CloudFlare is a freely available service that offers CDN and caching functionality. In order to use CloudFlare a domains DNS will be updated to send all traffic through CloudFlare, as a result it will hide the IP address of the actual web server where the website is hosted in order to provide various protections.
By doing this, CloudFlare essentially hides the real IP address of the web server that is hosting the website. There are many times that we may wish to be able to find the actual IP address of a server behind CloudFlare, such as during a penetration test you may want to bypass the web application firewall (WAF) completely by directly targeting the server itself.
The simple methods outlined here will show you how to find the real IP address of a website that is hidden behind CloudFlare. First we’ll cover the manual methods that can be used so that you understand what is going on before looking at automated options. Along the way we provide mitigations that can be used in order to protect yourself from these methods.