Disclaimer: The information in this article is provided for educational purpose only. The techniques described are commonly used by security researchers and penetration testers to evaluate the effectiveness of Web Application Firewall (WAF) deployments and to ensure that origin servers are properly protected.
Web application firewalls (WAFs) and the CDNs that power them—Cloudflare, Akamai, Amazon CloudFront, Fastly, etc.—sit between visitors and a site’s origin server. They proxy DNS, TLS and HTTP traffic, masking the real IP of the web server to reduce DDoS risk, absorb malicious traffic, and speed up content delivery. However, in certain cases—such as when performing a penetration test, troubleshooting performance issues, or verifying that private services are truly hidden—it becomes important to identify the actual backend server.
This is where guides on How To Find Real IP Behind CloudFlare and other WAF solutions come into play, helping security professionals confirm whether their protective layers are correctly configured.
Why You Might Need the Real IP
- Validate security posture: Confirm that sensitive services (SSH, RDP, admin panels) are not directly exposed once the WAF is bypassed.
- Accurate vulnerability scanning: Many scanners fail when they only hit the CDN; talking to the origin reveals the true patch level and software stack.
- Latency or routing analysis: Knowing where the server actually lives lets you optimise peering, choose nearer PoPs, or relocate workloads.
- Incident response: If an attacker is targeting your backend IP directly, you need to see that traffic and block at the edge firewall.
Manual Step-by-Step Workflow to Find the Real IP Behind WAF
The goal is to gather tiny leaks—DNS records, certificates, mis-routed sub-domains—and confirm a live HTTP/S response that matches the target hostname.
Baseline DNS look-ups
- Look up the A records (IPv4/IPv6) of the domain using tools like
dig,nslookup, or online services like nslookup.io. - If the WAF is in place, the returned addresses usually belong to the provider (e.g., Cloudflare ranges).
- A quick sanity check is to try different subdomains (e.g.,
mail.domain.com,ftp.domain.com) to see if any are pointed directly to the origin server instead of the WAF.
Manual Testing of Returned Addresses
- Sometimes domains have multiple A records.
- You can check each one manually in the browser or with
curl. - If the WAF is active, you’ll usually see an error page or a block message. If you find one address that bypasses the WAF, it may be the origin server.
Use Shodan
- Shodan is a search engine for internet-connected devices.
- Enter the domain name, known IPs, or SSL certificate details.
- Why useful? Shodan stores historical scans of servers, including open ports, banners, and services. You may find the server’s IP address before it was placed behind the WAF, or other exposed services still resolving to the origin.
Check SecurityTrails
- SecurityTrails provides historical DNS data.
- You can review past A records (before the WAF was enabled).
- Why useful? If the website was once exposed directly, older records might still point to the origin IP. Even if the DNS has been updated, the origin may still respond at that address.
Use FOFA
- FOFA.info is a Chinese internet asset search engine (similar to Shodan or Censys).
- It indexes domains, IPs, SSL certificates, and services.
- You can search for the domain or related certificates to discover IP addresses tied to it.
- Just like with Shodan, testing those addresses in the browser can reveal whether one is the live origin.
⚠️ Important Notes. Running these tests on systems you don’t own or don’t have permission to audit may be illegal. Always limit them to your own infrastructure or with explicit authorization.Used browser extensions to see if the site is protected by a WAF (like Amazon CloudFront).
These techniques are widely used in penetration testing, red teaming, and security audits to ensure proper WAF configuration.
If the WAF is correctly deployed and the origin IP is well-hidden, none of these methods should expose the backend. That’s the ideal security outcome.
Other Ways to Discover the Real IP Address Behind Protection
In addition to DNS history, Shodan, and FOFA, security researchers sometimes use the following methods when testing their own infrastructure to check whether a Web Application Firewall (WAF) or reverse proxy is properly hiding the backend server.
Examine SPF Records
- What it is: SPF (Sender Policy Framework) records are DNS TXT records that define which servers can send email for a domain.
- Why it matters: Sometimes, organizations accidentally include the origin server’s IP in their SPF records.
