Uncovering bad guys hiding behind CloudFlare
by Daniel Brandt
PIR founder and president

CloudFlare-Watch, a project of Public Information Research, follows in the footsteps of other PIR projects. NameBase has been on the Internet since 1995. Google-Watch began in 2002 when no one else was criticizing Google. Scroogle started in 2005 and lasted until Google began throttling our servers in 2012.

At PIR we believe in privacy for passive users of the web (this is what Scroogle provided). But publishers on the web, as opposed to passive users who merely read pages, should be accountable. All CloudFlare customers are publishers, and many use CloudFlare because it encourages them to hide their original IP address. When they receive abuse complaints, CloudFlare resorts to diversions to pretend that they are acting responsibly — assuming that they respond at all. A refusal to embrace web accountability leads to cybercrime. That's why we use the term "CrimeFlare" to describe this company.

There are sites on the web that specialize in collecting registration and nameserver data. Several are serious research sites, while the rest are sites claiming that various domain names are worth big bucks in potential ad revenue, based on their traffic. CloudFlare maintains around 391 nameservers, and customers must change the nameservers on their registration in order to use most services. Each customer's domain is assigned two nameservers. This makes it easier to verify which domains depend on CloudFlare, and helps us keep our domain lists relatively current.

Since customers can fiddle with their nameserver records on CloudFlare's control panel, there is a huge amount of churn happening behind any research about domains that use CloudFlare. If connectivity seems intermittent, for example, a customer might set his control panel to bypass CloudFlare temporarily. CloudFlare does not handle email, and some customers need a special MX record for email. Subdomains are another source of confusion, as these records must be listed a certain way to keep them hidden. If the customer isn't careful, a "direct-connect" IP address might be publicly visible, and persist until the customer takes steps to keep it hidden.

Some domains ( 1,008,406 ) that recently used CloudFlare

If the direct-connect lookup failed, the domain is not shown with an IP address and country, but is simply shown with two nameservers. For example, a domain that shows "rita jeff" after it means that it was assigned nameservers rita.ns.cloudflare.com and jeff.ns.cloudflare.com. The current direct-connect count is 722,305. Our data is cumulatively updated every two weeks. Here is a 7.01MB zip file of only the domains with IP addresses, without the country lookup, that you can download and unzip. By scanning this file for specific IP addresses or netblocks, experienced researchers sometimes discover clues about who is hiding behind CloudFlare.

IP addresses may be current, or they may have been current as long ago as August 2012. Enter a domain in the search box below to see the date stamps of our IP address lookups. If the direct-connect fetch done by the search below is unsuccessful or inconclusive, this means that further research is needed to discover whether an IP address is still valid.

A second 5.97MB zip file lists all domains in our database, sorted by paired nameservers. Researchers use this to find additional domains on a single CloudFlare account, thereby developing more clues. A specific pair of nameservers yields a maximum of a few hundred domains from this list, making it possible to scan manually.

   000-514       515-acz       ada-all       alm-anz       aoa-aua       aub-baz       bba-bil       bim-boz       bpa-caa       cab-cdz       cea-cho       chp-cnz       coa-cot       cou-cyz       cza-dem       den-djz       dka-dyl       dym-emz       ena-exa       exb-fhz       fia-for       fos-fyz       fza-gih       gii-grz       gsa-hau       hav-hnz       hoa-hun       huo-imz       ina-isa       isb-jez       jfa-kar       kas-krz       ksa-led       lee-lnz       loa-maf       mag-mbz       mca-mim       min-moz       mpa-nam       nan-niz       nja-okv       okw-oyz       oza-per       pes-pnz       poa-pro       prp-raz       rba-rhe       rhf-rxz       rya-see       sef-shz       sia-sob       soc-ssz       sta-suo       sup-tdz       tea-thd       the-thz       tia-tra       trb-ukz       ula-vic       vid-waz       wba-wik       wil-wxz       wya-yka       ykb-zzz   

If you find a listing that interests you, or if you know of a domain that uses CloudFlare but is not listed, enter that domain in the search box. Several lookups will be done to see if a direct-connect IP address can be found. If so, a final test will try to fetch a page from that address. If that works, it will show the title from that page.

Enter a domain:            

It costs $22 USD a day to keep CloudFlare Watch online with updated domain listings. Since January 1, 2014 we have received $4604 in donations, while our budget requires $7788 for the same period. Donations are tax-deductible.    ( This box is updated daily. )


home page