How to Detect and Bypass CDN to Reveal a Website’s Real IP

This guide explains why CDNs hide a site's true IP, how to determine if a website uses a CDN, and outlines practical techniques—including DNS queries, online tools, sub‑domain analysis, email reverse lookup, and scanning scripts—to bypass the CDN and discover the real server address.

MaGe Linux Operations

0x01 Introduction

During the information‑gathering phase of penetration testing, after identifying the target's main site, it is often necessary to obtain the site’s real IP address for deeper reconnaissance. Most modern websites deploy a Content Delivery Network (CDN) to distribute resources to edge servers, balance load, reduce congestion, and improve user access speed.

CDN (Content Delivery Network) is an intelligent virtual network built on top of the existing Internet infrastructure. By deploying edge servers worldwide and using load‑balancing, content distribution, and scheduling functions, CDNs let users fetch content from nearby locations, reducing congestion and improving response speed. The key technologies involve content storage and distribution.

While CDNs provide convenience for users, they also pose a challenge for security researchers because the IP address returned is often that of a virtual edge node, which yields little useful information. Therefore, bypassing the CDN to obtain the real IP is essential.

0x02 Determining CDN Presence

How can we tell if a website is behind a CDN?

1. CMD commands: Use nslookup. If the domain resolves to multiple IP addresses, it is likely using a CDN.

2. Online services: Query various online tools that perform multi‑region ping tests and compare the returned IPs. Consistent IPs across regions suggest no CDN; varied IPs indicate a CDN.

3. Online CDN detection tools (examples):

http://www.17ce.com
http://ping.chinaz.com
http://ping.aizhan.com
http://ce.cloud.360.cn

4. Additional online utilities for IP and DNS history, CDN checks, etc. (see the recommended URLs section).

0x03 Bypassing CDN to Find the Real IP

1. Access from the same country: If the target site is hosted in the US, accessing it from a US‑based IP may return the real server IP instead of the CDN edge IP.

2. Sub‑domain investigation: Some sub‑domains may not be covered by the CDN due to cost or oversight. Enumerate sub‑domains with tools, then probe them for real IPs.

3. PHP info probes: Files like phpinfo.php or other PHP probes left on the server can leak configuration details, including the real IP.

4. Google dorking: Use queries such as inurl:phpinfo.php or inurl:xxxxxx to locate exposed PHP info pages.

5. DNS record history: Examine historical DNS records to find IPs used before CDN deployment. Useful services include:

https://dnsdb.io/zh-cn/   # DNS query
https://x.threatbook.cn/   # Historical DNS records
https://toolbar.netcraft.com/site_report?url=
https://viewdns.info/
https://tools.ipip.net/cdn.php   # CDN‑related IP analysis
http://ipchaxun.com/

6. Search engines like FOFA: Extract the website’s title tag and search FOFA with title:"keyword" or body:"keyword" to locate indexed sites that may reveal the real IP.

7. Email reverse lookup: Use the “forgot password” feature or RSS subscription to trigger an email from the target’s mail server. Capture the email with a temporary mailbox and extract the originating IP address.

8. Full‑network scanning: When other methods fail, employ scanning scripts to enumerate the target’s IP space. Example scripts:

https://github.com/boy-hack/w8fuckcdn   # Full‑network scan script
https://github.com/Tai7sy/fuckcdn   # E‑language version
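
Seen from the site owner's side, the sub‑domain and DNS‑record items above are a DNS hygiene problem: any hostname in your own zone that resolves outside the CDN's edge ranges discloses an origin address. The following added example (not part of the original article) audits a zone export for such records. The CDN ranges, hostnames and addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation-range addresses stand in for the CDN
# provider's published edge ranges and for an export of our own DNS zone.
CDN_RANGES = ["198.51.100.0/24", "203.0.113.0/25"]
ZONE_EXPORT = """\
www.example.com.     A  198.51.100.10
www.example.com.     A  203.0.113.20
static.example.com.  A  198.51.100.77
mail.example.com.    A  192.0.2.15
dev.example.com.     A  192.0.2.15
old.example.com.     A  203.0.113.200
"""


def parse_zone(text):
    """Return {hostname: set of addresses} from 'name A address' lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            name = parts[0].rstrip(".").lower()
            records.setdefault(name, set()).add(ipaddress.ip_address(parts[2]))
    return records


def multi_address_hosts(records):
    """Hosts with several A records: the nslookup hint from section 0x02."""
    return sorted(name for name, ips in records.items() if len(ips) > 1)


def exposed_addresses(records, cdn_ranges):
    """Map each address outside every CDN range to the hostnames publishing it."""
    nets = [ipaddress.ip_network(r) for r in cdn_ranges]
    exposed = {}
    for name, ips in sorted(records.items()):
        for ip in sorted(ips):
            if not any(ip in net for net in nets):
                exposed.setdefault(str(ip), []).append(name)
    return exposed


if __name__ == "__main__":
    zone = parse_zone(ZONE_EXPORT)
    print("multiple A records:", multi_address_hosts(zone))
    for ip, names in exposed_addresses(zone, CDN_RANGES).items():
        print(f"{ip} is published outside the CDN by: {', '.join(names)}")
```

Each flagged record is a candidate for moving behind the CDN or, where a service such as mail cannot be proxied, for hosting on an address separate from the web origin.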

Recommended URLs

http://www.cdnplanet.com/tools/cdnfinder/

http://www.ipip.net/ip.html

Conclusion

In practice, most main sites encountered during testing are protected by CDNs, making the discovery of the server’s real IP a critical step for further exploitation.
