Domain Hijacked from CF Account

I have reported this to Support (1457273), but the response was not very helpful, nor is the matter being taken seriously! I have now been waiting 4 days for a response, hence resorting to the community!

One of our domains disappeared from our account and was pointing to a different server. My initial thought was that the domain had been hijacked at the domain level, but this was not the case: the domain is still owned by us and pointing to the two NS servers specified by CF.

Now, what seems like a reasonable verification method in my mind might be a huge security flaw!

When you normally add a domain to your account, you simply enter the domain and it copies all existing records; you then change the NS records to point to the specified CF NS servers to confirm you own the domain, and you are done!

Now, is there a security flaw here?

If another customer of CF uses the same CF NS server combination, they can simply take your domain, change the NS records and point it to a different server! Why? Because the verification is complete: the domain already has these NS records!

So how did I get the domain back in my account? Did CF offer any help? No, they did not!

I just added it to my account again and it came back, but it had lost all of its NS records, so I had to recreate them manually!

I would really like to hear from others on whether this is plausible, as I have no other explanation for what happened, and as CF is not taking this seriously I will have no alternative but to move all my personal as well as paid company domains away from CF.

Thanks for your input!

Paul

It’s a very slim chance that someone has the same combination of name servers. Only someone from Cloudflare could definitively answer this question, but I think it’s such an obvious attack vector that they’ve already found a way to prevent it from happening.

I’m curious as to how it was possible that other sites were presented when visiting your URL. What was Support’s response?

Thanks for your reply. Unfortunately, I googled and found several domains with the same combination of name servers, so even though the chance is slim, it is possible.

It sounds like an obvious attack, but that doesn’t rule it out; it may just be something that was not encountered before.

All I got in response was:

You would not be able to control another customer’s domain based on the name server information. The only way a domain can be moved to another account is if they have access to that domain’s registrar/host server.

Which is all I got; no response to my argument that I managed to get the domain back the same way I lost it.

That’s not the way you lost it. Your domain registration expired and failed our check to make sure its nameservers were pointed to Cloudflare. An email warning was sent and the domain was marked as deleted when the situation was not rectified in time. The domain was subsequently renewed at your registrar, but was no longer associated with your account.

I apologize that we did not respond to the request from someone who was not the zone owner at the time they contacted us in the 29 minutes between your initial inquiry and the time you emailed us to report that you had added the domain back to your account.

I’ll provide more detail in your support ticket.


Just out of curiosity, in a situation like this, can a second user who has been coincidentally assigned the same two nameservers add the deleted zone to their account? It could be prevented if they were assigned two different nameservers for that zone. (At increased risk of user confusion.)

The system automatically checks to make sure that an existing domain and name server combination is not re-used if that domain is added to another account.


But is it “existing now”, or “existed recently”, or “existed ever”?

Beyond the last account to successfully validate the NS records for a domain it doesn’t matter from a reuse standpoint.

I can’t speak to the precise timing, but it is intended to allow legitimate ownership transfers.

Thanks, Chris, for responding to my ticket with further information. I can confirm, after looking through the history of the domain, that the registrar did suspend it for a period of time. It still doesn’t explain how the domain was used by someone else and pointed to a different site. I have asked for further clarification in the ticket.

That’s my view as well… but the reading is interesting :wink: Is this a new movie coming out, “The Invisible Name Server of the Dark Web”, just like the Netflix movie “The Invisible Guest”? Check it out.

Wow, that’s a pretty good response. Would the hosting company send a notification of the expiration to the victim as well? Based on the information, the victim should have received a warning from the hosting company as well as from CF, but did the victim’s request or support ticket to CF include information about the expiration status you received after performing the domain check? BASED ON THE THREAD YOU DID. I believe the victim is running a lot of services and needs to delegate some responsibility to someone close to him to avoid similar situations. The reading is interesting and I’m just going by the facts and learning as I go along; if 29 minutes passed, the support ticket will have included the details to aid the victim in resolving the issue sooner, as well as the email from the hosting company, which we don’t know exists, but thanks to his capacity and logic he got the server back up and running. Wow, I’m impressed from the victim’s side; well done… DUM DUM HERE READING AND LEARNING :wink:

First post, love CF. Would appreciate any insight into this issue.

Pretty sure this exact situation just happened to me. Here is what happened:

  • Noticed traffic to my site stopped today.
  • Checked the site and it was loading a completely different site not owned by me (PANIC)
  • Checked domain registration and it was OK.
  • Checked name servers and they pointed to CF
  • Checked application and it was OK (checked direct to herokuapp location)
  • Logged in to Cloudflare and the site was not listed in my settings.
  • Checked the audit log and noticed that the ZONE for my site’s domain had been deleted. There was no login prior to this action, so I assume it was automated.
  • Reviewed the date it was deleted. The domain had expired 7 days prior.
  • Checked email and I had received a message the day it expired from CF saying name servers no longer pointed.
  • However, I re-registered the domain within 10 days and assumed everything was working (didn’t recheck CF, just assumed it was working).

Apparently the site had not been working (since April) and CF had deleted my zone.

1 question and 1 suggestion.

Question: after my zone was deleted, how would someone have routed traffic to a different site? I was able to add my zone back, so I assume the attackers don’t have a CF account with that domain (or it would not have allowed me to add it back). So how does an attacker route traffic based on old name servers pointed to CF when CF does not have a valid zone for the domain?

Suggestion: this is all obviously my fault, but maybe adding a notification email when a zone is automatically deleted would be helpful, in addition to the “name servers no longer pointed” email.

Thanks
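The failure mode both posters hit is the same one Cloudflare's reply describes: the zone is dropped after the registrar-side delegation stops pointing at the assigned nameserver pair, and nobody re-checks after the renewal. The script below is an added example, not code from the thread, from Cloudflare, or from either poster. It performs the delegation check yourself, on your own schedule, using only the Python standard library: it sends a raw DNS NS query, parses the reply (including RFC 1035 compression pointers), and classifies the result so a cron job can alert on NXDOMAIN (a lapsed registration), a resolver error, or a nameserver set that no longer matches the pair in your account. The nameserver names, the resolver address and the two sample replies are assumptions constructed for the demo; replace EXPECTED_NS with the two names your account shows.

```python
# Added example: stand-alone NS delegation check (stdlib only). Not Cloudflare's code.
import random
import socket
import struct

QTYPE_NS, QCLASS_IN = 2, 1
RCODE_NXDOMAIN = 3

# Assumed nameserver pair for the zone; substitute the two names your account shows.
EXPECTED_NS = {"alice.ns.example-dns.net", "bob.ns.example-dns.net"}


def build_ns_query(name: str, txid: int) -> bytes:
    """Build a standard recursive query (RD=1) for the NS records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name (RFC 1035 4.1.4).
    Returns (lower-cased name, offset just past the name in the message)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels).lower(), end
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_ns_response(msg: bytes, txid: int) -> tuple[int, set[str]]:
    """Return (rcode, set of NS names from the answer section)."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    found = set()
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_NS:
            target, _ = read_name(msg, off)
            found.add(target)
        off += rdlen
    return rcode, found


def check_delegation(rcode: int, found: set[str], expected: set[str] = EXPECTED_NS) -> str:
    """Classify the delegation state; anything other than 'ok' deserves an alert."""
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN: no delegation at all (lapsed registration?)"
    if rcode != 0:
        return f"DNS error: rcode={rcode}"
    if not found:
        return "no NS records returned"
    if found == expected:
        return "ok"
    return "delegation changed: " + ", ".join(sorted(found))


def query_ns(name: str, resolver: str = "1.1.1.1", timeout: float = 3.0) -> tuple[int, set[str]]:
    """Live lookup over UDP (needs network); the offline demo below does not use it."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ns_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_ns_response(data, txid)


# Constructed sample replies (txid 0x1234) shaped like a resolver's answers.
_QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
# Healthy: two NS RRs; the second name ends in a pointer (0xC02F) into the first rdata.
HEALTHY_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 3600, 26)
    + b"\x05alice\x02ns\x0bexample-dns\x03net\x00"
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 3600, 6)
    + b"\x03bob\xc0\x2f"
)
# Lapsed registration: rcode 3 (NXDOMAIN), no answer records.
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION


def demo() -> dict[str, str]:
    """Run the check against the two constructed replies."""
    return {
        "healthy": check_delegation(*parse_ns_response(HEALTHY_REPLY, 0x1234)),
        "lapsed": check_delegation(*parse_ns_response(NXDOMAIN_REPLY, 0x1234)),
    }


if __name__ == "__main__":
    print(demo())
```

Run it from cron against `query_ns("yourdomain.example")` and page on anything but "ok"; querying the parent zone's authoritative servers directly instead of a public resolver avoids stale cached NS sets, and a second check that the zone still exists in your account (via the provider's API) catches the case in this thread, where the delegation looks fine after renewal but the zone is already gone.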