loading
loading
Recon
A utility to detect CDN, WAF, and cloud technology for a given IP address.
overview
cdncheck tells you whether an IP or hostname sits behind a CDN, a WAF, or a cloud provider. That label changes how you treat a target: a CDN edge is not the origin, a WAF shapes what scanners see, and a cloud IP may sit on shared infrastructure you should not probe blindly.
It matches addresses against maintained provider ranges and can name the service, from Cloudflare and Fastly to AWS and Azure. Match and filter flags keep or drop hosts by provider so you can split a list into edges to skip and direct origins worth scanning. JSONL output makes those decisions programmatic.
On Trickest, cdncheck is a Recon node that takes an IP, a DNS name, or a file of them and writes a file and a folder of results. Run it after resolution to tag your host list, then route only the non-CDN, non-WAF addresses into heavier scanning stages.
use cases
Classify a resolved host list so you know which addresses are edge nodes, which sit behind a WAF, and which are direct cloud or origin IPs.
Filter out CDN and WAF addresses so a port scanner or vulnerability scanner spends its time on origins rather than shared edge infrastructure.
Use the match flags to keep only hosts behind a named provider like Cloudflare or AWS when an assessment targets one platform.
Emit JSONL so downstream nodes branch on the CDN, WAF, and cloud labels automatically instead of relying on manual inspection.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input | STRING | -input | IP or DNS name to process. |
| inputs | FILE | -input | File of IPs or DNS names to process. |
| cdn | BOOLEAN | -cdn | Display only CDN hits in CLI output. |
| waf | BOOLEAN | -waf | Display only WAF hits in CLI output. |
| jsonl | BOOLEAN | -jsonl | Write output in JSON lines format. |
| match-cdn | STRING | -match-cdn | Match hosts behind a named CDN (cloudfront, fastly, google, leaseweb, stackpath). |
| match-waf | STRING | -match-waf | Match hosts behind a named WAF (akamai, cloudflare, incapsula, sucuri). |
| filter-cdn | STRING | -filter-cdn | Filter out hosts behind a named CDN provider. |
Showing key inputs. cdncheck exposes 21 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| cdn | BOOLEAN | -cdn | display only cdn in cli output |
| waf | BOOLEAN | -waf | display only waf in cli output |
| resp | BOOLEAN | -resp | display technology name in cli output |
| cloud | BOOLEAN | -cloud | display only cloud in cli output |
| input | STRING | -input | ip / dns to process |
| jsonl | BOOLEAN | -jsonl | write output in json(line) format |
| retry | STRING | -retry | maximum number of retries for dns resolution (must be at least 1) (default 2) |
| inputs | FILE | -input | list of ip / dns to process |
| silent | BOOLEAN | -silent | only display results in output |
| exclude | BOOLEAN | -exclude | exclude detected ip from output |
| verbose | BOOLEAN | -verbose | display verbose output |
| no-color | BOOLEAN | -no-color | disable colors in cli output |
| resolver | STRING | -resolver | list of resolvers to use (comma separated) |
| match-cdn | STRING | -match-cdn | match host with specified cdn provider (cloudfront, fastly, google, leaseweb, stackpath) |
| match-waf | STRING | -match-waf | match host with specified waf provider (akamai, cloudflare, incapsula, sucuri) |
| resolvers | FILE | -resolver | list of resolvers to use |
| filter-cdn | STRING | -filter-cdn | filter host with specified cdn provider (cloudfront, fastly, google, leaseweb, stackpath) |
| filter-waf | STRING | -filter-waf | filter host with specified waf provider (akamai, cloudflare, incapsula, sucuri) |
| match-cloud | STRING | -match-cloud | match host with specified cloud provider (zscaler, aws, azure, google, office365, oracle) |
| filter-cloud | STRING | -filter-cloud | filter host with specified cloud provider (zscaler, aws, azure, google, office365, oracle) |
| disable-update-check | BOOLEAN | -disable-update-check | disable automatic cdncheck update check |
example
# tag IPs and keep Cloudflare WAF hits as JSONLcdncheck -input hosts.txt -waf -match-waf cloudflare -resp -jsonl -silent198.51.100.10 [waf] [cloudflare]198.51.100.22 [cdn] [cloudfront]203.0.113.40 [cloud] [aws]203.0.113.55 [waf] [akamai]198.51.100.90 [cdn] [fastly]203.0.113.100 [cloud] [azure]guidance
Use cdncheck after resolution to label hosts as CDN, WAF, or cloud and to prune edge nodes before heavy scanning. It classifies addresses, it does not find the origin behind them, so for that pair it with hakoriginfinder. Run it before naabu or nuclei to focus those tools on real origins.
Tries to find the origin behind a proxy. cdncheck identifies that a proxy or WAF is present in the first place.
Fingerprints the specific WAF on a web target. cdncheck classifies CDN, WAF, and cloud by IP range.
Maps an organization to its netblocks. cdncheck tells you which of those IPs are CDN or cloud edges.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A host list feeds cdncheck, which tags CDN and WAF edges and passes the remaining origins to naabu so only direct IPs are port scanned into a queryable output.
Facts on this page come from the live Trickest tool library.