Cloudflare DNS allowing abuse from unauthorized individuals?

dns

#1

I decided it was time to find out what the heck is going on, and why it has not been addressed.

Yesterday, I received a DMCA notice for a .net domain which I had on Cloudflare and I had directed to an active .com website. I found my domain was no longer pointing at the correct website, and it appears there are two issues which led to the redirection of my domain.

# 1 - Cloudflare had dropped the domain from my account.

The name servers for ~ snip ~ no longer point to Cloudflare. They now point to:

DNS1: [not set]
DNS2: [not set]
DNS3: [not set]
DNS4: [not set]
DNS5: [not set]

As this account was created a long time ago, the email assigned to it was not being monitored. I’m not the first person to receive a false positive.

http://www.reddit.com/r/webhosting/comments/4hzogn
http://forums.whirlpool.net.au/archive/2408904

So how much checking is actually done before dropping a domain from an account?

# 2 - Some other person was then able to add my domain back into the Cloudflare DNS system, and pass or bypass verification.

I first noticed this type of activity about a year ago with one of my domains, but didn’t think it was that widespread until I noticed it again a few months ago. This is when I decided to do a little digging.

dig -t NS @a2.org.afilias-nst.info kettle.org
;; AUTHORITY SECTION:
kettle.org.             86400   IN      NS      boyd.ns.cloudflare.com.
kettle.org.             86400   IN      NS      gwen.ns.cloudflare.com.

dig SOA @boyd.ns.cloudflare.com kettle.org
;; ANSWER SECTION:
kettle.org.             3600    IN      SOA     algin.ns.cloudflare.com. dns.cloudflare.com. 2025384261 10000 2400 604800 3600

dig -t NS @boyd.ns.cloudflare.com kettle.org
;; ANSWER SECTION:
kettle.org.             86400   IN      NS      algin.ns.cloudflare.com.
kettle.org.             86400   IN      NS      jule.ns.cloudflare.com.

That’s not my domain, but is one of the others I found with identical website content and with their DNS in the same condition.

Domains have been set to one pair of Cloudflare nameservers, while Cloudflare DNS shows a different pair of assigned nameservers.

http://hosixy.com/2016/12/15/cloudflare-dns-compromises/

How has this problem remained quiet for so long? It doesn’t seem like something that would be flying under the radar.
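
The comparison described in post #1, as an added example that is not part of the original thread: it parses the two `dig` NS outputs quoted in the post and reports when the registry delegation and the zone's own NS set differ. The function names `ns_set` and `compare_delegation` are hypothetical; the sample text is the kettle.org output copied from the post.

```python
import re

# dig output copied from post #1 (kettle.org): the registry's delegation,
# then the NS set returned by one of the delegated Cloudflare servers.
PARENT_OUTPUT = """\
;; AUTHORITY SECTION:
kettle.org.             86400   IN      NS      boyd.ns.cloudflare.com.
kettle.org.             86400   IN      NS      gwen.ns.cloudflare.com.
"""
CHILD_OUTPUT = """\
;; ANSWER SECTION:
kettle.org.             86400   IN      NS      algin.ns.cloudflare.com.
kettle.org.             86400   IN      NS      jule.ns.cloudflare.com.
"""

# One NS resource record line as dig prints it: owner, TTL, class, type, target.
NS_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$", re.IGNORECASE)

def ns_set(dig_output, zone):
    """Return the NS targets that dig_output lists for zone, lower-cased."""
    owner = zone.lower().rstrip(".") + "."
    found = set()
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig section/comment lines
        match = NS_RR.match(line)
        if match and match.group(1).lower() == owner:
            found.add(match.group(2).lower().rstrip("."))
    return found

def compare_delegation(parent_output, child_output, zone):
    """Compare the registry's NS set with the NS set the zone serves."""
    parent = ns_set(parent_output, zone)
    child = ns_set(child_output, zone)
    return {
        "only_parent": parent - child,  # delegated, but not listed by the zone
        "only_child": child - parent,   # listed by the zone, not delegated
        # An empty parent set (e.g. "[not set]") is never treated as consistent.
        "consistent": bool(parent) and parent == child,
    }

if __name__ == "__main__":
    result = compare_delegation(PARENT_OUTPUT, CHILD_OUTPUT, "kettle.org")
    print("consistent:", result["consistent"])
    print("only at registry:", sorted(result["only_parent"]))
    print("only in zone:", sorted(result["only_child"]))
```

To check your own domain, feed it the output of the same two `dig -t NS` queries shown in the post, one against a TLD server and one against a delegated nameserver.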


#2

If you’d like to open a support ticket we’d be happy to investigate your issue. Please include the domains impacted, the account you registered the domains with Cloudflare for managing that domain and any email messages you may have received from us regarding the domain’s status.


#3

I’m curious about Issue #1, no name servers listed. Isn’t that something that was taken up with your registrar? When I point name servers away from Cloudflare, it seems to take several days (or more than a week) before Cloudflare finally drops my domain.


#4

I can’t speak to this specific case, but generally there are several checks made before our system designates a zone for removal from the network. Typically this type of occurrence is related to some sort of renewal lapse or error on the registrar side, but I can’t say for sure. Looking forward to some more info from @GWhiz so we can investigate this instance.


#5

I have the same issue and Cloudflare doesn't help me.

Did @GWhiz get any help or find a way to find the host IP?


#6

Can you elaborate a little on your situation?


#7

@ryan

The site http://sigbritt.se/ is cloned to http://www.reach.qualityhealthcare.in, but with abuse text and ads inserted that harm companies.

All WHOIS / DNS IPs for the cloned site go to Cloudflare.

I reported it to Cloudflare.
After 2 weeks of waiting, I got this answer from Cloudflare.

“Cloudflare is a network provider, and does not host websites or content. We have no alternative information to provide for the hosting provider indicated, as the information is sourced from a WHOIS lookup of the IP address against the public WHOIS database.”

I also got a Gmail address that didn't work. That should go to the host provider.

Cloudflare only replies to 20% of emails sent to them, and they also don't pass along the real IP or help at any point.
To me it looks like Cloudflare is protecting criminals. Cloudflare makes it possible for criminals to be anonymous and protect their illegal behaviour.

GoDaddy is the registrar of the domain, and GoDaddy points out that Cloudflare is the hosting company for the site http://www.reach.qualityhealthcare.in, so it is up to Cloudflare to take action on the site.