Why does the result say "likely" instead of "definitely"?

**Confidence reflects how many independent sources agreed**. "Definitely" needs an unambiguous signal: a `CF-Ray` header (only Cloudflare emits it), an `X-Amz-Cf-Id` (only CloudFront), an `X-Vercel-Id` (only Vercel). **"Likely"** means one strong source, e.g. an IP-range match against `104.16.0.0/12` or a Server: cloudflare header. **"Possibly"** is a weak hint, e.g. a Server: nginx line that could be anyone running nginx. The label is conservative on purpose, no false promises.

Can Cloudflare really hide the origin server?

**Yes, that is the whole point** of Cloudflare in proxy mode. When the DNS record is **orange-clouded**, your A record resolves to a Cloudflare IP (104.16.x.x or 172.64.x.x), not to your real server. Visitors talk to Cloudflare, Cloudflare talks to your origin over a backchannel. **We have no way to reveal the real origin** from a public detector, that would defeat the protection. Common leaks (subdomain DNS not proxied, old SPF records, mail server IPs) need dedicated OSINT, not this tool.

What is a WAF, and why is the confidence often "likely"?

A **WAF (web application firewall)** filters HTTP traffic before it reaches your app, blocking SQL injection, XSS, suspicious bot patterns. **Cloudflare WAF**, **AWS WAF**, **Imperva Incapsula**, **Sucuri**, **Akamai Kona** are the big names. Detection is rarely "definitely" because WAFs are usually **silent by default** , they only emit telltale headers (`X-Sucuri-Id`, `X-Iinfo`, `__cf_bm` cookie) when a rule fires or bot-management is active. A passive scan of the homepage may not provoke that, so we say "likely WAF behind Cloudflare" rather than "100% confirmed".

How does the detection actually work under the hood?

Four parallel checks against the target domain: (1) **DoH (DNS over HTTPS)** to Cloudflare 1.1.1.1, fetching A and NS records, (2) an **HTTPS GET** to the root path with a Chrome user-agent, reading the response headers (CF-Ray, X-Amz-Cf-Id, Server, Via, X-Cdn, X-Powered-By, set-cookie patterns), (3) a **CIDR match** of the A record against embedded ranges for the major CDNs, (4) a **TLS handshake** to read the certificate issuer (Cloudflare Inc ECC CA-3 → Cloudflare, Amazon → AWS). Signals are then merged: agreement bumps confidence, conflicts keep the stronger source.

Why does Google's site sometimes show up as "Cloudflare DNS"?

Because **DNS provider and hosting are independent**. You can run Cloudflare DNS for the convenience of the dashboard while hosting on Google, AWS, or anywhere else. Likewise, a domain with **Route 53 NS records** is using AWS for DNS but may very well sit behind a Vercel edge. The detector reports each layer separately. If you see "DNS: Cloudflare, Hosting: AWS, CDN: CloudFront" that's perfectly valid, not a contradiction.

Why does GitHub Pages show "GitHub Pages" as hosting and "Fastly" as CDN?

Because **that is the truth**. GitHub Pages serves your repo from GitHub's infrastructure but routes traffic through **Fastly** as the public-facing CDN. The Server header reads `GitHub.com`, the Via header reveals `varnish`, and the IP belongs to Fastly's range. Same with Shopify (Cloudflare on top of their own infra), Netlify (Netlify Edge), Vercel (Vercel Edge Network). **One layer is the origin, the other is the cache.**

Are there false positives I should know about?

**Yes, a few common ones**. (1) The Server header is **user-controlled** , a site can fake it to say "nginx" while running Apache, or strip it entirely. (2) **Let's Encrypt** as the TLS issuer tells you nothing about hosting (anyone can use it), so we never classify hosting purely from a Let's Encrypt cert. (3) IP-range tables get stale: a freshly-launched CDN POP may not be in our embedded list, leading to a "possibly" instead of "likely". (4) Sites that **redirect to a different domain** (e.g. `example.com` → `www.example.com`) are followed once, so the final detection reflects the destination, not the original entry.

Does this work for any TLD or only mainstream domains?

**Any TLD that resolves over public DNS** works: `.com`, `.dev`, `.io`, `.co.uk`, `.pl`, modern `.app`, `.cloud`. We block **internal-looking suffixes** (`.local`, `.internal`, `.lan`, `.intranet`, `.corp`, `.home`, `.localhost`) as SSRF protection , our server is not going to probe somebody's private network. Literal IPs are also rejected: use a domain.

Is the request logged?

**No.** The route runs in Node.js memory: it pulls DoH, fetches the home page, opens a TLS handshake, and returns the result. Rate limiting (30 requests per hour per IP) is an in-memory map that resets on every cold start. **Nothing is persisted to disk or a database.** Your queries are not associated with your account because there is no account.

Cloud Provider / CDN Detector - free

What this detector does

This tool tells you who is actually running a given website: the hosting (origin server), the CDN sitting in front of it, the DNS provider, and a likely WAF (web application firewall). You type a domain, our server combines four independent detection sources, and you get a single panel with a confidence label next to every result.

