How to Bypass CDN and Discover a Website’s Real IP Address
This guide explains why penetration testers need a target’s true IP, how to detect CDN usage, and provides step‑by‑step techniques—including same‑country queries, sub‑domain probing, DNS history checks, FOFA searches, email reverse lookup, and full‑network scanning—to uncover the real server address.
During the information‑gathering phase of a penetration test, obtaining the real IP of a target site is essential because CDNs often mask the origin server, making further enumeration ineffective.
Detecting CDN Presence
Common methods to verify whether a domain is behind a CDN include:
Running nslookup (or dig) and checking whether the domain resolves to several IPs or through a CNAME into another provider's domain. Several A records usually indicate CDN distribution, but plain round‑robin load balancing on one server farm looks the same, so treat a multi‑IP answer as a hint rather than proof.
Using online ping services (e.g., http://www.17ce.com, http://ping.chinaz.com, http://ping.aizhan.com, http://ce.cloud.360.cn) to ping the target from various regions and comparing the returned IPs; when each region is answered by a different address, the site is being served from CDN edge nodes.
Employing dedicated CDN‑detection websites such as http://www.cdnplanet.com/tools/cdnfinder/ or IP‑location services like http://www.ipip.net/ip.html.
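The checks above can be scripted. The following is an added example, not code from the article: it resolves a domain through the local resolver, and separately classifies evidence you have already collected (A records per vantage point from the ping services, plus the CNAME chain) into a verdict. The CNAME suffix list is an assumed starter list to be extended; the vantage‑point names in the usage block are placeholders.

```python
"""Classify a domain as CDN-fronted from DNS evidence (added example)."""
import socket
from typing import Dict, List, Set, Tuple

# Starter list (assumption): CNAME suffixes commonly used by CDN providers.
KNOWN_CDN_SUFFIXES = (
    ".cloudfront.net", ".akamaiedge.net", ".edgekey.net", ".edgesuite.net",
    ".fastly.net", ".azureedge.net", ".cdn.cloudflare.net",
    ".wscdns.com", ".cdntip.com",
)


def resolve_a(domain: str) -> Set[str]:
    """Live IPv4 lookup through the local resolver (one vantage point only)."""
    return {info[4][0] for info in socket.getaddrinfo(domain, 80, socket.AF_INET)}


def cname_is_cdn(cname: str) -> bool:
    """True when the CNAME target ends in one of the known CDN suffixes."""
    name = cname.rstrip(".").lower()
    return any(name.endswith(suffix) for suffix in KNOWN_CDN_SUFFIXES)


def classify(answers: Dict[str, Set[str]], cname: str = "") -> Tuple[str, List[str]]:
    """answers maps a vantage point (region) to the A records seen from there.

    Returns (verdict, reasons) with verdict in {'cdn', 'likely_cdn',
    'no_cdn_evidence'}. One vantage point returning several IPs is a weak
    signal: round-robin load balancing produces the same answer. Different
    answers from different regions, or a CNAME into a known CDN, are strong.
    """
    reasons: List[str] = []
    if cname and cname_is_cdn(cname):
        reasons.append(f"CNAME {cname} points into a known CDN")
    sets = list(answers.values())
    union: Set[str] = set().union(*sets) if sets else set()
    if len(sets) >= 2 and any(s != sets[0] for s in sets[1:]):
        reasons.append("different vantage points resolved to different IPs")
    if reasons:
        return "cdn", reasons
    if len(union) > 1:
        reasons.append(f"{len(union)} A records from one vantage point (could be round-robin)")
        return "likely_cdn", reasons
    return "no_cdn_evidence", reasons


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    # "local" is a placeholder vantage name; add the per-region results from
    # the ping services as further keys to get the strong signal.
    print(classify({"local": resolve_a(domain)}))
```

Feed `classify` the per‑region results from the ping services rather than a single local lookup; the single‑vantage path can only ever return the weak "likely_cdn" verdict.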
Bypassing CDN to Find the Real IP
Several practical techniques can be combined to uncover the origin address:
Same‑country IP access : Resolve and request the site from an IP located in the same country as the target. Some CDN deployments only front traffic from certain regions, so the DNS answer seen from another vantage point may be the origin server rather than an edge node.
Sub‑domain enumeration : Many sub‑domains are not covered by the CDN. Gather sub‑domains with tools like subfinder or amass, resolve them, and look for any that land outside the CDN's address space; such hosts often sit on the same server or network as the origin.
PHP information leaks : Accessing phpinfo.php or other PHP probe pages exposes server configuration, including values such as SERVER_ADDR, which can reveal internal or origin IPs.
DNS history lookup : Services such as https://dnsdb.io/zh‑cn/, https://x.threatbook.cn/, http://toolbar.netcraft.com/site_report?url=, and http://viewdns.info/ provide historical DNS records that may contain the IP the domain used before it was moved behind the CDN.
FOFA / Shodan search : Extract the page title or a distinctive body string, then query FOFA (e.g., title="example") or Shodan (e.g., http.title:"example") to locate other hosts that serve the same content; a hit that answers with the same page when requested directly by IP is often the origin.
Email reverse lookup : Register an account on the target site, trigger a password‑reset email, and read the Received: headers of the message to obtain the IP of the server that sent it. If the site sends its own mail, that address is on or next to the origin; if it uses a hosted mail provider, you only learn the provider's IP. Temporary email services can be used to avoid exposing personal addresses.
Full‑network scanning : When other methods fail, run a large‑scale scan using scripts such as https://github.com/boy-hack/w8fuckcdn (full‑network scanner) or the E‑language version https://github.com/Tai7sy/fuckcdn. These request every IP in the chosen ranges with the Host header set to the target domain and compare the response with the CDN‑served page; narrowing the ranges to the hosting provider's or country's allocations keeps the scan tractable.
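The collection and verification steps above share one pattern: gather candidate addresses, then confirm a candidate by requesting the target's page from that IP directly with the Host header set. The following is an added example, not code from the article or from the scanners it links. The password‑reset message is constructed, using RFC 5737 documentation addresses and one RFC 1918 address, so the header parsing runs offline; `probe()` performs a real HTTP request and is only called from the usage section at the bottom, and the candidate range and reference fingerprint there are placeholders.

```python
"""Collect origin-IP candidates and verify them with Host-header probes (added example)."""
import email
import hashlib
import http.client
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

Fingerprint = Tuple[int, str, str]  # (status, <title>, sha256 prefix of body)

# Constructed sample: the two Received: lines a reset mail might carry.
SAMPLE_RESET_MAIL = """\
Received: from mx.example.net (mx.example.net [198.51.100.20])
    by inbox.tempmail.example (Postfix) with ESMTP id 4F1A2; Mon, 1 Jan 2024 10:00:01 +0000
Received: from app01.internal (unknown [10.0.5.7])
    by mx.example.net (Postfix) with ESMTP id 9C3B1; Mon, 1 Jan 2024 10:00:00 +0000
From: noreply@example.net
Subject: Password reset

Use the link below to reset your password.
"""

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_TITLE = re.compile(rb"<title[^>]*>(.*?)</title>", re.I | re.S)
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_ips(raw_message: str) -> List[str]:
    """Bracketed IPs from Received: headers, in header order.
    Each MTA prepends its own line, so the first entry is the hop nearest
    your mailbox and the last entry is the server that originated the mail."""
    msg = email.message_from_string(raw_message)
    hits = [_BRACKET_IP.search(h) for h in msg.get_all("Received", [])]
    return [m.group(1) for m in hits if m]


def is_internal(ip: str) -> bool:
    """RFC 1918/loopback hops are not routable but still leak internal topology."""
    return any(ipaddress.ip_address(ip) in net for net in _INTERNAL)


def expand_ranges(cidrs: Iterable[str]) -> List[str]:
    """CIDR blocks (e.g. a hosting provider's allocations) to a brute-force list."""
    hosts: List[str] = []
    for cidr in cidrs:
        hosts.extend(str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts())
    return hosts


def extract_title(body: bytes) -> str:
    m = _TITLE.search(body)
    return m.group(1).strip().decode("utf-8", "replace") if m else ""


def fingerprint(status: int, body: bytes) -> Fingerprint:
    return status, extract_title(body), hashlib.sha256(body).hexdigest()[:12]


def matches(candidate: Fingerprint, reference: Fingerprint) -> bool:
    """Status and title must agree and the title must be non-empty, so a default
    web-server page or an empty 200 on a random IP is not a hit. Body hashes
    are kept for reporting but not required: CSRF tokens and timestamps make
    otherwise identical pages hash differently."""
    return candidate[0] == reference[0] and candidate[1] == reference[1] and bool(reference[1])


def probe(ip: str, host: str, path: str = "/", timeout: float = 5.0) -> Optional[Fingerprint]:
    """GET `path` from `ip` directly with Host: set to the target domain.
    HTTP only; an HTTPS probe additionally needs SNI set to `host`."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        return fingerprint(resp.status, resp.read(65536))
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def find_origin(candidates: Iterable[str], host: str, reference: Fingerprint) -> List[str]:
    """Probe every candidate and keep those that serve the same page as the CDN does."""
    return [ip for ip in candidates
            if (fp := probe(ip, host)) is not None and matches(fp, reference)]


if __name__ == "__main__":
    # Candidates: public hops from the reset mail plus a placeholder range.
    mail_hops = [ip for ip in received_ips(SAMPLE_RESET_MAIL) if not is_internal(ip)]
    candidates = mail_hops + expand_ranges(["198.51.100.0/28"])
    # The reference is the fingerprint of a normal request to the domain
    # (served by the CDN); the values here are placeholders.
    reference = (200, "Example Site", "deadbeefcafe")
    print(find_origin(candidates, "www.example.net", reference))
```

Take the reference fingerprint from a normal request to the domain first, then run the scan; a candidate that returns the same status and title when addressed directly by IP is serving the site without the CDN in front of it.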
Useful Resources
http://www.cdnplanet.com/tools/cdnfinder/
http://www.ipip.net/ip.html
https://dnsdb.io/zh‑cn/
https://x.threatbook.cn/
http://toolbar.netcraft.com/site_report?url=
http://viewdns.info/
https://github.com/boy-hack/w8fuckcdn
https://github.com/Tai7sy/fuckcdn
Conclusion
In real‑world assessments most primary sites are protected by CDNs, so applying the detection and bypass techniques above to retrieve the underlying server IP is a prerequisite for deeper vulnerability analysis; without it, scans and exploits land on the CDN edge rather than on the target.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.