Cloudflare & DNS compromises

June 18, 2017

It's been a long time since I first wanted to start our official blog, but something always delayed it. Well, the blog is finally here, and we're here with our first post!

I'm sure this post will sound familiar to many of you who have experienced this issue, and I hope it helps reduce the number of cases where people run into it.

A lot of our members, and we ourselves at times, will register a new domain and point its nameservers to Cloudflare but delay adding it to the Cloudflare account. Sometimes the domain registrar is even configured so that all newly registered domains automatically point to the Cloudflare nameserver set.

A member submitted a ticket recently saying that he had registered a number of domains over the last few weeks and that a few of them were, surprisingly, loading sites that were definitely not his own. Over the past year we have received a number of tickets describing the same issue.

Basically, what occurs is that users with malicious intentions monitor new domain registrations, looking for domains that are pointed to Cloudflare but not yet added to any Cloudflare account. (Note: anyone can monitor new domain registrations; many companies provide this as a service.)

When a domain is pointed to a set of Cloudflare nameservers but the domain is not added to any Cloudflare account, it basically means that anyone with a Cloudflare account can add the domain to their own account, and Cloudflare will automatically re-point the domain internally to that account's set of nameservers.

Users with malicious intent monitor for exactly this and automatically add such domains to their own Cloudflare accounts, benefiting from free domains without the domain owner necessarily knowing about it, since the owner is not notified in any way that this is occurring. Not only are these users benefiting from free domains, they can also cause permanent damage to the domain name, because 99% of the time they will host fraudulent sites. Most domain registrars monitor for this and will suspend the domain, and on top of that you could receive a permanent penalty from Google and other search engines, since they will see the domain hosting a fraudulent site, which from an SEO point of view is bad.

The same thing can happen with any hosting provider that runs its own DNS servers: for example, if a domain is pointed to our nameservers but isn't added to any hosting account, any customer with malicious intentions using our services can add the domain to their own account.

How do I know if I'm affected?

That is a good question and a very important one!

Let's assume I purchased the domain mynewdomain.com on November 30th, 2016 and pointed it to my set of Cloudflare nameservers:

jack.ns.cloudflare.com
jill.ns.cloudflare.com

So far the only action I have taken is to register the domain and point it to my Cloudflare nameservers; I haven't added the site on my server yet.

The first sign that something is going wrong is when you try to load this newly registered site and it loads some site that you don't own and that is completely unrelated to you.

In this case my first step would be to go to a DNS checker such as http://leafdns.com, type my domain name in the field on that page and click the "Go" button. It will then load the results of the DNS check.

Now have a look at what the parent nameservers and local nameservers sections are reporting. The nameservers in both of those sections should match up, so in our case they should both report:

jack.ns.cloudflare.com
jill.ns.cloudflare.com

If the local nameservers section is reporting a different set of nameservers, it means that a user with malicious intentions has added the domain to their own Cloudflare account and is taking advantage of it to host a fraudulent site.
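As an added example (not code from the original post), here is the same parent-vs-local nameserver comparison done from the command line instead of through leafdns.com. The `parse_ns` and `classify` functions work offline on dig output; `check_domain` is the live version and assumes `dig` is installed and the root servers are reachable. The domain and the jack/jill pair are the ones from the post; any other nameserver names in the comments are constructed placeholders.

```python
import subprocess

CF_SUFFIX = ".ns.cloudflare.com"

def parse_ns(dig_output):
    """Collect NS target names from dig answer/authority lines such as
    'mynewdomain.com. 172800 IN NS jack.ns.cloudflare.com.' (lower-cased,
    trailing dot dropped, so two lists compare by content)."""
    names = set()
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN" and f[3] == "NS":
            names.add(f[4].lower().rstrip("."))
    return frozenset(names)

def classify(parent_ns, local_ns):
    """parent_ns: what the registry (TLD) servers delegate the domain to.
    local_ns: what those delegated servers themselves report for the zone."""
    parent, local = frozenset(parent_ns), frozenset(local_ns)
    if not parent:
        return "not delegated"
    if not local:
        return "no local answer"
    if parent == local:
        return "consistent"
    if all(n.endswith(CF_SUFFIX) for n in parent | local):
        # Registrar points at Cloudflare (jack/jill), but Cloudflare serves the
        # zone from a different pair (e.g. a constructed amy/bob): the domain
        # is active in somebody else's Cloudflare account.
        return "claimed in another Cloudflare account"
    return "mismatch"

def dig_ns(name, server):
    """Ask one server, non-recursively, for the NS records of name (assumes dig)."""
    out = subprocess.run(
        ["dig", "+norecurse", "+noall", "+answer", "+authority", "NS", name, f"@{server}"],
        capture_output=True, text=True, check=True).stdout
    return parse_ns(out)

def check_domain(domain):
    """Live version of the leafdns.com check: parent delegation vs local answer."""
    domain = domain.rstrip(".")
    tld_server = sorted(dig_ns(domain.rsplit(".", 1)[-1], "a.root-servers.net"))[0]
    parent = dig_ns(domain, tld_server)          # what the registry says
    local = frozenset().union(*(dig_ns(domain, ns) for ns in parent))  # what the NS say
    return classify(parent, local)

if __name__ == "__main__":
    import sys
    print(check_domain(sys.argv[1]))
```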

The Resolution

The resolution for this issue is to point the nameservers back to your domain registrar's default DNS, so that the domain shows the registrar's default parking page, and wait 2-3 days (I personally usually recommend 7 days) so that Cloudflare detects that the nameservers no longer point to them and automatically removes the domain from the Cloudflare account it was added to. Then point the domain back to your own Cloudflare nameservers and add it to your Cloudflare account.

What I actually usually recommend is either pointing the domain to your set of Cloudflare nameservers and then immediately adding the domain to your Cloudflare account once you are ready to build the site, or, even better if possible, first adding the domain to your Cloudflare account and only then pointing the domain to your set of Cloudflare nameservers.

I hope that this has been useful for you! For any questions do feel free to leave a comment and I'll answer them!

3 Comments

  1. Roger Gonzales says:

    Thank you very much, this will be very helpful, especially when we buy bulk domains.

  2. Ganti says:

    Thank you very much

  3. Anurag says:

    Thank you very much.

    I am dealing with this now. I know what mistake I made, lesson learned!!