The sources we use: NS records via DNS over HTTPS, the HTTP response headers of the live site, the A-record IP matched against known CDN ranges (Cloudflare, CloudFront, Fastly, Vercel), and the TLS certificate issuer. When several sources agree, confidence jumps from "likely" to "definitely".

How to use it

Type a domain: just the hostname, no scheme, no path. `vercel.com` works, `https://vercel.com/pricing` is cleaned up automatically.
Click Detect. The server runs four checks in parallel with a 10-second budget.
Read the four cards: Hosting, CDN, DNS provider, WAF. Each one carries a confidence: definitely (multiple sources agree), likely (one strong signal), possibly (weak hint only).
Open the Raw signals block to see the A and NS records, Server header, Via header, and TLS issuer that fed the detection.
Open the Evidence list to see the exact tag that triggered each result, e.g. `CF-Ray: 7f...` or `104.16.x.x in 104.16.0.0/12 (Cloudflare)`.
Try the sample chips (vercel.com, github.com, cloudflare.com, shopify.com) to see how a clean Vercel deploy, a GitHub Pages site, a Cloudflare-fronted site and a Shopify-hosted store each show up differently.

When this is useful

Concrete scenarios where this detector earns its keep:

Competitive research before pitching infrastructure: see whether your prospect runs Cloudflare in front, CloudFront, or a bare origin you can sell a CDN to.
Vendor verification when an agency tells you "we host on AWS": the TLS issuer plus IP range will confirm or contradict the claim.
Incident response during an outage: is the origin down or just the CDN? Knowing the provider tells you which status page to open (status.cloudflare.com vs health.aws.amazon.com).
Migration planning: before moving DNS from Route 53 to Cloudflare you want a baseline of who the incumbent providers were across each subdomain.
Security audits: confirm the WAF the customer claims to have ("we use Cloudflare") is actually serving traffic on the public hostname, not bypassed by a leaked origin IP.
Pricing leverage: knowing a competitor runs on Vercel vs AWS vs a bare VPS helps you size the conversation around cost and scale.

Questions and answers

A CDN (content delivery network) is a global cache that sits between your visitors and your origin server. Examples: Cloudflare, AWS CloudFront, Fastly, Akamai, Vercel Edge Network. Detecting it matters because: (1) the public IP of the site is the CDN edge, not your real server, (2) TLS termination happens at the edge, so the certificate you see is the CDN's, (3) caching rules and WAF protections live at the CDN, not at your origin. Without a CDN check you have no idea where to debug a 503 or a slow first byte.

What this detector does

How to use it

Type a domain: just the hostname, no scheme, no path. `vercel.com` works, `https://vercel.com/pricing` is cleaned up automatically.

Click Detect. The server runs four checks in parallel with a 10-second budget.

Read the four cards: Hosting, CDN, DNS provider, WAF. Each one carries a confidence: definitely (multiple sources agree), likely (one strong signal), possibly (weak hint only).

Open the Raw signals block to see the A and NS records, Server header, Via header, and TLS issuer that fed the detection.

Open the Evidence list to see the exact tag that triggered each result, e.g. `CF-Ray: 7f...` or `104.16.x.x in 104.16.0.0/12 (Cloudflare)`.

Try the sample chips (vercel.com, github.com, cloudflare.com, shopify.com) to see how a clean Vercel deploy, a GitHub Pages site, a Cloudflare-fronted site and a Shopify-hosted store each show up differently.

When this is useful

Concrete scenarios where this detector earns its keep:

Competitive research before pitching infrastructure: see whether your prospect runs Cloudflare in front, CloudFront, or a bare origin you can sell a CDN to.
Vendor verification when an agency tells you "we host on AWS": the TLS issuer plus IP range will confirm or contradict the claim.
Incident response during an outage: is the origin down or just the CDN? Knowing the provider tells you which status page to open (status.cloudflare.com vs health.aws.amazon.com).
Migration planning: before moving DNS from Route 53 to Cloudflare you want a baseline of who the incumbent providers were across each subdomain.
Security audits: confirm the WAF the customer claims to have ("we use Cloudflare") is actually serving traffic on the public hostname, not bypassed by a leaked origin IP.
Pricing leverage: knowing a competitor runs on Vercel vs AWS vs a bare VPS helps you size the conversation around cost and scale.

Questions and answers

Cloud Provider / CDN Detector

What this detector does

How to use it

When this is useful

Questions and answers

Related tools

DNS Lookup

SSL Certificate Inspector

WHOIS Lookup

HTTP Headers Inspector

IP Info / ASN Lookup

Cloud Provider / CDN Detector

What this detector does

How to use it

When this is useful

Questions and answers

Related tools

DNS Lookup

SSL Certificate Inspector

WHOIS Lookup

HTTP Headers Inspector

IP Info / ASN Lookup