Add an extra DNS check before allowing a Cloudflare zone to be created in an account
Benefit
You would prevent bad actors from hijacking your Cloudflare zone. This is what happened to us:
We put graham.ns.cloudflare.com and jessica.ns.cloudflare.com as NS records in our registrar for, let’s say, example.com
A few days had passed
Someone had added example.com as a zone in their Cloudflare account that also uses the “graham” and/or “jessica” nameservers
They had pointed our domain to pornography content
My suggestion: Whenever a Cloudflare zone is created:
A random verification string is generated
That string should be put as a TXT record in the domain registrar (next to the NS records)
Cloudflare should allow the zone to be created only if such a TXT record exists on the domain and matches
This way you prove to Cloudflare that you own the domain, because you’re the only one who has access to the DNS settings of the registrar and can add that TXT record.
This situation is already handled. If the nameservers set at the registrar are the same as any at the time of adding the site to Cloudflare, Cloudflare will request a different set of nameservers to be used for the domain.
In other words, adding a site to Cloudflare will always require the nameservers at the registrar to be changed to ensure the person adding the site has control of the domain.
It means they may be the same if you add the domain before setting the nameservers at the domain registrar (they usually are but may be different). But they will be different if the “usual” set are already set at the registrar.
If you think this didn’t work as it should, then raise a support ticket as only Cloudflare will be able to look at what happened in your case.
Do you have control of the domain now? If not, as I said, just add the domain again. You’ll get a new set of nameservers and you can set the new ones at the registrar to take control of the domain.
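The two ownership checks discussed in this thread, the TXT-token proof the original post proposes and the "assign a different nameserver pair" rule the reply describes, modelled together as an added example. This is illustrative Python, not Cloudflare's code and not either poster's; the `_cf-zone-verify` label, the `cf-zone-verify=` value format, the `ada`/`bob` nameserver names and the `make_lookup` stand-in resolver are all assumptions made for the demo, and the DNS answers are constructed so it runs offline.

```python
"""Zone-activation ownership checks, as an added example (not Cloudflare's code).

Models two checks from the thread:
  1. the TXT-token proof the original post proposes, and
  2. the reply's rule that a new zone gets a nameserver pair that differs
     from whatever the registrar already delegates to.
DNS lookups are injected as a callable so everything runs offline.
"""
import hmac
import secrets
from typing import Callable

Lookup = Callable[[str, str], list[str]]  # (owner name, rrtype) -> record strings

# Assumed record label and value format; Cloudflare has no such record today.
TXT_LABEL = "_cf-zone-verify"
TOKEN_PREFIX = "cf-zone-verify="

# Constructed nameserver pool: graham/jessica come from the thread, ada/bob are made up.
NS_POOL = [
    ("graham.ns.cloudflare.com", "jessica.ns.cloudflare.com"),
    ("ada.ns.cloudflare.com", "bob.ns.cloudflare.com"),
]


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def new_token() -> str:
    """Random, unguessable verification string handed to the person adding the zone."""
    return secrets.token_urlsafe(32)


def txt_proof_present(domain: str, token: str, lookup: Lookup) -> bool:
    """True only if some TXT record at _cf-zone-verify.<domain> equals the expected value."""
    expected = (TOKEN_PREFIX + token).encode()
    for rdata in lookup(f"{TXT_LABEL}.{_norm(domain)}", "TXT"):
        value = rdata.strip().strip('"').encode()
        # Several TXT records may coexist; compare each one in constant time.
        if hmac.compare_digest(value, expected):
            return True
    return False


def assign_nameservers(domain: str, pool, lookup: Lookup):
    """Pick a pair that shares no nameserver with the current delegation.

    If the registrar already points at a pair (left over from an earlier zone,
    as in the thread), that pair is skipped so activation needs a registrar change.
    """
    delegated = {_norm(ns) for ns in lookup(domain, "NS")}
    for pair in pool:
        if not delegated & {_norm(ns) for ns in pair}:
            return pair
    raise RuntimeError("no nameserver pair disjoint from current delegation")


def delegation_matches(domain: str, assigned, lookup: Lookup) -> bool:
    """Registrar must delegate to exactly the assigned pair, nothing more or less."""
    delegated = {_norm(ns) for ns in lookup(domain, "NS")}
    return delegated == {_norm(ns) for ns in assigned}


def may_activate(domain: str, token: str, assigned, lookup: Lookup) -> dict:
    """Both proofs must hold before the zone goes live."""
    ns_ok = delegation_matches(domain, assigned, lookup)
    txt_ok = txt_proof_present(domain, token, lookup)
    return {"ns_ok": ns_ok, "txt_ok": txt_ok, "activate": ns_ok and txt_ok}


def make_lookup(records: dict) -> Lookup:
    """Offline stand-in for a resolver; records maps (name, rrtype) -> list of strings."""
    table = {(_norm(n), t.upper()): list(v) for (n, t), v in records.items()}
    return lambda name, rrtype: table.get((_norm(name), rrtype.upper()), [])


# Constructed scenario: the registrar still delegates example.com to the old pair.
TOKEN = "constructed-token-for-demo"
DANGLING = make_lookup({("example.com", "NS"): NS_POOL[0]})
ASSIGNED = assign_nameservers("example.com", NS_POOL, DANGLING)

# After the domain holder updates the registrar with the new pair and the TXT proof.
UPDATED = make_lookup({
    ("example.com", "NS"): ASSIGNED,
    (f"{TXT_LABEL}.example.com", "TXT"): [f'"{TOKEN_PREFIX}{TOKEN}"', '"unrelated=1"'],
})

if __name__ == "__main__":
    print("assigned pair:", ASSIGNED)
    print("before registrar change:", may_activate("example.com", TOKEN, ASSIGNED, DANGLING))
    print("after registrar change: ", may_activate("example.com", TOKEN, ASSIGNED, UPDATED))
```

Because the old pair is already delegated, `assign_nameservers` hands out a different one, so the registrar record must change before `delegation_matches` is true; the TXT check adds a second proof that only someone with registrar access can supply, and the comparison is constant-time so a mismatched token leaks nothing about the expected value.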