DNS hijack on domains that never complete setup on Cloudflare

I had some domains DNS hijacked through Cloudflare. I pointed the nameservers at Cloudflare from the domain registrar, but never completed the setup on Cloudflare. I assumed they were essentially “parked” since no DNS records were set up. However, since the only owner verification is switching the nameservers to Cloudflare’s, someone else added my domains to their account and pointed them to websites with pirated content.

I understand this is user error. I should not have pointed the domains to Cloudflare without completing the setup (adding the domain to my Cloudflare account). As these existing articles state, it is the fault of the user, not Cloudflare:

But wouldn’t a simple check on whether the existing nameservers are already configured to Cloudflare during the adding of a domain in Cloudflare solve this issue? I understand this check is already done if the domain belongs to an existing Cloudflare account and there is an attempt to add the domain on another account, “The domain receives a pair of nameservers. This pair by default is the one of the account owner, but if the pair is the same as the account where the domain had been already added this pair is switched.” So, the nameserver pair is switched to a different pair to show ownership, and upon verifying the nameserver change the second Cloudflare account is essentially taking over control of the domain from the existing Cloudflare account.

Why not extend this check to domains that have not previously been added to a Cloudflare account? E.g., example .com has its nameservers set to ns1/ns2. example .com has never been added to a Cloudflare account. A hijacker attempts to add example .com, Cloudflare finds the nameservers are already pointing to ns1/ns2 at Cloudflare. Cloudflare then requests a new pair of nameservers be entered to verify ownership. Hijacker cannot prove ownership and the site cannot be added to the hijacker’s Cloudflare account.

The one downside I see in this is when a user who is adding a new domain preemptively adds Cloudflare nameservers during domain registration. If the nameserver propagates before the user adds it to their Cloudflare account, then they will have to reenter the new pair of nameservers back at the registrar. But this is a minor inconvenience and worth it, in my opinion, compared to who knows how many domains are currently hijacked with this user error.

What do you think?

I think the most secure way to have your domain in Cloudflare is to use Cloudflare Registrar.
If your TLD is supported by us, we can offer Custom Domain Protection to mitigate domain hijacking risk. (only available to customers with a Cloudflare Enterprise plan)

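A defender-side audit for the situation described in the first post, as an added example that is not part of either post: it compares the nameservers set at the registrar with the zones actually present in your own Cloudflare account and flags domains that are delegated to Cloudflare without a matching zone. The function name, finding labels and all sample data (domains and nameserver hostnames) are constructed for illustration; in practice the two inputs would come from a registrar export and your account's zone list.

```python
CF_SUFFIX = ".ns.cloudflare.com"  # hostname suffix of Cloudflare's authoritative nameservers


def normalize(host):
    """Lower-case a hostname and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()


def audit_delegations(registrar_ns, account_zones):
    """Flag domains whose registrar delegation points at Cloudflare unsafely.

    registrar_ns:  {domain: [NS hostnames configured at the registrar]}
    account_zones: {domain: [NS pair assigned to that zone in YOUR account]}
    Returns {domain: "dangling" | "mismatch"} for domains needing attention.
    """
    zones = {normalize(d): {normalize(n) for n in ns} for d, ns in account_zones.items()}
    findings = {}
    for domain, ns_list in registrar_ns.items():
        delegated = {normalize(n) for n in ns_list}
        if not any(n.endswith(CF_SUFFIX) for n in delegated):
            continue  # not delegated to Cloudflare, outside this check
        assigned = zones.get(normalize(domain))
        if assigned is None:
            # Delegated to Cloudflare but never added to your account:
            # the state the post describes, claimable by another account.
            findings[domain] = "dangling"
        elif assigned != delegated:
            # Registrar points at a pair your account did not assign, so the
            # zone answering queries may belong to a different account.
            findings[domain] = "mismatch"
    return findings


# Constructed sample inventory (not real data).
SAMPLE_REGISTRAR_NS = {
    "example.com": ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."],
    "example.net": ["ADA.ns.cloudflare.com", "bob.ns.cloudflare.com"],
    "example.org": ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"],
    "example.edu": ["ns1.registrar.example", "ns2.registrar.example"],
}
SAMPLE_ACCOUNT_ZONES = {
    "example.net": ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"],
    "example.org": ["cat.ns.cloudflare.com", "dan.ns.cloudflare.com"],
}

if __name__ == "__main__":
    for name, finding in audit_delegations(SAMPLE_REGISTRAR_NS, SAMPLE_ACCOUNT_ZONES).items():
        print(f"{name}: {finding}")
```

A "dangling" finding is resolved by either adding the domain to your account or pointing the registrar's nameservers elsewhere.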