- How to check:
- Run
dig TXT domain.comor use online SPF checkers. - Look for direct IP addresses or hostnames that might reveal the origin.
- Run
Use ZoomEye
- What it is: ZoomEye is another internet asset search engine, similar to Shodan and FOFA, but widely used in Asia.
- Why it matters: It crawls the global internet and indexes devices, services, and SSL certificates.
- How to use:
- Search by domain, IP, or certificate details.
- Cross-reference results with known WAF ranges. Non-WAF IPs may be the real server.
VirusTotal and AlienVault OTX
- VirusTotal: Aggregates malware scans and network information. When users upload suspicious files or URLs, VT logs associated IPs and domains.
- AlienVault OTX (Open Threat Exchange): A collaborative threat intelligence platform that stores IP/domain relationships.
- Why it matters: Both platforms often contain historical records linking domains to IPs, including those before a WAF was added.
- How to use:
- Search the domain on VirusTotal and AlienVault OTX.
- Review the “Relations” or “Passive DNS” sections for possible origin IPs.
Automating with Bash Scripts
- What it is: Instead of manually checking different sources, security engineers often write simple Bash scripts to automate:
- DNS lookups
- API queries (Shodan, Censys, FOFA)
- Masscurl requests against candidate IPs
- Why it matters: Saves time and ensures consistency when testing multiple domains.
- Example: A script could pull all historical IPs from SecurityTrails, then
curleach one and log which respond with the real site content.
Verification (Hosts File & Burp Suite)
- Hosts file method:
- Add a candidate IP and map it to the target domain in your /etc/hosts (Linux/macOS) or C:\Windows\System32\drivers\etc\hosts (Windows).
- Open the domain in a browser. If it resolves directly to the origin and loads correctly, you’ve verified the IP.
- Burp Suite method:
- Configure Burp Suite to intercept traffic.
- Send requests directly to the candidate IP while setting the Host header to the target domain.
- If the server responds with the correct website content, that confirms the origin.
Comparative Overview of WAF / WAAP Solutions
| Provider / Solution | Type and Deployment Options | Example Infrastructure or Edge Nodes | Countries / Global Presence |
|---|---|---|---|
| Cloudflare WAF | Cloud‑based WAF, CDN, reverse proxy | Global Anycast edge network, HTTP reverse proxy | Operates in 100+ countries, hundreds of cities |
| Imperva WAF | Cloud WAF + on-site appliance hybrid deployment | Gateway filtering layer, DDoS scrubbing centres | Global deployment; ~45 DDoS scrubbing centers |
| AWS WAF | Cloud service integrated with AWS Application Gateway | Deployed across AWS edge infrastructure | Global AWS regions |
| Akamai App & API Protector | Cloud-based WAF + DDoS protection | Akamai edge network with IP scoring mechanisms | Global Akamai CDN presence |
| Fortinet FortiWeb | Physical appliance, virtual machine, or cloud service | Front-end filter appliances or VM-based deployments | Multi-region, enterprise-focused |
| Imperva (Symantec WAF) | On-premises and hybrid deployment | Deployed as appliance or hybrid gateway | Enterprise-scale but global coverage implied |
| Azure Application Gateway WAF | Cloud-based ADC + WAF integrated into Azure | Runs across Azure edge and regional data centers | Available in Azure global regions |
| Barracuda WAF | Hardware, virtual appliance, private cloud, SaaS | Edge/layer-level WAF appliances | Broad availability, enterprise customers |
| AppTrana (Indusface) | Cloud WAAP (Web Application & API Protection) | Cloud-managed platform | Global, enterprise-grade |
| ModSecurity | Open-source module (Apache, NGINX, IIS), local proxy | Runs on origin or proxy server | Deployable globally due to its open-source nature |
Useful Links & Tools
This table groups web-based services, CLI tools, browser extensions, and automation scripts into one place, making it easy to see their purpose.
