some domains using cloudflare as dns proxy will use this cname that reveal 
they real ip address:

direct-connect.domain.com
direct.domain.com

let me give u a sample

# host exploit-db.com
exploit-db.com has address 199.27.134.111
exploit-db.com has address 199.27.135.111

it's clear using cloudflare

what the real ip address??

here goes the answer

===========
# host direct.exploit-db.com
direct.exploit-db.com has address 67.23.70.60
============

sometimes u can check : mail.domain.com

other method is using nmap dns brute force script
http://nmap.org/nsedoc/scripts/dns-brute.html


for a long aged domain web can also check hosting history at netcraft . 
e.g:

http://toolbar.netcraft.com/site_report?url=http://www.anti-sec.com

considering the above pattern u may notice this


28-Feb-2010  ---------------->  	77.78.103.253				
and 1-Mar-2010 ----> 77.78.103.117


at 11 nov 173.245.61.112 -> cloudflare

then u may consider about 1-255 guessable ?? the probability