DNS NS records changed to Cloudflare without knowledge

I have come here having had a customer of mine have issues with their systems. There were odd communication issues between old clients and servers; I dug around and found Cloudflare certificates, “wrong” IP addresses, and that the NS records for the domain had changed to Cloudflare, which then of course was caching the servers and pointing other DNS entries through itself when they needed to go directly. The original DNS zones were still in place and correct but of course were then ignored.

Anyway, point of question. How? The UK domain registrar had not been logged into (having checked the audit logs), but the NS had been changed to Cloudflare on 25/26 Feb.

I logged a ticket with Cloudflare but was told they were unable to help, it seems, as the domain wasn’t in the account I had just set up. If we knew what account might be including it we would already know!

So… can anyone here advise how that happened? Does Cloudflare have the ability to change NS records for domains (in this case a .COM, .CO.UK, and .NET), and how can I find out how – e.g. has someone such as a website provider of theirs in the UK set up a Cloudflare account and thought it a good idea to run their website through that?

I’m happy to share the domain name if needed but think best not to post it openly.

thanks!

Steve

Welcome to the Cloudflare Community.

I am sorry to hear about your mystery migration.

Cloudflare cannot update the DNS at your registrar. It would have to be done by someone with access to the registrar, which could include API access. It is unlikely that you will find any clues on the Cloudflare side. Your best chance for results will be through inquiry at the registrar.

Thank you for confirming. I wasn’t sure if there was some trust relationship between Cloudflare and registrars that allowed a shortcut. I am waiting for info back from the registrar. The auditing showed no logins to their console for the company, so I hope they can see more too. The company’s domains were not locked (but are now…). It was more that the NS records had just been changed. The DNS at the registrar remained the same, but users now resolved using Cloudflare’s cached copy of the zone.

Where do you see this? I looked at the closed ticket with Support and the domain you shared there, and I do not see anything publicly available indicating a change: www.whatsmydns.net/ & https://securitytrails.com/, dig, whois. Only your registrar can change the nameservers. Did the domain recently expire (and perhaps get renewed by someone else)? But once you hear from the registrar, let us know.


Thanks. The world in general thought the NS records had changed from ns* domaincontrol com to clayton ns Cloudflare com and vivienne ns Cloudflare com (full names get blocked sending this). Those were resolving and serving up the websites from that domain via Cloudflare addresses, with a Cloudflare SSL cert, and then accessing the real site as you would expect from the Cloudflare proxy/caching.

The registrar denies that this is possible, and there have been no logins to the domain control panel for a long time. The domains were not (are not) expired, are still owned by the registrar, and the Whois is correct.

I would think it some kind of hacking attempt were it not for just being pointed at Cloudflare, AND the fact that Cloudflare served up the pages as cached, so surely someone must have created an account for it?

Steve

At 3am Sat 26/2 the records were changed (compared with 25/2):

WWW: from 5.77.50.121 to reporting [None] - it was probably a CNAME to the root of the domain?

NS: from ns01 domaincontrol com, ns02 domaincontrol com
to clayton ns Cloudflare com, vivienne ns Cloudflare com

Doing a DNS lookup against the two Cloudflare DNS servers above returns normal DNS entries from the UK, so I can only imagine somebody set up an account on Cloudflare for the domains and that somehow updated DNS, possibly as a test or trial account?

Why, who knows!

The DNS is all correct now, so any checks will of course show up right too. But certainly Sat, Sun, Mon it was Cloudflare!
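A defender’s check for exactly this kind of silent delegation change, written as an added example (not code from the thread or from Cloudflare): it compares the NS set the parent zone delegates to against the NS set the zone itself still publishes, both measured against a known-good baseline, so a change at the registrar shows up even while the old servers keep serving the original zone. The sample sets are constructed from the names in the thread; in practice they would come from a query to the TLD servers and a query to the original nameservers, and the domain name itself is left out as a placeholder.

```python
"""Detect an unexpected change of nameserver delegation (offline demo)."""
from __future__ import annotations

# Constructed sample data, modelled on the thread: the parent (TLD) delegation
# now points at Cloudflare while the registrar-hosted zone still carries the
# original nameservers. The real domain is not named here.
EXPECTED_NS = {"ns01.domaincontrol.com", "ns02.domaincontrol.com"}
PARENT_DELEGATION = {"clayton.ns.cloudflare.com.", "Vivienne.NS.Cloudflare.com."}
ZONE_APEX_NS = {"ns01.domaincontrol.com.", "ns02.domaincontrol.com."}


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot so NS names compare reliably."""
    return name.rstrip(".").lower()


def provider_of(ns: str) -> str:
    """Approximate the DNS provider by the last two labels (e.g. cloudflare.com).
    Sufficient for the NS naming schemes that appear in the thread."""
    return ".".join(normalize(ns).split(".")[-2:])


def check_delegation(expected: set[str], parent_ns: set[str], apex_ns: set[str]) -> list[str]:
    """Compare the delegation seen at the parent zone and the NS set inside the
    zone itself against a known-good baseline; return human-readable findings."""
    baseline = {normalize(n) for n in expected}
    parent = {normalize(n) for n in parent_ns}
    apex = {normalize(n) for n in apex_ns}
    findings: list[str] = []
    for vantage, names in (("parent delegation", parent), ("zone apex", apex)):
        unexpected = names - baseline
        if unexpected:
            findings.append(f"{vantage}: unexpected NS {sorted(unexpected)}")
        new_providers = {provider_of(n) for n in unexpected} - {provider_of(n) for n in baseline}
        if new_providers:
            findings.append(f"{vantage}: moved to provider {sorted(new_providers)}")
    if parent != apex:
        # Resolvers follow the parent; a zone still served by the old servers is ignored.
        findings.append("parent delegation and zone apex NS sets disagree")
    return findings


if __name__ == "__main__":
    for line in check_delegation(EXPECTED_NS, PARENT_DELEGATION, ZONE_APEX_NS):
        print("ALERT:", line)
```

Run it on a schedule from a monitoring host and alert on any non-empty result; a registrar lock plus the registrar’s audit log remain the place to establish who made the change.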
