A subdomain exists that does not appear in my host cPanel or the CF DNS interface

DNS & Network
#1

Hello

I discovered that there is a subdomain: dc-35fb9f3c2027.domain.com , that was found on an email blacklist.

But this subdomain does not exist on my host server, checked by host support team.

The subdomain is also not listed in the CloudFlare DNS interface.

So is it possible there is a backend subdomain on CF that is being abused in some way ?

Thank you for your assistance.

Tim

Blacklisted with subdomains that I can't find in my CF DNS or elsewhere
#2

Nope. If you attempt to set a mail server to Proxy (:orange:) status, Cloudflare will create one of those dc- records in order for your domain to receive email. I don’t know why one of those would ever end up on a blacklist because those are for inbound email only and can not be used for outbound mail.

#3

Thanks for chiming in @sdayman

Also the MX record is set to “DNS only”.

mxtoolbox.com says the subdomain is “Blacklisted by UCEPROTECTL3”

Do you know how I can investigate/troubleshoot ?

#4

MX records are all DNS-Only. It’s the hostname it points to that’s often Proxied when it shouldn’t be. But without knowing your specific DNS configuration, we can’t assist.

You’d have to explore how the UCEPROTECTL3 list works.

#5

I’m happy to provide required information. Which specific DNS configuration do you need to see ? Is it ok to post that info here ?

As I understand it UCEPROTECTL3 blocks IP ranges if an IP within that range is flagged.

As it stands I don’t currently see how I can control this unknown subdomain created by CF, other than ceasing to use the CF service.

#6

If you can post a screenshot of all your DNS records, that would speed up troubleshooting. Go ahead and black out your IP addresses.

#7

Here you go, though I think the IPs are easily discovered:

FireShot Capture 003 - DNS - globaltimoto.com - Account - Cloudflare - Web Performance & Sec_ - dash.cloudflare.com
FireShot Capture 003 - DNS - globaltimoto.com - Account - Cloudflare - Web Performance & Sec_ - dash.cloudflare.com1056×1364 83.4 KB

#8

The MX record for your domain points to the naked root, which is proxied (:orange:). So Cloudflare created the dc- record with your actual IP address as a substitute so email can be delivered.

Your MX record should instead point to mail.globaltimoto.com

1 Like
#9

Thank you @sdayman

So now that I’ve changed it to name:“mail” server:“globaltimoto.com”, will that spurious subdomain be removed ?

Is there a Terminal command I can run to check ?

#10

That’s backwards. The domain should point to the server ‘mail’.

#11

I tried that but got this response:

cf-mx
cf-mx1063×261 11.4 KB

So do you mean name: “globaltimoto.com” server: “mail.globaltimoto.com” like this ? :

cf-mx-2
cf-mx-21020×216 5.86 KB

1 Like
#12

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.