if you have shell access to a *nix box just do a whois on the domain, then do a dig on all relevant domain names, ip's etc, then you can traceroute and keep working out what's what.
eg: dig intporn.com
will give you
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> intporn.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 930
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;intporn.com. IN A
;; ANSWER SECTION:
intporn.com. 30 IN A 85.17.174.200
intporn.com. 30 IN A 85.17.174.246
;; AUTHORITY SECTION:
intporn.com. 151791 IN NS ken.ns.cloudflare.com.
intporn.com. 151791 IN NS dawn.ns.cloudflare.com.
then
whois 85.17.174.246
gives you
inetnum: 85.17.174.0 - 85.17.174.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr:
www.leaseweb.com
remarks: Please send email to "
[email protected]" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
source: RIPE # Filtered
person: RIP Mean
address: P.O. Box 93054
address: 1090BB AMSTERDAM
address: Netherlands
phone: +31 20 3162880
fax-no: +31 20 3162890
abuse-mailbox:
[email protected]
nic-hdl: LSW1-RIPE
mnt-by: OCOM-MNT
source: RIPE # Filtered
% Information related to '85.17.0.0/16AS16265'
route: 85.17.0.0/16
descr: LEASEWEB
origin: AS16265
remarks: LeaseWeb
mnt-by: OCOM-MNT
source: RIPE # Filtered
looking at the TTL on the A records and the long TTL on the NS records they could be doing some kind of redirect to cloudflare from leaseweb, I'm not sure if Cloudflare is associated with Leaseweb. All looks a bit odd to me.