My company has DNS records hosted by Cloudflare. Last month, a team member inadvertently added two additional Cloudflare nameservers into our registrar’s nameserver configuration (for a total of 4) instead of only the 2 it was supposed to be. All 4 were legitimate Cloudflare nameservers.
Original Record: ian.ns.cloudflare aryanna.ns.cloudflare
New Record: ian.ns.cloudflare aryanna.ns.cloudflare tim.ns.cloudflare paislee.ns.cloudflare
5 days later, the domain showed as “Moved”, then 1 week afterwards it was automatically deleted, and today it was purged. We did not know any of this was happening at the time until all of our DNS services went down. I have pieced most of this together from the log files in our Cloudflare account (pasted below).
2022-01-12T02:49:02Z 5e53bb44-5758-5401-b96a-6e86b01fc1a9 purge
2022-01-05T04:12:29Z 02e35763-496b-4c2f-bcdd-e3197906335b deleted
2022-01-05T02:49:02Z a47e7177-8dcd-4ba8-a7e2-3c67510dcd0b zone_delete:_certificate_pack_delete_requested
2022-01-05T02:49:00Z 4a9a3bd8-583c-57e5-ab96-01426a8bd1de delete
2021-12-29T02:48:57Z 8e339475-6d0a-57c0-8cb8-716df6b720f0 zone_moved
My question is this: we are trying to determine the root cause of the outage and would like to inquire if you can validate our theory that adding those two additional Cloudflare nameservers into the registrar would activate this sequence of events that transpired. The two correct nameservers that the domain was supposed to have were always there and never were deleted at any point.
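The following is an added example, not part of the original post and not Cloudflare code: a monitoring sketch that rebuilds the timeline from the audit log lines pasted above and flags any registrar delegation that differs from the assigned nameserver pair. The function names, the set of actions treated as alertable, and the use of the nameserver names exactly as written in the post are assumptions; it detects the condition and the events and does not establish what caused them.

```python
from datetime import datetime, timezone

# Audit log lines exactly as pasted in the post: timestamp, event id, action.
AUDIT_LOG = """\
2022-01-12T02:49:02Z 5e53bb44-5758-5401-b96a-6e86b01fc1a9 purge
2022-01-05T04:12:29Z 02e35763-496b-4c2f-bcdd-e3197906335b deleted
2022-01-05T02:49:02Z a47e7177-8dcd-4ba8-a7e2-3c67510dcd0b zone_delete:_certificate_pack_delete_requested
2022-01-05T02:49:00Z 4a9a3bd8-583c-57e5-ab96-01426a8bd1de delete
2021-12-29T02:48:57Z 8e339475-6d0a-57c0-8cb8-716df6b720f0 zone_moved
"""

# Assumption: alert on the zone lifecycle action names seen in that log.
ALERT_ACTIONS = {"zone_moved", "delete", "deleted", "purge"}

def parse_audit_log(text):
    """Return (timestamp, event_id, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((when.replace(tzinfo=timezone.utc), parts[1], parts[2]))
    return sorted(events)

def lifecycle_timeline(events):
    """Return (action, whole days since the first alertable event)."""
    hits = [(when, action) for when, _, action in events if action in ALERT_ACTIONS]
    if not hits:
        return []
    first = hits[0][0]
    return [(action, (when - first).days) for when, action in hits]

def ns_drift(expected, delegated):
    """Return (extra, missing) nameservers in the registrar delegation."""
    def norm(names):
        return {n.strip().rstrip(".").lower() for n in names}
    exp, got = norm(expected), norm(delegated)
    return sorted(got - exp), sorted(exp - got)

if __name__ == "__main__":
    for action, days in lifecycle_timeline(parse_audit_log(AUDIT_LOG)):
        print(f"day {days:>2}: {action}")
    # Names as written in the post (hypothetical input to a scheduled check).
    assigned = ["ian.ns.cloudflare", "aryanna.ns.cloudflare"]
    at_registrar = assigned + ["tim.ns.cloudflare", "paislee.ns.cloudflare"]
    print("extra, missing:", ns_drift(assigned, at_registrar))
```

Run on a schedule against the registrar's current delegation and the account audit log, either check would have raised an alert before the DNS outage.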