Origin IP Finder — Discover Server IP Behind CDN

Firewall allow lists, WAF bypass assessments, and direct-origin DDoS tests require knowing addresses outside CDN anycast pools. Security researchers document whether origin IPs leak through historical DNS when operators forgot to remove old A records after enabling proxy orange-cloud modes.

Legitimate owners audit their own exposure — origin should accept traffic only from CDN IP ranges, not the entire internet. This tool highlights candidate addresses warranting manual verification in CDN dashboards and DNS consoles.

Before interpreting origin candidates, we detect whether CDN headers indicate Cloudflare, Amazon CloudFront, Fastly, Akamai, BunnyCDN, or similar edge layers. cdnDetected true with zero candidates means masking may be effective — or passive DNS simply lacks history.

cdnSignals object exposes individual header matches for manual verification when automated provider name assignment is uncertain.

Passive DNS archives past IP assignments when crawlers observed DNS changes. originCandidates filters historical IPv4 addresses not present in today's A record set — the heuristic assumes CDN adoption replaced direct A records pointing at origin.

Migrating between hosts without CDN also changes A records — old IPs appear as candidates but may be decommissioned servers. Cross-check with ip-history-lookup and live port scans only on authorized targets.

Zero candidates with CDN detected suggests either clean masking or empty passive DNS coverage. Zero candidates without CDN may mean the site always used CDN or history APIs returned no rows. Multiple candidates require prioritization — newest historical dates and hosting org metadata help rank likelihood.

Summary text states count explicitly so ticket templates stay consistent across analysts.

Cloudflare proxied domains resolve to Cloudflare anycast ranges on current A records while origin sits elsewhere. Historical IPs predating Cloudflare enrollment often reveal pre-proxy hosting addresses — still verify those servers respond before assuming active origin.

DNS-only grey-cloud subdomains sometimes leak origin in sibling records — compare full DNS zone exports outside this tool when authorized.

Test only domains you own or have written permission to assess. Using discovered origins to attack systems without authorization violates computer crime laws globally. Penetration testers should stay within scope documents listing domain names explicitly.

Our note reminds users that heuristic discovery is not exploitation — confirm with DNS provider audit trails.

Standalone CDN detector accepts any URL for header-only checks. IP to hosting provider identifies org on candidate IPs. Dedicated server detector assesses whether candidates sit on shared or isolated infrastructure before allowlisting.

Shodan quick view adds port exposure context on confirmed origin IPs during authorized assessments.

Once origin is confirmed, restrict inbound 443 and 80 to CDN published IP ranges per vendor documentation. Block direct origin access to prevent SSL bypass and cache poisoning paths that ignore CDN WAF rules.

Re-run origin finder after infrastructure migrations — candidates change when DNS updates propagate.

Free passive DNS snapshots miss recent changes and obscure low-traffic domains. Historical dates may be absent — ip entries still useful but temporal ranking harder. Commercial passive DNS feeds exceed our API coverage for enterprise investigations.

AAAA history is out of scope — IPv4 candidates only in current implementation.

Extended API action origin-ip-finder accepts url or domain parameter. Parse originCandidates array, cdnDetected, cdnProvider, and currentIps in automation — never auto-firewall without human approval.

Log historicalIps raw entries for audit replay when candidates later prove false positives.