How to Find the Hosting Provider of Any Website (5 Simple Methods for 2026)

Why Find a Website's Hosting Provider?

The ability to identify a website's infrastructure has legitimate use across multiple disciplines:

Competitive intelligence: Knowing a competitor is on Hetzner (low cost) vs. AWS (high cost) reveals their infrastructure maturity and budget allocation.
Security research: Determining if a suspicious domain is hosted on a bulletproof or offshore provider is a critical step in threat intelligence investigations.
Infrastructure audits: During M&A or website acquisition due diligence, confirming the actual hosting arrangement prevents surprises post-acquisition.
Sales prospecting: Managed hosting providers and cloud migration specialists use hosting detection to identify prospects on target platforms.
Performance analysis: Correlating page speed data with hosting providers across a market segment identifies which infrastructure choices deliver the best results.

Method 1: Automated Technology Scanner (Fastest)

The fastest and most accessible method for most users is to scan the website with a dedicated technology detection tool.

WebReveal performs a live scan of any URL and returns the hosting provider, CDN, frontend framework, CMS, analytics tools, and full tech stack in a single pass. The scanner analyses HTTP response headers, IP geolocation, DNS data, and page content signals simultaneously—a process that would take 10–15 minutes manually.

Simply navigate to webreveal.io, enter the target URL, and the hosting provider (if detectable) will appear in the Infrastructure section of the results.

The WebReveal Chrome Extension makes this even more seamless—a toolbar popup shows hosting information passively as you browse any website.

When this fails: If the site uses an aggressive Cloudflare configuration with full proxy mode, WebReveal may identify Cloudflare as the CDN but cannot determine the origin host. Proceed to Methods 3, 4, or 5.

Method 2: DNS A Record + IP WHOIS Lookup

DNS A records map a domain to an IPv4 address. Once you have the IP, an IP WHOIS query identifies the organisation that owns it—usually the hosting or cloud provider.

Step 1: Get the IP address

Using the command line:

# macOS / Linux
nslookup example.com
# or
dig +short example.com A

# Windows
nslookup example.com

Alternatively, use a web-based DNS tool such as MXToolbox (mxtoolbox.com/DNSLookup.aspx) or Google's Dig tool (toolbox.googleapps.com/apps/dig/).

Step 2: Look up the IP

With the IP address in hand, query a WHOIS service:

# Command line (macOS/Linux)
whois 104.21.45.67

# Or use ipinfo.io in a browser
https://ipinfo.io/104.21.45.67

The org or OrgName field in the WHOIS response names the organisation that owns the IP block. For cloud providers, this will be "Amazon Technologies Inc." (AWS), "Google LLC" (GCP), "Microsoft Corporation" (Azure), "Hetzner Online GmbH," "DigitalOcean LLC," and so on.

Example: Querying ipinfo.io/34.102.136.180 returns "org": "AS15169 Google LLC", confirming Google Cloud hosting. Querying a Cloudflare-proxied site returns "org": "AS13335 Cloudflare, Inc."—you see the CDN, not the origin.

Method 3: HTTP Response Headers

HTTP response headers are sent by the web server on every request and frequently contain explicit hosting and infrastructure signals. This method works even when the site uses a CDN, because platform-specific headers often pass through.

Using browser developer tools

Open the website in Chrome or Firefox.
Press F12 to open Developer Tools.
Click the Network tab.
Reload the page (Ctrl+R / Cmd+R).
Click the first document request (the HTML page).
Select the Headers sub-tab and examine Response Headers.

Using curl

curl -I https://example.com

This outputs just the response headers without downloading the full page body.

