Domain takeover

guy3 2019-02-01 10:23:41 UTC #1

Hi There -

Something worrying & odd just happened to one of our domains - The domain was removed from my cloudflare account and the A Records were set to 185.156.43.162 (Warning: NSFW content on that IP!).

The domain is registered on GoDaddy, and had the DNS set to point to gabe. and pat.

Since it was missing from my domains list, I was able to add it as a new domain and immediately update the DNS and MX records back to what they should be. Which is working as it should now.

So two concerns here:

How did the entry get changed and the domain removed from my cloudflare account
How could I just add it back to my account and re-takeover the DNS records?

I have not touched any GoDaddy settings during this process at all.

Guy

sandro 2019-02-05 07:48:45 UTC #2

The domain presumably expired and had its nameservers changed, which made Cloudflare delete it but you should have got a notification for that.

It either rescanned it or re-activated earlier settings.

What is the domain in question?

guy3 2019-02-01 10:34:22 UTC #3

The domain did expire in October 2018. It was renewed fairly quickly.

The name servers have been set to gabe and pat before and after that.

I didn’t receive anything from Cloudflare about it being deleted (as far as I can see)

It seems a bit strange that since the DNS has been pointing to the CF name servers that someone could make a change like that, and that I could just add it to my account again and update the records back to how they were.

domain in question is gentianesolutions.com

sandro 2019-02-01 10:41:00 UTC #4

Can you quantify “fairly quickly”?

It would appear as if the nameservers were changed to the registrar for about a month in November. That is sufficient for the domain to be removed.

Cloudflare typically sends out reminders, so my guess would be you missed it for some reason.

guy3 2019-02-01 10:47:09 UTC #5

Fairly quickly means within a week - I don’t recall exactly.

Where can you find out DNS history for a domain?

sandro 2019-02-01 10:50:35 UTC #6

I understand, but that is plenty of time for the registrar to change the nameservers and if you havent changed them back immediately once you renewed they probably stayed the way they were.

So we seem to have the explanation for the deactivation. Unless you have deleted it I’d go through the November mails and check if there is a notification from Cloudflare.

guy3 2019-02-01 11:01:20 UTC #7

I suspect that I didn’t get a deactivation email since my account email uses the domain in question.

it still seems strange that, since the GoDaddy settings were pointing to CF name servers that someone else changed the records though?

sandro 2019-02-01 11:02:55 UTC #8

That can be a good reason. Generally I’d advise to use a separate address to avoid such issues.

If you need to know more details you could open a support ticket and maybe they can retrace that.

guy3 2019-02-01 11:05:08 UTC #9

How do you open a support ticket? I tried and failed and ended up here (thanks for the support by the way)

sandro 2019-02-01 11:08:49 UTC #10

https://support.cloudflare.com/requests/new

system closed 2019-02-15 10:23:43 UTC #11

This topic was automatically closed after 14 days. New replies are no longer allowed.