Cloudflare DNS pointed to a scam domain before configuration

Hi - I bought a domain in the morning yesterday, and it was pointed to the previous Cloudflare NS I used (jasper/jade) automatically, before I configured it this morning to the correct nameservers

Somehow, it was assigned a DNS record that took it to some hosting provider that served a PHP file, which then redirected to a scam (assuming) site, https://bestbonus-zone.life/

My question is, how can this happen without any intervention? Does someone have a script to grab any new non-configured domains when they point to Cloudflare without an associated account? It’s extremely weird to see a brand new site just hijacked, so I want to know why it happened and who to raise the issue to.

We see similar reports from customers where the domain used an ssl for saas provider like shopify. That does not appear to be the case here, however.

Are you in contact with the person from whom you purchased the domain? It looks like they did not remove it from their site until it was automatically removed by you changing the nameservers. They can confirm this with you.

The domain was never previously registered. I verified this by looking at whois history. The domain was purchased, and the first ever A/AAAA any DNS record was hijacked immediately after the point of purchase. The seller was Porkbun, so at least somewhat reputable.

1 Like

Thank you, I want to ensure I understand the events properly.

First, can you share the name of the domain?

Next, I do not think I understand this line

You purchased a new domain and the nameservers were set to (jasper/jade) or you set them to (jasper/jade) first and then set them to some other namerservers?

I purchased the domain (BORI.DOG) on Sunday morning, and porkbun immediately assigned the jade/jasper NS because it is what my other domains purchased from them use. I don’t know the process but that is what they were set to when I checked this morning.
I went to configure the domain on Monday (today) and the domain had a full list of DNS records set, and hosting assigned, which redirected to the scam site.
I finished configuring my Cloudflare account to use that domain (and I changed the nameservers to the new ones that Cloudflare gave me during config), once the proxied DNS results were updated, the site loaded to my hosting.

1 Like

I am going to phone a friend that I know has used porkbun @sdayman. It seems odd a domain registrar would sell domains defaulting to cf nameservers if they are not Cloudflare registrar. @sdayman does that sound like porkbun standard operating procedures based on your experience?

:thinking: I do not see any other domains in your account that use the jade/jasper nameservers. Can you share a name of another domain in your account using that combo?

On first guess I suspect there are two different Cloudflare accounts in the mix given the two different sets of nameservers.

I have one Cloudflare account. The account is not compromised and uses 2FA.
My hosting is not compromised, nor is my porkbun account.
I hope is it abundantly clear that something hijacked this site to serve the php file that redirected to that other page. I did not touch a single thing from the purchase of the domain name until this morning.

Another porkbun-purchased domain is funnyvirus.cool. This is associated with jade.ns.cloudflare.com and jasper.ns.cloudflare.com

Configuration of bori.dog told me to use cody.ns.cloudflare.com and lily.ns.cloudflare.com.
I can’t explain it any other way, but when I clicked on the bori.dog domain this morning in my porkbun dashboard, it was set to jade/jasper.

1 Like

Thank you, looking further I do see the two sets of ns in use in your account.

Hoping to figure that out, but let’s get Support eyes on this too for some extra help, can you open a ticket via email to If you are a Cloudflare account holder, please submit a new support request from the email address you used to register your Cloudflare account. You should open a ticket directly through the Cloudflare dashboard following these steps: 1. Log in to your Cloudflare account and click on “Support” in the top right corner, from the drop down select Help Center. 2. Click on your name in the top right corner, and in the drop down menu select “My activities” where you will see your existing requests. 3. Scroll to the bottom of the “My Requests” page and click “Submit a request”., you will get an auto reply, respond to that with a link to this thread, Cloudflare DNS pointed to a scam domain before configuration and share your ticket number here so I can track it?

Yes, and there are some threads on this site talking about hijacking domains that use cf nameservers without the zone on Cloudflare being prone to being hijacked. I do know if that is what is happening here but agree it seems odd and why I want to get some Support eyes on it.

Understood, I do not see history of the change from jade/jasper to cody/lilly in the publicly available history, just first occurrence of cody/lilly showing up today, https://securitytrails.com/domain/bori.dog/history/ns.

Thanks cloonan, the ticket ID is [2453588] I was unable to make a “technical” ticket so this is an account ticket.

The good news it the hijack was easily reversed and the domains are in my control now, but it would be nice to prevent this kind of issue in the future. I’ll be glad to provide more information if needed.

1 Like

I think the issue here is that it sounds like the nameservers were set to point to Cloudflare before you added the domain to your account here.

This is not a good idea because you are pointing the nameservers to a service that you don’t yet control. Cloudflare has over 2,500 nameserver combinations but there are a lot more than 2,500 accounts. The nameserver pair you are changing to won’t be unique to you. This is why nameservers are domain specific, not account level. When you add a domain, by default you will use the same pair of nameservers as the rest of your domains, however if the domain has already been added to another accout with the same pair, you will be given different ones to point to. This ensures that the domain is always under the control of the rightful owner, but only works if you follow the correct process to add the site in your dashboard and then change the nameservers to the pair requested.

I have seen similar things reported quite a few times before and it usually turns out that the steps were done out of order - the domain needs to be added before you are given the nameserver pair to change to.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.