Cloudflare for SaaS corrupted our domain

Hi - We’ve had continued issues with one of our domains ever since we connected render.com. From my understanding render.com uses “Cloudflare for SaaS” which allows them to take control over our Cloudflare domain settings like DNS records and/or SSL certificates in nondescript ways.

The problem for us is that Cloudflare for SaaS, or at least the provider, has been able to “corrupt” our domain without any way to revert.

After connection we instantly saw various parts of our domain and subdomains with various SSL, 404 and 1001 errors. We’ve seen similar fetch request errors in connected Workers and 404 issues with a connected Shopify site.

This may sound a little vague but without any messaging about what “Cloudflare for SaaS” is overriding in our account we are struggling to understand what is occurring internally to help us solve this.

So for us to regain control of our domain, I have these questions:

  1. How can we identify that “Cloudflare for SaaS” is overriding our account and what it’s actually doing?

  2. How can we disconnect “Cloudflare for SaaS” from our Cloudflare domain? (We’ve tried removing DNS records and even tried deleting the domain in Cloudflare and setting it up again.)

On a side note - this somewhat feels specific to our domain but we’ve been waiting over 2 weeks for emailed support help on our PRO domains - is this normal? Hoping these public forums can help shed some light - thanks!

1 Like

I still don’t have answers to my questions unfortunately.

Saying this, we’ve been able to regain control in our Cloudflare’s admin by disconnecting render.com from their end. I’d like to think Cloudflare could be the point of truth of the domain (in case we lose access or support from these providers) but “Cloudflare for SaaS” challenges my notion on this - I’d still love to know more to regain confidence.

If I had to sum it up, I’m guessing that setting up a wildcard DNS entry with render.com seems to have given control of our whole domain over to render.com, even when the DNS spec states that a wildcard DNS record should act as a fallback to defined records. It even wiped our other “Cloudflare for SaaS” connected Shopify record. This post also touches on this: “Render unauthorizedly overwrote the DNS zones on Cloudflare - #15 by michael”

The issue here is due to the Certificate and Hostname Priority within Cloudflare.

Once you authorise a SaaS provider to control a hostname you as a user have limited ways to undo that authorisation. The SaaS provider should release the hostname once you remove your hostname from their setup, as Render did for you. You could probably load a Custom Certificate if you have that option on your plan, and I suspect that would take control back into your account, but it is not something I have tested.

It is something that has been discussed several times, and I personally think there should be an indication in your Dashboard to show the SaaS controlled hostname, with the option to release the SaaS provider. I think I have heard mention that something along those lines is in development, but I cannot find the reference.

1 Like

It is refreshing to hear something related to our situation, Michael - thanks for this and the link, which is filling in some more gaps in my lack of understanding. Glad to hear Cloudflare are aware and looking into solutions, even if it’s communicating this through the dashboard for starters.

That is just my thinking. What Cloudflare are planning (if anything) may be different.