Hi,
Upon setting up a new testing site, I started the Cloudflare "add new site" wizard, and it started querying for existing DNS zone A-records…
…and found hundreds of non-random, meaningful A-records, which do not exist in any of the current DNS zones, as you see here. I replaced the real domain name with “domain.com” and the real public web server IP with “123.456.789.10”. Here’s just part of those, but you get the point:
...
files.domain.com. 1 IN A 123.456.789.10
forum.domain.com. 1 IN A 123.456.789.10
fr.domain.com. 1 IN A 123.456.789.10
ftp.domain.com. 1 IN A 195.246.15.125
game.domain.com. 1 IN A 123.456.789.10
git.domain.com. 1 IN A 123.456.789.10
gitlab.domain.com. 1 IN A 123.456.789.10
go.domain.com. 1 IN A 123.456.789.10
help.domain.com. 1 IN A 123.456.789.10
home.domain.com. 1 IN A 123.456.789.10
host.domain.com. 1 IN A 123.456.789.10
i.domain.com. 1 IN A 123.456.789.10
icontrol.domain.com. 1 IN A 123.456.789.10
id.domain.com. 1 IN A 123.456.789.10
images.domain.com. 1 IN A 123.456.789.10
imap.domain.com. 1 IN A 123.456.789.10
img.domain.com. 1 IN A 123.456.789.10
in.domain.com. 1 IN A 123.456.789.10
info.domain.com. 1 IN A 123.456.789.10
intranet.domain.com. 1 IN A 123.456.789.10
ipv4.domain.com. 1 IN A 123.456.789.10
it.domain.com. 1 IN A 123.456.789.10
jenkins.domain.com. 1 IN A 123.456.789.10
jira.domain.com. 1 IN A 123.456.789.10
jobs.domain.com. 1 IN A 123.456.789.10
l.domain.com. 1 IN A 123.456.789.10
live.domain.com. 1 IN A 123.456.789.10
local.domain.com. 1 IN A 123.456.789.10
localhost.domain.com. 1 IN A 123.456.789.10
login.domain.com. 1 IN A 123.456.789.10
...etc
I own those DNS servers, all are MS DNS servers, and I examined the DNS servers and DNS zone files: there’s nothing like any of those records on any of the 3 DNS servers! Nothing; it’s a plain, simple domain with an A-record for the domain, an additional A-record for www and… yes, a WILDCARD record for *.domain.com, all pointing to “123.456.789.10”.
Where did Cloudflare pull those records from?
This looks to me like a hacking or phishing attack on the domain, but how can I tell?
Ideas welcome.
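An added check (my own example, not from the original post) for separating records the wildcard synthesises from ones that need explaining: resolve a few random labels to confirm the wildcard, then compare what the wizard reported with what the zone answers now. `DISCOVERED` and `ZONE` are constructed stand-ins built from the post's placeholder values; `zone_resolver`, `detect_wildcard` and `triage` are names I chose, and `system_resolve` can be passed in place of the offline resolver to run the same triage against real DNS.

```python
import secrets
import socket

# Constructed sample, using the post's placeholder values: a subset of the
# A-records the Cloudflare wizard reported.
DISCOVERED = {"files.domain.com": "123.456.789.10", "ftp.domain.com": "195.246.15.125",
              "jenkins.domain.com": "123.456.789.10", "login.domain.com": "123.456.789.10"}
# Constructed stand-in for the authoritative zone as the post describes it:
# apex, www and a wildcard, nothing else.
ZONE = {"domain.com": "123.456.789.10", "www.domain.com": "123.456.789.10",
        "*.domain.com": "123.456.789.10"}

def zone_resolver(zone):
    """Offline resolver over a zone dict; simplified wildcard rule: exact name, else '*.parent'."""
    def resolve(name):
        if name in zone:
            return zone[name]
        return zone.get("*." + name.split(".", 1)[1]) if "." in name else None
    return resolve

def system_resolve(name):
    """Live lookup through the OS resolver, to run the same triage against real DNS."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def detect_wildcard(resolve, domain, probes=3):
    """Resolve random labels nobody would register; one consistent answer means a wildcard."""
    answers = {resolve(f"{secrets.token_hex(8)}.{domain}") for _ in range(probes)}
    return answers.pop() if len(answers) == 1 and None not in answers else None

def triage(discovered, resolve, domain):
    """Tag each reported record: 'wildcard' (synthesised by *.domain), 'explicit'
    (a real record to account for in the zone) or 'changed' (zone answers differently now)."""
    wildcard_ip = detect_wildcard(resolve, domain)
    report = {}
    for name, reported_ip in discovered.items():
        live_ip = resolve(name)
        if live_ip != reported_ip:
            report[name] = "changed"
        elif wildcard_ip is not None and reported_ip == wildcard_ip:
            report[name] = "wildcard"
        else:
            report[name] = "explicit"
    return wildcard_ip, report
```

In the sample, every record except ftp comes back tagged wildcard; ftp is tagged changed because the zone now answers the wildcard address rather than the address the wizard reported, so it is the one record worth accounting for in the zone files.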