Investigator Use
CloudFail is an open-source Python tool available on GitHub that attempts to identify the real IP addresses of websites hidden behind Cloudflare's CDN and DDoS protection service. By querying DNS history databases, certificate transparency logs, and other passive sources, CloudFail can surface the origin server IP that a website operator intended to conceal.
For OSINT investigators, CloudFail addresses a specific intelligence gap: when a target website uses Cloudflare or similar CDN providers, the IP address returned by DNS lookup is the CDN's infrastructure, not the origin server. The origin server IP is where the actual hosting occurs and is the critical data point for legal process, hosting provider identification, and infrastructure analysis.
CloudFail's approach combines multiple bypass techniques: historical DNS records that predate Cloudflare activation (when the domain previously resolved directly to the origin), certificate transparency logs that may contain the origin server's certificate, and direct subdomains that the operator forgot to route through Cloudflare (development servers, mail servers, and staging environments often resolve directly).
Subdomain enumeration is one of CloudFail's most reliable techniques — operators frequently configure Cloudflare for their main domain while leaving subdomains (dev.company.com, mail.company.com, staging.company.com) pointing directly at the origin IP. These unprotected subdomains expose the origin server.
For law enforcement investigations and authorized penetration testing, identifying the true hosting IP allows investigators to determine the appropriate hosting provider to contact for records, identify the data center and jurisdiction where the server operates, and understand the full infrastructure behind a target web presence.
Limitations: Cloudflare IP bypassing is not guaranteed — organizations that have always used Cloudflare and consistently routed all subdomains through it will not have exposed origin IPs in historical records. CloudFail is a reconnaissance tool and results should be validated before use.
Document authorization scope, tool version, target domain, techniques attempted, and any origin IPs discovered.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
APNIC
IP Address OSINT
A global, open, stable, and secure Internet that serves the entire Asia Pacific community
Abuse IP DB
IP Address OSINT
AbuseIPDB provides IP reputation data and community abuse reports for identifying malicious hosts in network and threat investigations.
Censys Search
IP Address OSINT
Internet-wide search interface for hosts and certificates with large-scale host, service, and virtual host coverage plus API access.
Criminal IP
IP Address OSINT
Criminal IP delivers AI-powered IP threat intelligence, attack surface data, and fraud detection for cyber threat investigations.
DNS dumpster
IP Address OSINT
Free domain research tool to discover hosts related to a domain. Find visible hosts from the attacker's perspective for Red and Blue Teams.
Domain/IP lookup
IP Address OSINT
InfoByIP provides bulk IP and domain lookups returning geolocation, ASN, hostname, and WHOIS data for multiple targets simultaneously.