The Real IP Behind CDN: Exposure Vectors, Detection Methods, and Origin Protection Guide

A growing number of websites use CDNs for speed and DDoS protection. But if the origin server's real IP is exposed, attackers can bypass the CDN entirely.

Illustration: CDN origin exposure paths and protection diagram

How CDNs Work

  1. User Request
  2. DNS → CDN
  3. CDN Edge Node
  4. Origin Pull
  5. Response

7 Ways Real IPs Get Exposed

| # | Vector | How | Risk |
|---|--------|-----|------|
| 1 | DNS History | Pre-CDN A records cached by SecurityTrails | High |
| 2 | Subdomains | mail/ftp resolve directly to origin | High |
| 3 | Certificate Transparency | Censys shows which IPs serve your cert | Med |
| 4 | Email headers | Received headers reveal origin IP | Med |
| 5 | SSRF | Callbacks make server connect to attacker | Med |
| 6 | IPv6 not behind CDN | AAAA records point to origin | High |
| 7 | Direct IP access | Default page matched by Shodan | Med |

Detection Methods

Method 1: DNS History

# SecurityTrails API - query historical DNS records
curl "https://api.securitytrails.com/v1/history/example.com/dns/a" \
  -H "apikey: YOUR_API_KEY"

# Example output:
# 2024-01-15: 203.0.113.42  <-- Real IP before CDN setup
# 2024-03-01: 104.18.32.5   <-- CDN node IP (Cloudflare)

Method 2: Subdomain Enumeration

# Enumerate subdomains with subfinder
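subfinder -d example.com -silent | while read -r sub; do
  # dig +short prints CNAME targets before addresses; keep only the first IPv4 address
  ip=$(dig +short "$sub" A | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
  echo "$sub -> $ip"
done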

# Common finds:
# mail.example.com -> 203.0.113.42   ⭐ Origin IP!
# ftp.example.com  -> 203.0.113.42   ⭐ Origin IP!
# www.example.com  -> 104.18.32.5    CDN node

Method 3: Certificate Reverse Lookup

# Search Censys for IPs serving a specific domain's certificate
# Query: services.tls.certificates.leaf.names: example.com
# Results may reveal non-CDN IPs serving that certificate

⚠️ Warning: Do not actively probe or attack sites you don't own. These methods are for self-security audits only. Unauthorized probing may violate applicable laws.

🛡️ Origin IP Protection Checklist:

  1. Migrate origin IP after CDN setup
  2. Route ALL subdomains through CDN
  3. Use third-party email services
  4. Firewall whitelist: CDN IPs only on 80/443
  5. Return 444 on direct IP access
  6. IPv6 behind CDN too

CDN Provider Comparison

Feature | Cloudflare | CloudFront | Akamai | Fastly
Origin hiding
DDoS: ✅ Free, ✅ Shield
WAF
Free plan

Self-Audit Checklist

  1. Search SecurityTrails for historical DNS
  2. Enumerate subdomains with subfinder
  3. Search Censys for certificate matches
  4. Use ipinfo.im CDN Real IP Detection tool
  5. Check outbound email Received headers
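
An added example (not from the original page): a small Python check for items 2 and 6 of the protection checklist, which takes the hostname/address pairs produced by resolving your own zone and flags every A or AAAA record that falls outside the CDN's published ranges. The `CDN_RANGES` subset, the function names and the sample records are assumptions constructed for illustration; load the current range list from your provider before relying on the result.

```python
import ipaddress

# Assumption: a partial sample of Cloudflare's published ranges; replace with
# the current IPv4 and IPv6 lists from your own CDN provider.
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
    "2606:4700::/32", "2400:cb00::/32",
)]

# Constructed sample input: (hostname, record type, value) from resolving your
# own zone, reusing the sample addresses from the detection output above.
SAMPLE_RECORDS = [
    ("www.example.com", "A", "104.18.32.5"),
    ("www.example.com", "AAAA", "2001:db8::42"),          # IPv6 left on origin
    ("mail.example.com", "A", "203.0.113.42"),
    ("ftp.example.com", "A", "203.0.113.42"),
    ("api.example.com", "AAAA", "2606:4700::6812:2005"),
    ("old.example.com", "A", "old.example.com.cdn.example.net."),  # CNAME text
]

def behind_cdn(value, ranges=CDN_RANGES):
    """True/False if value is an IP inside/outside the ranges, None if unparsable."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return any(ip.version == net.version and ip in net for net in ranges)

def audit(records, ranges=CDN_RANGES):
    """Group records into exposed (bypass the CDN), covered, and unparsed."""
    report = {"exposed": [], "covered": [], "unparsed": []}
    for host, rtype, value in records:
        verdict = behind_cdn(value, ranges)
        key = "unparsed" if verdict is None else "covered" if verdict else "exposed"
        report[key].append((host, rtype, value))
    return report

def shared_origins(report):
    """Map each exposed address to the hostnames that leak it."""
    origins = {}
    for host, _rtype, value in report["exposed"]:
        origins.setdefault(value, []).append(host)
    return origins

if __name__ == "__main__":
    result = audit(SAMPLE_RECORDS)
    for ip, hosts in shared_origins(result).items():
        print(f"EXPOSED {ip} via {', '.join(hosts)}")
```

Every hostname in the `exposed` group needs to be moved behind the CDN or retired, and an address that several names share is the one to migrate after the cleanup.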