An intriguing problem about nameserver assignment

I found that I can add a domain to my Cloudflare account even when this domain is not mine. Then, I found that I could add any DNS records to this domain. These records are valid and deployed on two Cloudflare nameservers even before I change my nameservers to the two NS that Cloudflare assigned to me. I wonder: if there are so many accounts (more than the number of nameservers in the Cloudflare NS pool) that add DNS records to my domain, so that all CF NS are each assigned to one account, then which NS will be assigned to the next account? The authoritative NS? What is the implementation?

That is incorrect. The records are not valid unless the authoritative nameservers are delegated by the parent zone.

Here is an excellent article for learning more about Cloudflare nameserver name assignment.

Thank you for your reply! Maybe my description is implicit. There is no doubt that DNS records are invalid unless the authoritative NS are changed; however, these DNS records can be seen on the nameserver Cloudflare assigned to the account. I use `dig @xxx.ns.cloudflare.com www.xxx.com +tcp` to check the DNS record on xxx.ns.cloudflare.com. Then I can see the DNS record I have just added even though I haven't changed the nameservers. In this way, one account can change two nameservers' DNS records. I want to know what will happen after all CF NSs are assigned? Thank you!

The names are just to authenticate the domain when it is added to an account as in the article @epic.network linked to. You can query any of the now 900 xxxx.ns.cloudflare.com names and get an answer for any Cloudflare hosted domain.

https://github.com/indianajson/cloudflare-nameservers/blob/main/cloudflare-names.txt

1 Like

Thank you for your reply! I'm interested in https://github.com/indianajson/cloudflare-nameservers/blob/main/cloudflare-names.txt and greatly thank you for telling me that there are 900 nameservers now. Let me give an example to explain my question more explicitly. Suppose that my domain example.com is using CF and its authoritative nameservers are 1.ns.cloudflare.com and 2.ns.cloudflare.com. Now, 449 adversaries sign up for new accounts and add example.com to their accounts. Then, they set DNS records and Cloudflare assigns them two nameservers each, ranging from 3.ns.cloudflare.com to 900.ns.cloudflare.com. Now, there are no nameservers left in the Cloudflare pool, as the adversaries consumed all 900 NS. Consequently, what will happen if the next adversary adds example.com to his account? Which nameserver will Cloudflare assign to him?

Cloudflare has security controls in place to prevent that scenario.

1 Like

You also greatly underestimate the number of possible combinations. You only accounted for sequential pairing.

For the sake of an example, let’s assume that there are two distinct pools of names to choose from and we will only use one from each. If each pool has 450 names, you have 202,500 unique combinations!

Thank you all for the kind help! I still have further questions to discuss with you. Firstly, @cscharff said that Cloudflare has security controls; as a security researcher, I want to know the detailed strategy. Is there any document for this problem? You could also give me a feasible example to show me that it's easy to prevent this scenario. Secondly, I agree with @epic.network's insight; however, we should also consider a determined attacker who registers 101250 accounts!

I learned some of the security controls while under NDA so I won’t be sharing them. This isn’t a particularly difficult attack scenario to protect against.

2 Likes

If there is, I wouldn’t expect it to be public.

That still leaves another 101250 combinations unaccounted for, and as @cscharff pointed out, detecting that many accounts with the same domain is quite trivial.

The same would apply to all other DNS providers out there.

Some domain registrars check, when you assign name servers, that the desired name servers actually respond (properly) to DNS queries; therefore, it is (sometimes) mandatory that the two name servers (Cloudflare setups), and any other name servers (other DNS services), for your set-up are responding to DNS queries prior to the actual delegation.

Cloudflare is actively purging zones that were never delegated properly from the parent registry, as well as zones that have left their previous (but successful) delegation.

And, …

Is the highlighted part on this page enough?

This essentially means that if your account's (typical) name servers were jane.ns.cloudflare.com and john.ns.cloudflare.com, and you tried to delegate the domain's name servers to those, and after this delegation at your registrar used the [Add a site] procedure on Cloudflare, then Cloudflare would detect that the domain was already pre-set to these name servers, and give you a different set of name servers, for example bob.ns.cloudflare.com and emma.ns.cloudflare.com.

2 Likes
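The replies above turn on one distinction: a record served by an assigned nameserver only counts once the parent zone delegates to that nameserver, registrars may test that the assigned servers answer before accepting the delegation, and a provider can notice that a domain is already pre-set to an account's default pair. The following is an added example (not code from the thread or from Cloudflare) that models those three checks on constructed observations so it runs offline. `parse_dig_short` accepts the text that `dig +short NS zone @server` prints; the nameserver names (jane, john, bob, emma) are the ones the last reply uses, and `choose_pair` is an assumed model of the behaviour it describes, not Cloudflare's actual implementation.

```python
"""Delegation-state checker: added example, not part of the original thread."""
from __future__ import annotations

from dataclasses import dataclass


def normalize(name: str) -> str:
    """Canonical DNS name: lowercase, exactly one trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def parse_dig_short(text: str) -> set[str]:
    """Turn `dig +short NS zone` output (one name per line) into a set of names."""
    return {
        normalize(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith(";")
    }


@dataclass(frozen=True)
class Observation:
    zone: str
    parent_ns: frozenset[str]     # NS names the parent (registry) servers return
    assigned_ns: frozenset[str]   # names the DNS provider handed to this account
    answering_ns: frozenset[str]  # assigned servers that answered the zone with AA set


def delegation_state(obs: Observation) -> str:
    """Classify whether the account's assigned nameservers are really authoritative."""
    parent = {normalize(n) for n in obs.parent_ns}
    assigned = {normalize(n) for n in obs.assigned_ns}
    answering = {normalize(n) for n in obs.answering_ns}
    if not assigned:
        return "no-assignment"
    if parent.isdisjoint(assigned):
        # Records live on the assigned servers but no resolver will ever ask them.
        return "not-delegated"
    if assigned != parent:
        return "partial"
    if assigned - answering:
        # Parent points here, but a server does not answer: the registrar check fails.
        return "lame"
    return "delegated"


def choose_pair(default_pair, parent_ns, fallback_pair) -> tuple[str, str]:
    """Assumed model of the 'already pre-set' handling described above:
    if the parent already delegates to the account's default pair, hand out
    a different pair instead."""
    parent = {normalize(n) for n in parent_ns}
    if {normalize(n) for n in default_pair} <= parent:
        return tuple(fallback_pair)
    return tuple(default_pair)


# Constructed sample data (what `dig +short NS example.com @a.gtld-servers.net`
# might print); not real query results.
PARENT_ANSWER = "jane.ns.cloudflare.com.\nJOHN.ns.cloudflare.com.\n"
PARENT_NS = frozenset(parse_dig_short(PARENT_ANSWER))
DEFAULT_PAIR = ("jane.ns.cloudflare.com", "john.ns.cloudflare.com")
OTHER_PAIR = ("bob.ns.cloudflare.com", "emma.ns.cloudflare.com")

OWNER = Observation("example.com", PARENT_NS, frozenset(DEFAULT_PAIR), frozenset(DEFAULT_PAIR))
STRANGER = Observation("example.com", PARENT_NS, frozenset(OTHER_PAIR), frozenset(OTHER_PAIR))
LAME = Observation("example.com", PARENT_NS, frozenset(DEFAULT_PAIR),
                   frozenset({"jane.ns.cloudflare.com"}))


def run_examples() -> dict[str, str]:
    """Evaluate the constructed cases; returns a name -> state mapping."""
    return {
        "owner": delegation_state(OWNER),
        "stranger": delegation_state(STRANGER),
        "lame": delegation_state(LAME),
    }


if __name__ == "__main__":
    for name, state in run_examples().items():
        print(f"{name:9s} {state}")
    print("pair handed out:", choose_pair(DEFAULT_PAIR, PARENT_NS, OTHER_PAIR))
```

The stranger case is the one the opening post describes: the records exist on the assigned servers and `dig @bob.ns.cloudflare.com` will show them, but the classifier reports `not-delegated` because the parent still points at the owner's pair, so ordinary resolvers never see them.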
