find the real IP address of the website which is behind CloudFlare.
Learn something new everyday!