View the IP address of a website behind CloudFlare

Cloudflare website 720

When you are a cybersecurity professional, it is sometimes needed to get the real IP address of a website which is using Cloudflare as a security layer.

Reverse proxy services, like Cloudflare, are like bodyguards for websites. They not only make websites faster and safer, but they also help keep the true identity of the website a secret. has been using it for years now.

If you want to find out where a website is hosted when it’s protected by Cloudflare, you need to become a bit of a detective. You’ll have to look for clues that might have been left behind by mistake.


NMAP dns-brute scriptEnumerate (sub)domains with Nmap. Use it to get a listing of potentially interesting (sub)domains.
WhoIS7.ruUse it to retrieve WhoIS information
DigQuickly retrieve A and MX records
Alvosec XML-RPC guideGet WordPress IP address with XML-RPC
VirusTotal and URLscanBoth platforms can be used to get IP information and domain history.
CrimeFlareThis tool by ZidanSec helps you to find IP addresses of CloudFlare protected sites
7 Tools to help you find the real IP address behind CloudFlare protected sites

Use DNS records

Start by checking the website’s DNS records. Think of these as the footprints that the website leaves behind. You can use tools like Whois or Dig to look up these records.


Websites often have little siblings called subdomains. These are like different sections of the same site. You can try to guess their names or use tools to find them.

You can use a tool like Nmap with a special script or just use tools that can help you list subdomains.

Web Applications

In some cases, web applications are installed. These might provide the real IP address. So keep an eye out for them and learn more about the Web Application as soon as you find one.

WordPress XML-RPC

You can find an IP address by making pingback XMLRPC calls. In WordPress, there’s a feature called pingback that lets one website tell another website when they’ve added a link to it. You can use this function of WordPress to get the actual IP address of the domain you are trying to identify. Alvosec provided a nice guide on how to do this.

Alvosec script for XML-RPC to get WordPress IP
Alvosec script for XML-RPC to get WordPress IP


This platform thrives on crowdsourced intelligence and the information you want, can be access for free. Make use of Virustotal and search for the domain you want. Once you have the report open, navigate to the ‘relations’ tab. There you will find a history of IP addresses bound to the specific domain you searched for.

VirusTotal Relations tab showing DNS history.
VirusTotal Relations tab showing DNS history.


Another tool which you should try is the platform. This is also free, and with some luck, the domain might have been indexed before it got protected by Cloudflare. Navigate to and use the following command to quickly get the info you want.

Search for the domain on
Search for the domain on


You can also try the CrimeFlare tool created by ZidanSec. You simply visit the website, provide the domain and you will get an IP address back. You can also download it on Github.

So here you have it, a collection of tools that you can use to identify the real IP address behind a Cloudflare protected website. If this guide has helped you forward, please do share it around.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author