Enumerating Domains via Cloudflare Nameserver Correlation & WHOIS
Security researchers and bug bounty hunters often need to discover all domains under a target’s Cloudflare account. Traditional methods, like searching certificates on crt.sh or doing reverse WHOIS on registrant data, can miss domains due to missing SAN entries or privacy protection. In this quick guide, we’ll show how to leverage the unique entropy in Cloudflare nameserver pairs and a reverse WHOIS API to enumerate related domains.

Prerequisites

- A Linux/macOS terminal (or WSL on Windows)
- dig installed (part of dnsutils or bind-tools)
- A reverse WHOIS service (we’ll use WhoisXMLAPI as an example)

1. Identify the Cloudflare nameservers

Every Cloudflare account is assigned a pair of nameservers (e.g., gabe.ns.cloudflare.com and sima.ns.cloudflare.com). This combination is unlikely to collide across different accounts.

...
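A defensive use of the pairing described in step 1, as an added example that is not part of the original guide: it groups an inventory of your own domains by Cloudflare nameserver pair, so you can see which of them the pair links together. The dig output and the `.example` domains are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: answer lines as printed by `dig NS <domain> +noall +answer`
# for an inventory of our own domains (placeholder .example names).
SAMPLE = """\
shop.example.   86400 IN NS gabe.ns.cloudflare.com.
shop.example.   86400 IN NS sima.ns.cloudflare.com.
blog.example.   86400 IN NS SIMA.NS.CLOUDFLARE.COM.
blog.example.   86400 IN NS gabe.ns.cloudflare.com.
legacy.example. 3600  IN NS ns1.hosting.example.
legacy.example. 3600  IN NS ns2.hosting.example.
lab.example.    86400 IN NS gabe.ns.cloudflare.com.
"""

CF_NS = re.compile(r"[a-z0-9-]+\.ns\.cloudflare\.com")

def parse_ns_records(text):
    """Map each owner name to its set of NS targets (lowercased, no trailing dot)."""
    records = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Expect: owner TTL class type rdata. Skip comments and non-NS rows.
        if len(fields) != 5 or line.startswith(";") or fields[3].upper() != "NS":
            continue
        records[fields[0].rstrip(".").lower()].add(fields[4].rstrip(".").lower())
    return records

def cloudflare_pair(nameservers):
    """Return the sorted pair only if the NS set is exactly two Cloudflare hosts."""
    if len(nameservers) == 2 and all(CF_NS.fullmatch(ns) for ns in nameservers):
        return tuple(sorted(nameservers))
    return None  # partial answer, other provider, or mixed delegation

def group_by_pair(text):
    """Return ({pair: [domains]}, [domains without a complete Cloudflare pair])."""
    groups, unpaired = defaultdict(list), []
    for domain, nameservers in sorted(parse_ns_records(text).items()):
        pair = cloudflare_pair(nameservers)
        if pair:
            groups[pair].append(domain)
        else:
            unpaired.append(domain)
    return dict(groups), unpaired

if __name__ == "__main__":
    groups, unpaired = group_by_pair(SAMPLE)
    for pair, domains in groups.items():
        print(" + ".join(pair), "->", ", ".join(domains))
    print("no complete Cloudflare pair:", ", ".join(unpaired))
```

A domain whose answer contains only one Cloudflare nameserver is reported as unpaired, because the guide's correlation rests on the two-name combination rather than on either name alone.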