Tool

Origin Finder

Reveal the real server hiding behind Cloudflare or a CDN. Uses only public data — certificate transparency logs, origin-leaking subdomains, and mail records — to trace a domain back to its true hosting server for security research and abuse reporting.

How it works

Why the origin hides — and how it leaks

When a site sits behind Cloudflare, every visitor sees a Cloudflare IP, not the real server. That protects legitimate sites — but scammers use it too, to hide where their phishing pages actually live. The real server is still out there; it just isn't named directly.

This tool checks the places the origin commonly leaks: certificate transparency logs (every SSL certificate ever issued is public), subdomains that admins forget to proxy (like direct, cpanel, or mail), and MX records, which usually point at the real mail host. Anything resolving outside Cloudflare's ranges is a candidate for the true origin. It then links you to the deeper certificate and historical-DNS searches the pros use.

Everything here is passive and public — no packets are sent to the target beyond a normal DNS lookup. If you find a malicious site, report it to the hosting provider, Cloudflare, and the impersonated brand. Don't try to access or attack the server yourself.