Find Out the Real IP Behind CloudFlare


So, you’ve come across an interesting website. You, being a geek, want to find out the website’s IP address. You have many ways to achieve this, but let’s say you use an online tool. You go to WhoIsHostingThis.com and type in the website’s domain. Then you get this kind of result:

Checking a CloudFlare-activated domain/website with an online tool

The webmaster of shoppingsuggest.com has set up the CloudFlare CDN on his website. The IP address shown in the screenshot above, 104.28.5.50, belongs to CloudFlare. That server does indeed serve the website (that is how a content delivery network like CloudFlare works), but the website’s original server surely isn’t the one listed above. So, how do you find the real server, rather than CloudFlare, which is just the middleman here?

The background

CloudFlare routes HTTP traffic, but the website owner probably wants to use FTP/SSH with his site as well, to transfer files with programs like WinSCP or to get command line access with PuTTY. So, when the webmaster adds his site to CloudFlare, it suggests a certain configuration for him. It usually goes like this: the domain itself and the www subdomain go through CloudFlare’s servers. However, without additional configuration, FTP/SSH access to domain.com (or www.domain.com) wouldn’t work anymore. Remember, CloudFlare does not support SSH traffic, because SSH traffic doesn’t support CloudFlare.

The solution is an additional subdomain, suggested by CloudFlare, that is not configured to go through their CDN network. So, in the initial configuration, CloudFlare also suggests that the subdomain (or, in geek speak, CNAME) mail.domain.com is added to the DNS configuration without being routed through CloudFlare. This way, the webmaster gets direct access to his original server, completely bypassing the CDN service.

As pointed out, those added subdomains are actually CNAMEs (canonical names): aliases for the original domain. They can be named whatever you like. Continuing the thought, the webmaster can certainly use mail.domain.com to connect to any service located on domain.com, be it FTP, mail or whatever. Remember, it’s only an alias of the domain, whose purpose is to let you connect directly to the original server’s non-HTTP services with a memorable name. The actual alias name (mail in this case) doesn’t matter; you can use it for all non-mail related connections as well!

Revealing the IP

As the CNAMEs discussed above are not routed through the CloudFlare network, they point directly to the original server. Now you just have to find out the IP address of mail.domain.com, which in this example is mail.shoppingsuggest.com. Ping it in Command Prompt:

Pinging a domain on Windows Command Prompt

Or with the online tool WhoIsHostingThis.com:

Checking the IP of a non-CloudFlare subdomain with an online tool

There you go, a different IP. This time it’s the real one: 23.239.12.197, belonging to Linode, a VPS hosting company.

Does this always work?

This method has some caveats. First, what if the website owner knows this trick and has changed the CNAMEs in his CloudFlare settings to less obvious names than mail or ftp? There’s no way for us outside users to discover those subdomains. Or what if he has removed the CNAMEs completely because he doesn’t need FTP/SSH access to his website? To be honest, I don’t know if it’s a good idea, but you never know. However, webmasters usually don’t bother changing the default settings in CloudFlare, which allows curious people to snoop out the real IP addresses with this method.
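The flip side of those caveats is that a site owner can check for this exposure themselves. Below is an added example (not code from the original post) that walks a zone export, follows CNAME chains, and flags every hostname that resolves to an address outside the CDN’s published ranges. The zone is constructed from the article’s values, and the CloudFlare range list is an illustrative subset that must be refreshed from https://www.cloudflare.com/ips-v4 before relying on it.

```python
import ipaddress

# Illustrative subset of CloudFlare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# The list changes over time; refresh it from that URL before relying on this check.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/12", "172.64.0.0/13", "162.158.0.0/15", "173.245.48.0/20",
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "131.0.72.0/22",
)]

# Constructed zone export using the article's values: name -> (record type, target).
SAMPLE_ZONE = {
    "shoppingsuggest.com":      ("A", "104.28.5.50"),               # proxied: CloudFlare edge
    "www.shoppingsuggest.com":  ("CNAME", "shoppingsuggest.com"),
    "mail.shoppingsuggest.com": ("A", "23.239.12.197"),             # default non-proxied record
    "ftp.shoppingsuggest.com":  ("CNAME", "mail.shoppingsuggest.com"),
}


def is_cloudflare(ip: str, ranges=CLOUDFLARE_V4) -> bool:
    """True if the address falls inside one of the CDN's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def resolve_in_zone(zone: dict, name: str, max_hops: int = 8):
    """Follow CNAME chains inside the zone; return the final IPv4 or None."""
    for _ in range(max_hops):
        rtype, target = zone.get(name, (None, None))
        if rtype == "A":
            return target
        if rtype != "CNAME":
            return None            # external or missing name: nothing to judge here
        name = target
    return None                    # CNAME loop or chain too long


def audit_zone(zone: dict, ranges=CLOUDFLARE_V4) -> dict:
    """Map each hostname that resolves to a non-CDN address to that address."""
    exposed = {}
    for name in zone:
        ip = resolve_in_zone(zone, name)
        if ip is not None and not is_cloudflare(ip, ranges):
            exposed[name] = ip
    return exposed


if __name__ == "__main__":
    for host, ip in audit_zone(SAMPLE_ZONE).items():
        print(f"{host} -> {ip} (origin reachable directly, not behind CloudFlare)")
```

Any hostname the script lists is one that should be renamed to something unguessable, removed, or moved behind the proxy, depending on whether the owner still needs direct access.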