| # | Tool / Service | Type | What It Does |
|---|---|---|---|
| 1 | Wappalyzer | Browser extension | Identifies technologies used by a website (CMS, frameworks, analytics) and can detect WAF presence. |
| 2 | Shodan | Search engine | Indexes internet-connected devices and services; allows search by IP, domain, SSL certs, banners, etc. |
| 3 | DNSRecon | CLI tool (Python) | Performs DNS enumeration, record analysis, and reverse lookups for domains. |
| 4 | Nmap | Network scanner | Scans networks/services; detects open ports, SSL/TLS certs, and running services. |
| 5 | ViewDNS | Web service | Provides tools like reverse IP lookup, DNS history, WHOIS, and subdomain finders. |
| 6 | SecurityTrails | DNS/IP intelligence platform | Shows current and historical DNS, IP, and WHOIS data for domains and IPs. |
| 7 | SPF Record Checker | Online checker | Validates and displays SPF (Sender Policy Framework) records for email security. |
| 8 | Favicon Hash Generator | Online utility | Generates hash of a website’s favicon, often used to identify technologies or clusters of sites. |
| 9 | Censys | Search engine | Provides data on hosts, domains, and SSL certs by scanning the global internet. |
| 10 | FOFA | Search engine (China) | Similar to Shodan/Censys; indexes IPs, domains, SSLs, and device fingerprints. |
| 11 | ZoomEye | Search engine | Another Shodan/FOFA alternative, mainly popular in Asia; indexes IPs and connected devices. |
| 12 | VirusTotal | Threat intelligence service | Aggregates antivirus scans, passive DNS, and shows related IPs/domains/subdomains. |
| 13 | AlienVault OTX | Threat intel platform | Open community-driven database of IPs/domains linked to malicious or suspicious activity. |
| 14 | Burp Suite | Web security testing tool | Intercepts and manipulates web traffic; used for penetration testing and vulnerability analysis. |
| 15 | httpx | CLI probing tool | Quickly checks availability of IPs/URLs and returns HTTP status codes and server responses. |
| 16 | Multiple URL Opener | Browser extension / tool | Opens or checks multiple URLs/IPs at once, useful for bulk validation. |
| 17 | Bash scripts / one-liners | Command-line automation | Automates enumeration, filtering, and testing of IPs/domains using system tools (dig, curl, grep). |
Conclusion
Unmasking an origin server is rarely a “single click.” Instead, you combine DNS archaeology, certificate intelligence, sub-domain misconfigurations, and direct HTTP probing until evidence converges on the same IP.
While these techniques are essential for red-team assessments and blue-team hardening, always obtain proper authorisation before scanning or connecting; many jurisdictions treat unsolicited direct access as a violation of computer-misuse law.
Used ethically, the process gives you the clarity you need to patch, firewall or relocate services that should never have been exposed.
Frequently Asked Questions
Does WAF have an IP address?
Yes. A cloud WAF like Cloudflare or Akamai uses its own IP ranges, which replace the origin server’s public IP in DNS.
Does Cloudflare hide Origin IP?
Yes. Cloudflare proxies DNS and HTTP traffic, masking the real server IP behind its network.
How to check if a website is behind WAF?
Look at DNS records, HTTP headers, or use tools like Wappalyzer and dig—they reveal if traffic routes through a WAF/CDN.
How do I create an IP set for WAF?
In cloud providers like AWS, you define an IP set (allowed or blocked ranges) and attach it to a WAF rule.
How to hide origin IP?
Point DNS to the WAF/CDN, firewall off direct server access, and allow traffic only from the provider’s IP ranges.
Does Cloudflare 1.1.1.1 hide your IP?
No. 1.1.1.1 is a DNS resolver; it doesn’t mask your IP—it only hides your DNS queries from ISPs.
How to protect an Origin server?
Restrict inbound traffic to only the WAF/CDN’s IP ranges, use ACLs, and close unused ports.
What is Origin IP ACL?
An Access Control List that whitelists only the WAF/CDN IPs to reach the origin server, blocking direct access.
How to use nslookup?
Run nslookup domain.com to resolve DNS records and see which IP addresses are returned.
Does a firewall have an IP address?
Yes. Network firewalls and WAF gateways typically have IPs on the network interface they filter traffic through.
Is a WAF a proxy?
Yes. A cloud WAF acts as a reverse proxy, inspecting and filtering HTTP/HTTPS traffic before it reaches the origin.
