How to identify the real IP address of a server to bypass Sucuri, Cloudflare or other WAFs

Several websites use Web Application Firewall (WAF) solutions such as Sucuri, Cloudflare and Incapsula to protect themselves from hackers; however, not all of these website owners have implemented the WAF solution perfectly.

When implementing a WAF, the website owner changes the website's DNS A record to the WAF's IP address, so that all traffic that hits the domain name is sent to the WAF and filtered before it reaches the actual website. But they fail to protect against traffic from hackers that comes in via the actual server IP address.

Before I proceed with the options for tracing the real IP address of websites protected by a WAF, here is a nice security article that explains how to securely deploy a WAF for your website or server.

best deployment of WAF

Download and install ‘Bypass Firewalls by DNS History’ from GitHub

This tool retrieves the real IP address of a server behind a WAF. Refer to the GitHub repository for Bypass Firewalls by DNS History.

Scan for real IP address of server

The script retrieves the DNS ‘A’ record history for a specific domain and checks whether the server replies for that domain. The beauty here is that the tool gives a confidence level for each identified IP address. The confidence level is basically a comparison of how similar the response received from the IP address is to the response received from the WAF.

# bash -d <domain_name>
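The confidence comparison described above, turned into a self-audit of your own site's former A-record IPs. This is an added example, not code from the original post or from the tool: the `difflib` similarity measure, the 80% threshold, the function names and the sample IPs and pages are all assumptions made for illustration.

```python
"""Self-audit: do former A-record IPs of your own site still serve it directly?"""
from difflib import SequenceMatcher


def similarity(waf_body: str, direct_body: str) -> int:
    """Percent similarity (0-100) between the page served through the WAF
    and the page an IP returns when it is contacted directly."""
    # autojunk=False disables difflib's popular-element heuristic, which
    # otherwise applies to sequences of 200 or more items (typical for HTML).
    matcher = SequenceMatcher(None, waf_body, direct_body, autojunk=False)
    return round(matcher.ratio() * 100)


def audit(waf_body, direct_bodies, threshold=80):
    """direct_bodies maps IP -> body returned for a direct request for the
    site, or None when the IP refused the connection or timed out.
    Returns (ip, score, verdict) tuples, most similar first."""
    findings = []
    for ip, body in direct_bodies.items():
        if body is None:
            findings.append((ip, 0, "no direct answer"))
            continue
        score = similarity(waf_body, body)
        # A near-copy of the WAF-served page means this IP still serves
        # the site to clients that never passed through the WAF.
        verdict = "EXPOSED" if score >= threshold else "different content"
        findings.append((ip, score, verdict))
    return sorted(findings, key=lambda f: f[1], reverse=True)


# Constructed sample data (documentation IP ranges, made-up pages).
WAF_BODY = ("<html><head><title>Example Shop</title></head>"
            "<body><h1>Welcome</h1><p>Catalogue</p></body></html>")
SAMPLE_BODIES = {
    "203.0.113.10": WAF_BODY.replace("Catalogue", "Catalogue 2"),  # old origin
    "203.0.113.20": "<html><body><h1>403 Forbidden</h1></body></html>",
    "198.51.100.7": None,  # firewall drops traffic that is not from the WAF
}

if __name__ == "__main__":
    for ip, score, verdict in audit(WAF_BODY, SAMPLE_BODIES):
        print(f"{ip:15} {score:3d}%  {verdict}")
```

An IP reported as EXPOSED still answers for the site without the WAF in front of it, which is the gap described at the start of this post.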

Scan for real IP address of subdomains

# bash -d <domain_name> -a

Save results in a text file

There are a few more options available. To save the results (IP addresses) in a text file, results.txt:

# bash -d <domain_name> -a -o results.txt

Scan our own list of subdomains

In addition to the subdomains detected by the tool, you can also specify your own list of additional subdomains.

# bash -d <domain_name> -a -o results.txt -l subdomainlist.txt

Apart from this tool, there are online websites that do a similar job –, , and
