Millions of websites use Cloudflare as a reverse proxy. When you visit a Cloudflare-protected site, you connect to Cloudflare's servers — not the origin server. This hides the real server IP from attackers and the public. But the real IP sometimes leaks through various channels.
How Cloudflare Protection Works
Cloudflare sits between visitors and the origin server. All traffic goes through Cloudflare's network, which provides DDoS protection, CDN caching, and IP masking. The DNS records for the domain point to Cloudflare's anycast IPs, not the real server.
Why the Real IP Sometimes Leaks
- Historical DNS records — If the domain was publicly accessible before enabling Cloudflare, the original IP may appear in historical DNS databases like SecurityTrails or Shodan.
- Subdomain exposure — Subdomains like mail.domain.com or ftp.domain.com often bypass Cloudflare and expose the real IP directly.
- SSL certificate records — Certificate Transparency logs contain all issued certificates. Old certificates issued before Cloudflare may reveal the origin IP.
- Email headers — Email sent from the site's server contains the real IP in its headers (SPF records, Received headers).
- Misconfigured origin — If the origin server allows connections from any IP (not just Cloudflare's ranges), a direct IP scan may find it.
How to Look Up the Real IP
Use Anonymiz Cloudflare Resolver — enter any domain to attempt to resolve the real origin IP using multiple detection methods. Free, no account needed.
How to Properly Secure Your Origin
If you use Cloudflare, configure your origin server to only accept connections from Cloudflare's IP ranges. Block all other inbound connections on ports 80 and 443. This prevents direct attacks even if your origin IP is discovered.
