Cloudflare Pages, how is ownership of custom domain verified?

I have created a Cloudflare Pages project. and I entered that I have a custom domain that I would like to use for it. I understand that Cloudflare creates some certificate that covers my custom domain (either a universal or a dedicated one), but how does it verify that I am indeed the owner of this domain?
Or is there no need to check. since perhaps its assumed that I am the only one who can configure the nameservers at my Registrar’s portal?

If the zone is added to your Cloudflare account and the pages projects are on the same Cloudflare account, the fact you can add the records is enough proof for Cloudflare to issue the certificate (Especially if you have 2FA enabled)

when i created the Cloudflare pages, I provided a custom domain name that I bought at another registrar, and it worked. I could have typed any domain there.

If that works, but the issue is Cloudflare won’t issue the certificate until the DNS record has been added (which you could only do if you controlled the domain)

I removed all DNS records from my registrar’s portal, and I added DNS records in cloudflare. The only thing that could tell Cloudflare that the domain is mine, is that in my registrar’s portal I configured Cloudflare’s nameservers to be used. But I’m not sure that’s how it works. After all. there are probably other people that own different domains that also use cloudflare’s DNS (and therefor have the same configuration with their registrar as me)

Hi @jvanloofsvelt,

Changing the nameservers to the ones given by Cloudflare does confirm the ownership of the domain.

The pair of nameservers you are given tell Cloudflare that you own the domain.

With all these combinations, it’s unlikely that anyone adding the same domain would be given the same pair as you, and there are measures in place to prevent this, even if it were theoretically possible.

2 Likes

Thanks for clarifying, that makes sense. So theoretically, if i create 2550 cloudflare accounts, I could hijack a domain? Or if I try to use 2550 domains, one will work?

Please, do read the full linked post. It explains it all.

1 Like

Umm… I would think that other protections may kick in, in that scenario :grinning_face_with_smiling_eyes:

That wouldn’t work, you should always be assigned a different pair if you add the same domain as another account, even if your accounts usually name the same nameservers.

Full details here:

4 Likes

Thanks everyone :slight_smile:

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.