CloudFlare pulled some non-existent weird A-records from DNS

Hi,

upon setting up new testing site, I started CloudFlare add new site wizard, it started queriying for existing DNS zone A-records…
and found hundreds of not random, but meaningfull A-records, which do not exist in any of current DNS zones, like you see here. I changed real domain name with “domain.com” and real public web server IP with “123.456.789.10”. Here’s just part of those, but you get the point:

...
files.domain.com.	1	IN	A	123.456.789.10
forum.domain.com.	1	IN	A	123.456.789.10
fr.domain.com.		1	IN	A	123.456.789.10
ftp.domain.com.		1	IN	A	195.246.15.125
game.domain.com.	1	IN	A	123.456.789.10
git.domain.com.		1	IN	A	123.456.789.10
gitlab.domain.com.	1	IN	A	123.456.789.10
go.domain.com.		1	IN	A	123.456.789.10
help.domain.com.	1	IN	A	123.456.789.10
home.domain.com.	1	IN	A	123.456.789.10
host.domain.com.	1	IN	A	123.456.789.10
i.domain.com.		1	IN	A	123.456.789.10
icontrol.domain.com.	1	IN	A	123.456.789.10
id.domain.com.		1	IN	A	123.456.789.10
images.domain.com.	1	IN	A	123.456.789.10
imap.domain.com.	1	IN	A	123.456.789.10
img.domain.com.		1	IN	A	123.456.789.10
in.domain.com.		1	IN	A	123.456.789.10
info.domain.com.	1	IN	A	123.456.789.10
intranet.domain.com.	1	IN	A	123.456.789.10
ipv4.domain.com.	1	IN	A	123.456.789.10
it.domain.com.		1	IN	A	123.456.789.10
jenkins.domain.com.	1	IN	A	123.456.789.10
jira.domain.com.	1	IN	A	123.456.789.10
jobs.domain.com.	1	IN	A	123.456.789.10
l.domain.com.		1	IN	A	123.456.789.10
live.domain.com.	1	IN	A	123.456.789.10
local.domain.com.	1	IN	A	123.456.789.10
localhost.domain.com.	1	IN	A	123.456.789.10
login.domain.com.	1	IN	A	123.456.789.10
...etc

I own those DNS servers, all are MS DNS servers and I examined DNS servers and DNS zone files - there’s nothing like any of those records in any of 3 DNS servers! Nothing, it’s plain simple domain with A-record for domain, additinoan A-record for www and…yes and WILDCARD record for *.domain.com, all those pointing to “123.456.789.10”.

Where did CloudFlare pull those records from?
This looks to me like hacking or phishing attack on domain, but how can I tell?
Ideas welcome.

1 Like

Cloudflare scans for the most common ~= 2k domain names while performing an import unless you’re using the command line to create a zone and skip the quick start option.

Hmmm…which means, WILDCARD *.domain.com A-record is the cause of all that? I makes it all logical from that point of view, I did not think of it.
Thank you, @cs-cf

BTW…any idea how to quickly delete all those in one go?

EDIT: Nevermind regarding quick delete - I simply removed wildcard *.domain.com record from original DNS, removed domain from CF, and re-added it. :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.