Identify the CDN, WAF, or bot-management vendor in front of a domain. Vendor-neutral, no API keys, no cloud account.
$ cdn-detect cloudflare.com github.com
domain: cloudflare.com
ip: 104.16.132.229
is_cdn: True
cdn_provider: Cloudflare
methods: ip_prefix, http_header
domain: github.com
ip: 140.82.121.4
asn: AS36459 (GITHUB)
is_cdn: False
methods:
Why publish this? Most "what CDN is this site on?" tools either guess from a single signal (headers only, or DNS only) and miss obvious cases, or wrap a paid intel feed. cdn-detect runs four independent detection strategies — CNAME chain, IP prefix, ASN lookup, response headers, plus cookie-based bot-management fingerprints — and tells you which one fired. No registrations, no rate limits, MIT-licensed.
pip install cdn-detectRequires Python 3.10+ and outbound DNS + HTTPS.
CLI:
cdn-detect example.com
cdn-detect example.com --json
cdn-detect example.com --no-http # DNS-only, no HTTP round-trip
cdn-detect a.com b.com c.com # multiple domainsLibrary:
from cdn_detect import detect
result = detect("example.com")
print(result.cdn_provider) # 'Cloudflare', 'Akamai', None, ...
print(result.detection_methods) # ['cname', 'http_header']
print(result.bot_management) # 'Cloudflare Bot Management', None, ...
print(result.as_dict()) # JSON-serialisable| Signal | What's matched | Example |
|---|---|---|
| CNAME chain | Vendor-owned hostnames in the resolution chain | evil.com → evil.com.cdn.cloudflare.net. |
| IP prefix | Hard-coded vendor IPv4 ranges | 104.16.0.0/12 → Cloudflare |
| ASN | Origin AS number via Team Cymru DNS | AS13335 → Cloudflare |
| ASN org | Vendor name in AS org string | AS54113 FASTLY → Fastly |
| HTTP headers | Vendor-specific response headers | cf-ray:, x-amz-cf-id:, x-akamai-* |
| Cookies | Vendor bot-management cookies | __cf_bm, _abck, incap_ses_* |
| Tunnels | Reverse-tunnel and zero-trust providers | cfargotunnel.com, *.ts.net, ngrok.io |
Currently knows about: Cloudflare, Akamai, Fastly, CloudFront, Imperva, Sucuri, Radware, StackPath, Edgio, Bunny CDN, KeyCDN, Reblaze, Azure Front Door / CDN, Google Cloud CDN, Vercel, Netlify, F5/Volterra, GitHub Pages — plus bot-management from Cloudflare, Akamai, Imperva, Radware, AWS WAF, PerimeterX/HUMAN, DataDome, Kasada — plus tunnels from Cloudflare, Tailscale, ngrok, Twingate, ZeroTier, Azure Dev Tunnels, and others.
A single signal misses a lot:
- Cloudflare proxied behind another reverse proxy: HTTP headers are stripped, but ASN still resolves to AS13335.
- Akamai customer with a custom hostname: CNAME chain has no
akamai.netreference, but the IP lands in23.32.0.0/11. - Customer behind Cloudflare Tunnel (
cfargotunnel.com): the resolved IP belongs to Cloudflare, but the protection model is fundamentally different —tunnel_providersurfaces this distinction. - Sites running an on-prem WAF that doesn't add response headers: cookies often still leak the vendor.
detection_methods lists every strategy that fired so you know how confident the verdict is.
- Doesn't enumerate every vendor IP range. The IP-prefix list is curated, not exhaustive — for production-grade matching, supplement with vendor-published feeds (Cloudflare
/ips-v4, AWSip-ranges.json, etc.). - Doesn't probe the origin behind the CDN. That's a separate problem (and a much more invasive one). For origin-discovery, see DDactic or commercial DAST tooling.
- Doesn't try to fingerprint custom on-prem appliances by deep behavior — only by easily observable signals.
The signature data lives in src/cdn_detect/signatures.py. PRs adding new providers or expanding IP ranges are very welcome, please include a one-line citation (vendor doc, public IP feed URL, or observable example) in the PR description.
MIT. See LICENSE.
DDactic — DDoS resilience testing and external attack-surface management.