CDN Detection - cisagov/findcdn GitHub Wiki

CDN Detection

In this section of the wiki, we discuss:

  • What a CDN is.
  • How our tool detects a CDN a domain uses.

What Is a CDN

A Content Distribution Network (CDN), sometimes also called a Content Delivery Network, is a set of servers spread across different geographical areas that deliver requested content quickly. The speed comes from having many servers that can cache and deliver content, since one of them may be closer to the requesting client than the server hosting the original resource.

Methods For Detecting CDNs

When requesting a resource or domain served through a CDN, you always contact the CDN endpoint before reaching the desired resource. Because of this, we can use a few techniques to accurately fingerprint which CDN a domain uses.

CNAME Based

A Canonical Name record (CNAME record) is a type of record in the Domain Name System (DNS) that creates an alias from one domain name to another. By observing a CNAME record, we can see the CDN domain name that the domain points to before it resolves to the desired resource. An easy way to demonstrate this is with the host command on a Unix system:

host -t cname domain.com

This returns any CNAME records that exist for that domain. For example, a Cloudflare domain, domain.com, has the following CNAME:

www.domain.com is an alias for www.domain.com.cdn.cloudflare.net.

We can then sub-string search the returned record against our list of CDN URIs. In this case the match is .cloudflare.net.

WHOIS Based

WHOIS uses the Internet Assigned Numbers Authority (IANA) database to report information about a given IP address and domain. When using WHOIS to find the CDN, we run it on the IP address that a given resource or domain is using. If the resource is using a CDN, the IP address will belong to one of the many endpoints that CDN has. Therefore, if we run a WHOIS lookup on an IP address and the endpoint returned is one that a CDN provider uses, we can deduce which CDN is being used. Furthermore, we can analyze different fields within the response to fingerprint the type of CDN. For example, the following command can be used to find Cloudflare domains:

$ whois 104.16.50.14 | grep "cloudflare\|CLOUDFLARE"
NetName:        CLOUDFLARENET
Comment:        All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
OrgNOCEmail:  [email protected]
OrgTechEmail:  [email protected]
OrgAbuseEmail:  [email protected]
RAbuseEmail:  [email protected]
RNOCEmail:  [email protected]
RTechEmail:  [email protected]

Server Header Based

Another method is to directly request the resource or data from the URI/URL and analyze the headers of the response; this can reveal any intermediate caching or servers used in tandem with the content received. Headers we use in the tool are:

  • server
  • via

These show us any server data or extraneous data that the server responds with, allowing us to sub-string search for any of the CDN URIs.
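
The three checks described above, combined in one classifier. This is an added example, not findcdn's own code: the marker list is a small constructed sample and the function names are hypothetical. The CNAME check uses a suffix match, a stricter variant of the sub-string search, so a name that merely contains a CDN domain in the middle does not match.

```python
# Constructed sample markers (assumption); findcdn maintains its own list.
CDN_MARKERS = {
    "Cloudflare": {"cname": (".cloudflare.net",), "text": ("cloudflare",)},
    "Akamai": {"cname": (".akamaiedge.net", ".edgekey.net"), "text": ("akamai",)},
    "Fastly": {"cname": (".fastly.net",), "text": ("fastly",)},
}


def match_cname(cname):
    """CDNs whose domain suffix ends the CNAME target (case and trailing dot normalized)."""
    target = "." + cname.strip().rstrip(".").lower()
    return [cdn for cdn, m in CDN_MARKERS.items()
            if any(target.endswith(suffix) for suffix in m["cname"])]


def match_text(text):
    """CDNs whose marker appears anywhere in free text (WHOIS output, header value)."""
    low = text.lower()
    return [cdn for cdn, m in CDN_MARKERS.items()
            if any(marker in low for marker in m["text"])]


def detect_cdn(cnames=(), whois_text="", headers=None):
    """Return {cdn_name: sorted list of the methods that identified it}."""
    hits = {}
    for cname in cnames:
        for cdn in match_cname(cname):
            hits.setdefault(cdn, set()).add("cname")
    for cdn in match_text(whois_text):
        hits.setdefault(cdn, set()).add("whois")
    # HTTP header names are case-insensitive; only server and via are checked.
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    for name in ("server", "via"):
        for cdn in match_text(lowered.get(name, "")):
            hits.setdefault(cdn, set()).add("header:" + name)
    return {cdn: sorted(methods) for cdn, methods in hits.items()}


if __name__ == "__main__":
    # Inputs: the CNAME and NetName line shown on this page, plus a constructed header.
    print(detect_cdn(
        cnames=["www.domain.com.cdn.cloudflare.net."],
        whois_text="NetName:        CLOUDFLARENET",
        headers={"Server": "cloudflare"},
    ))
```

Reporting which methods agreed makes a single weak signal, such as a lone header match, easy to tell apart from a result confirmed by DNS and WHOIS as well.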
