Is it possible to scan the whole IP range to find a domain behind the CDN?

I am very curious if it is possible to find the real IP address of a domain “protected” by a CDN service.

For example, www.cnn.com uses Fastly service, and the domain name only resolves to a Fastly edge server’s IP. If I scan the whole 4 billion IP range, sending HTTP GET request with header Host: www.cnn.com, how possible it will be that I can find the real IP of cnn’s origin server?