Key headers and their meanings

Header	Value Pattern	Indicates
`Server`	`Netlify`	Netlify hosting
`Server`	`cloudflare`	Cloudflare CDN / Pages
`X-Vercel-Id`	Any value	Vercel hosting
`X-Powered-By`	`WP Engine`	WP Engine managed WordPress
`X-Kinsta-Cache`	Any value	Kinsta managed WordPress
`X-Amz-Cf-Id`	Any value	Amazon CloudFront CDN
`X-Amz-Request-Id`	Any value	Amazon S3 / AWS
`CF-Ray`	Any value	Cloudflare (always present)
`X-Shopify-Stage`	Any value	Shopify platform
`X-GitHub-Request-Id`	Any value	GitHub Pages
`fly-request-id`	Any value	Fly.io hosting
`render-request-id`	Any value	Render.com hosting

Method 4: BGP/ASN Lookup (Most Authoritative)

The Border Gateway Protocol (BGP) is the routing protocol of the internet. Every IP block (prefix) is assigned to an Autonomous System (AS), identified by an ASN. Querying BGP data gives you the most authoritative mapping between an IP address and its owning organisation.

This method is almost never mentioned in basic hosting-lookup guides, yet it is the most technically precise and works on IP ranges that WHOIS sometimes mislabels.

Tool: Hurricane Electric BGP Toolkit

Navigate to bgp.he.net and enter the IP address. The result shows:

ASN — e.g., AS14061 (DigitalOcean), AS16509 (Amazon AWS), AS15169 (Google), AS24940 (Hetzner)
Network name — the registered name of the IP block owner
Country — the registered country of the IP block
Prefix — the specific IP range this address belongs to

Command-line BGP lookup

# Using whois with the Cymru Team Whois service
whois -h whois.cymru.com " -v 104.21.45.67"

# Example output:
# AS    | IP               | BGP Prefix      | CC | Registry | Allocated  | AS Name
# 13335 | 104.21.45.67     | 104.21.0.0/16   | US | ARIN     | 2010-07-09 | CLOUDFLARENET - Cloudflare, Inc.

The Team Cymru whois service (whois.cymru.com) is a free, reliable BGP lookup service that provides AS name alongside the ASN—giving you the provider name directly.

Method 5: Reverse DNS (PTR Records)

A PTR record (pointer record) maps an IP address back to a hostname—the reverse of an A record. Many hosting providers set PTR records that directly name themselves in the hostname format.

Looking up PTR records

# Replace with the actual IP address
dig -x 34.102.136.180 +short
# Example output: 180.136.102.34.bc.googleusercontent.com

# Or using nslookup
nslookup 34.102.136.180

Reading PTR hostnames

PTR record hostnames often directly name the provider:

*.bc.googleusercontent.com → Google Cloud
*.compute.amazonaws.com or ec2-*.compute-1.amazonaws.com → Amazon AWS EC2
*.cloudapp.net → Microsoft Azure
*.digitalocean.com or *.static.digitaloceanspaces.com → DigitalOcean
*.your-server.de or *.hetzner.com → Hetzner
*.linode.com → Linode (Akamai Cloud)
*.vultr.com → Vultr
*.ovh.net or *.ovh.co.uk → OVH

The CDN Masking Problem (And How to Work Around It)

The most common obstacle to hosting identification is CDN reverse proxying. When a website routes all traffic through Cloudflare, Fastly, Akamai, or AWS CloudFront, every DNS lookup returns the CDN's IP address—not the origin server's.

However, the origin host is rarely completely hidden. These techniques often succeed:

HTTP Server header inspection: Even behind Cloudflare, the Server header sometimes reveals the origin web server (e.g., nginx/1.25.3, Apache/2.4.57, or platform-specific values like WP Engine).
Historical DNS data: Services like SecurityTrails (securitytrails.com) maintain historical DNS records. If a domain used a direct A record before enabling Cloudflare, the origin IP may still be visible in historical records.
Certificate transparency logs: crt.sh shows SSL certificate history. Certificates issued before Cloudflare was enabled may reveal origin hostnames.
Subdomain enumeration: Some subdomains (e.g., mail.example.com, ftp.example.com, staging.example.com) may not be proxied through Cloudflare and resolve directly to the origin IP.
SPF records: The SPF (Sender Policy Framework) DNS record for email sending often reveals the origin server IP range even when the web server is CDN-proxied.

