How to Determine If a Website Uses a CDN

0x01 Preface

During the reconnaissance phase of a penetration test, after identifying a target website, it is often necessary to obtain the website's real IP address for further information gathering. However, most mainstream sites deploy a CDN, which distributes resources to edge servers to balance load, reduce network congestion, and improve user access speed.

What Is a CDN

CDN stands for Content Delivery Network. A CDN is a virtual network built on top of existing infrastructure that relies on edge servers deployed in various locations and a central platform for load balancing, content distribution, and scheduling. It helps users retrieve nearby content, reduces network congestion, and improves response time and cache hit rate. Key CDN technologies include content storage and distribution.

Why Bypass a CDN

While CDN deployment brings convenience to users, it presents a challenge for security testers. If a site uses a CDN, the IP address you obtain is usually a distributed virtual node, and information collected from that node is often not useful. Therefore, it is necessary to bypass the CDN to find the website's real IP.

0x02 Detecting CDN Presence

How can we determine whether a website is using a CDN?

1. Use command-line tools

Use nslookup. If a domain resolves to multiple IP addresses, it is likely using a CDN.

2. Use online multi-region ping services

Use an online service to perform pings from multiple regions, then compare the IPs returned from each region. If the results are identical across regions, the site is unlikely to be behind a CDN. If IPs vary significantly or show no clear pattern, check the IP ownership or geolocation to determine whether a CDN is involved. For example, using a multi-region ping service to ping a large search engine often shows results consistent with CDN deployment.

0x03 Bypassing CDN to Find the Real IP

1. Access from same-country IPs

If a site is hosted in the United States, accessing it from a local IP may return the CDN edge IP. Using an IP located in the same country as the origin server can sometimes return the origin IP instead of the CDN IP.

2. Subdomain enumeration

The main site may be covered by CDN, but some secondary or subdomains might not be routed through the CDN due to cost or oversight. Collect subdomains with enumeration tools and check those subdomains for origin IP disclosure.

3. Look for phpinfo or PHP probes

During development, developers may forget to remove PHP probes such as phpinfo.php, which can leak information. Use search engine queries to find such pages, for example:

inurl:phpinfo.php inurl:xxxxxx

4. DNS and historical records

Check DNS records and historical bindings between IP addresses and the domain. Historical records may show the origin IP before CDN deployment.

5. Use indexing/search platforms

Use indexing engines to extract the site's title or body features and search for them. For example:

title = "xxxxxxx"

Search results can provide IPs that you can compare with DNS history. Tools such as Shodan, FOFA, and historical DNS services can help. For FOFA, use queries like title:"site title keywords" or body:"site body features" to find recorded IPs and domains, which often reveal the origin IP.

6. Email-based tracing

Many sites provide password recovery or subscription emails. For websites in China, registration plus a password recovery or email subscription can produce an email from the site's mail server. Use a disposable email address if you do not want to expose a personal address. The received email headers can reveal the mail server IP.

7. Internet-wide scanning

This approach is time-consuming but can be used when other methods fail. Use scanning scripts to search broadly for exposed services or IPs related to the target.