So cloudIP still exists and is a great tool. It essentially puts pieces of a puzzle together and can map out where the domains are sitting. For example, is the ftp server sitting on the main server? Is the development server sitting on the main server ?? Things like that can be very important because you may be able to break into the site on a pentest using a subdomain that resides on the same physical server. It amazes me how so many people that I have tried to explain this too just goes completely over their heads. Most and if not all of your google search results on 'how to bypass cloudflare' will result in some sort of subdomain bruteforcing.
Then there were these pesky sites that just had their stuff together so perfectly. As time went on people started configuring subdomains as well as the main domain to go through cloudflare. Using cloudIP would still report its findings but wouldn’t give us any new information other than the discovery of subdomains. I wanted to try and solve this. How could I find the real location of where the server is sitting at ? Well peeps, after a long time of being interested in this topic, I think I have finally figured out a possible solution. I’ve been writing another program called 'cloudy' and it seems like its working beautifully. I can show where DNS records point which is 'cloudflare' and then have a process in which it finds the real location of the server. Some of this is theoretical still but the script works. I just need to further test my theories and eventually I will release it. I am pretty excited and everything else ive googled, nobody has released anything like this so im pumped!