Identifying Providers from Published IP Ranges

The major cloud providers publish their IP ranges as machine-readable JSON files, updated in near-real time. This is the most reliable programmatic method for large-scale host identification:

AWS: https://ip-ranges.amazonaws.com/ip-ranges.json — contains all AWS IP prefixes by region and service
Google Cloud: https://www.gstatic.com/ipranges/cloud.json — all GCP IP ranges
Microsoft Azure: Download links published monthly at microsoft.com/download/details.aspx?id=56519
Cloudflare: https://api.cloudflare.com/client/v4/ips — all Cloudflare IP ranges
Fastly: https://api.fastly.com/public-ip-list

By downloading these files and checking whether a target IP falls within a published range, you can programmatically identify the provider with certainty—no WHOIS query required. This is how enterprise security tools and OSINT platforms automate host identification at scale.

Here is a simple Python snippet to check if an IP belongs to AWS:

import ipaddress, json, urllib.request

url = 'https://ip-ranges.amazonaws.com/ip-ranges.json'
data = json.loads(urllib.request.urlopen(url).read())

target_ip = ipaddress.ip_address('52.204.0.10')

for prefix in data['prefixes']:
    if target_ip in ipaddress.ip_network(prefix['ip_prefix']):
        print(f"AWS — Region: {prefix['region']}, Service: {prefix['service']}")
        break

Cheat Sheet: Common Provider Signals

Provider	ASN	PTR Pattern	HTTP Header	IP Range URL
AWS	AS16509	`*.compute.amazonaws.com`	`X-Amz-*`	ip-ranges.amazonaws.com
Google Cloud	AS15169	`*.googleusercontent.com`	—	gstatic.com/ipranges/cloud.json
Azure	AS8075	`*.cloudapp.net`	—	microsoft.com download page
Cloudflare	AS13335	—	`CF-Ray`	api.cloudflare.com/v4/ips
Vercel	AS394353	`*.vercel-dns.com`	`X-Vercel-Id`	—
Netlify	AS394161	—	`Server: Netlify`	—
DigitalOcean	AS14061	`*.digitalocean.com`	—	—
Hetzner	AS24940	`*.your-server.de`	—	—
Fastly	AS54113	—	`X-Fastly-*`	api.fastly.com/public-ip-list
GitHub Pages	AS36459	—	`X-GitHub-Request-Id`	api.github.com/meta

Frequently Asked Questions

How do I find the hosting provider of a website for free?

Use WebReveal for the fastest free result. For manual verification, run nslookup example.com to get the IP address, then visit ipinfo.io/[IP] to identify the hosting provider. Both are completely free.

Can I find a website's host if it uses Cloudflare?

If a website uses Cloudflare in full proxy mode, DNS lookups return Cloudflare IPs, masking the origin. Check HTTP response headers (Method 3) for platform-specific headers that pass through Cloudflare, or check historical DNS records on SecurityTrails for the origin IP from before Cloudflare was enabled.

What does nslookup tell me about hosting?

nslookup returns the IP address of a domain. The IP alone does not name the hosting provider—you need a second step: an IP WHOIS or ASN lookup via ipinfo.io, bgp.he.net, or the Team Cymru whois service to identify the organisation that owns the IP block.

Which method is most accurate?

The BGP/ASN lookup via bgp.he.net or Team Cymru whois is the most technically authoritative method, as it queries the actual routing table of the internet. For practical use, WebReveal combines multiple signals and is the most convenient single-tool approach.

Can websites hide their hosting provider completely?

Not completely. Using a CDN hides the origin IP, but multiple other signals (PTR records, HTTP headers, historical DNS, subdomain leakage, SPF records) often still expose the underlying platform. A determined researcher using all five methods in this guide will identify the host in the vast majority of cases.