DNS records (other than @ and www) are not protected! Cloudflare, are you there? :)


#1

There is a basic assumption that once DNS records are put behind Cloudflare, those records/IPs are protected and no one can see them.

In fact, those are not protected at all. It is extremely easy to add someone else’s domain and voila, all DNS records will appear. Even those with Cloudflare status activated, because the web script gets the info from the database directly.

There is no verification of the domain once it is typed a second time, etc.

Neat ?
Cloudflare, I expect a discount. Lol.


#2

“It is extremely easy to add someone else’s domain and voila, all DNS records will appear.”

Yes, that means the true IPs as well.


#3

Can you provide steps to reproduce?

I just attempted this with two domains on my account and no origin IP addresses were exposed, nor were gray-clouded records not in the list of common hosts we would scan from any DNS server.


#4

@cscharff I was able to do this (I think) with cnn.com and xyz.com (just the 2 domains I tried). Just add the site and let the scan complete and you will see a lot of info. Not sure if these are origin IPs, but I can see all of cnn’s subdomains and CNAMEs…


#5

Surely those are origin IPs. :slight_smile:

And again, the origin IP for @ and www cannot be “seen”, but anything else, for sure :slight_smile:


#6

For instance, if you have any cpanel.{domain} or api.{domain} and so on:

  1. DNS records become visible.
  2. Origin IPs become visible.


#7

access.cnn.com points to 64.20.247.69 (TTL: Automatic)

But the actual hack is even beyond this.


#8

Ah, but CNN does not use the Cloudflare network.
Give me one domain with “secret” subdomains using Cloudflare and I will give you back all those subdomains and origin IPs.


#9

Yeah, I tried hitting some of the CNN IPs to no avail. I’m guessing they are behind load balancers or something :man_shrugging:


#10

So, one issue is the fact that it shows internal subdomains.

However, the second issue is that if one person follows a lot of domains hosted at Cloudflare and waits for those domains to be deleted, then that person can add those domains to their account (of course, there is some work to be done to match the same two DNS servers, which will require opening more accounts at Cloudflare in order to get different/random DNS servers).

From an SEO perspective, this bug is a GOLD MINE.


#11

I’m confused.

Cloudflare masks origin IPs. If the nameserver of the domain is set to Cloudflare, and the zone is protected by Cloudflare, the origin IP of that zone is not given out during a dig or nslookup.

So what’s the issue?


#12

OK, let’s try with mine. Add webveteran.com to your account and tell me the origin IPs for the records “cdn” and “media”. They are orange-clouded in my account.


#13

This is being looked at but I may not have a response to share until after the weekend. Stay tuned.


#14

When you add a site to Cloudflare, we scan for DNS records for that domain. This is what is presented to you on the dashboard as Step 2 - Verify DNS records. These records are built from public records for the domain; this means when you scan a website that isn’t on Cloudflare you are seeing public-facing DNS records. Yes, that may mean origin server IPs are shown, but remember these sites aren’t on Cloudflare. When you add a site to Cloudflare that is already using Cloudflare, only common public-facing DNS records will be imported. This DOES NOT include orange-clouded records. Thus orange-clouded DNS record values are not exposed.

If you still believe you have found some kind of legitimate security-related issue we encourage you to file a complete and reproducible report for our security team via our responsible disclosure program here: https://hackerone.com/cloudflare
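
The mechanism described in the post above (a scan of common hostnames against public DNS, where proxied records answer with a Cloudflare edge address and grey-clouded ones answer with the origin) can be checked independently of the Cloudflare dashboard. The following is an added example, not Cloudflare’s own import code: it resolves a list of common hostnames and classifies each answer as “proxied” or “origin” by testing it against Cloudflare’s published IPv4 edge prefixes. The prefix list is a snapshot of https://www.cloudflare.com/ips-v4 and is an assumption that must be refreshed before use; the `COMMON_HOSTS` wordlist is hypothetical, not Cloudflare’s actual list; and the `SAMPLE_ANSWERS` zone is constructed so the script runs offline.

```python
"""Classify public DNS answers as Cloudflare-proxied (orange cloud) or exposed origin.

Added example; not Cloudflare's scanner. See the lead-in for what is assumed.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# ASSUMPTION: snapshot of Cloudflare's published IPv4 edge prefixes
# (https://www.cloudflare.com/ips-v4). The list changes; refresh it before use.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(p) for p in CLOUDFLARE_IPV4]

# HYPOTHETICAL wordlist standing in for the "common hosts" a dashboard import
# scan would try. "@" means the zone apex.
COMMON_HOSTS = ["@", "www", "mail", "ftp", "api", "cpanel", "cdn", "media", "access"]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside a Cloudflare edge prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _CF_NETS)


def classify(ip: str) -> str:
    """An orange-clouded record answers with an edge address; anything else is the origin."""
    return "proxied" if is_cloudflare_ip(ip) else "origin"


def scan_common_hosts(
    domain: str,
    resolve: Callable[[str], Optional[str]],
    hosts: Iterable[str] = COMMON_HOSTS,
) -> Dict[str, Tuple[str, str]]:
    """Resolve each common hostname under `domain`.

    Returns {fqdn: (ip, "proxied" | "origin")} for names that exist. Names that
    do not resolve (resolver returns None) are skipped, which is exactly what a
    public-DNS scan can and cannot see: it only finds names on its wordlist.
    """
    findings: Dict[str, Tuple[str, str]] = {}
    for label in hosts:
        fqdn = domain if label == "@" else f"{label}.{domain}"
        ip = resolve(fqdn)
        if ip is None:
            continue
        findings[fqdn] = (ip, classify(ip))
    return findings


def exposed_origins(findings: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names whose public answer is not a Cloudflare edge, i.e. a visible origin."""
    return sorted(name for name, (_, kind) in findings.items() if kind == "origin")


def live_resolve(name: str) -> Optional[str]:
    """Real resolver using the system stub; returns None for NXDOMAIN and the like."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# CONSTRUCTED sample zone (not real data): what a public resolver would answer
# for a domain where @, www and cdn are orange-clouded and cpanel/api are grey.
SAMPLE_ANSWERS = {
    "example.com": "104.16.1.1",           # proxied: Cloudflare edge (104.16.0.0/13)
    "www.example.com": "104.16.1.1",       # proxied
    "cdn.example.com": "172.64.5.5",       # proxied: Cloudflare edge (172.64.0.0/13)
    "cpanel.example.com": "203.0.113.10",  # grey-clouded: origin is public
    "api.example.com": "203.0.113.11",     # grey-clouded: origin is public
}


def sample_resolve(name: str) -> Optional[str]:
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    findings = scan_common_hosts("example.com", sample_resolve)
    for fqdn, (ip, kind) in findings.items():
        print(f"{fqdn:22} {ip:16} {kind}")
    print("exposed origins:", exposed_origins(findings))
```

Swap `sample_resolve` for `live_resolve` to run it against a real zone. The result matches the thread’s observation: proxied names (including @ and www when orange-clouded) only ever answer with an edge prefix, so no dashboard import can reveal their origin, while a grey-clouded `cpanel` or `api` record is already public in DNS and is “exposed” by any resolver, with or without Cloudflare.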


#15

Thanks for the explanation!


#16


#17

@xaq, * is never protected so that doesn’t count. What about zones “cdn” and “media”?


#18

I’m not a security expert, but this info should not be leaked AFAIK. Since CF assigns DNS servers randomly, someone may get more by brute-forcing until they get the right DNS servers.


#19

A domain with no wildcard zone names should have no exposed IPs. Try gravitywebworks.com


#20

google-site-verification=xxxxx

(value replaced by me)