Hacker managed to get IP of deleted DNS A record

Hi, recently a hacker managed to get an IP from an A record that I deleted a month ago. How can I prevent this?

I hope the person didn’t have access to your Cloudflare account? :thinking:

Furthermore, did you use the same IP for multiple services, like web service and e-mail?
Did you have proxied :orange: hostname(s) related to the web service, while also :grey: (DNS-only) for the e-mail (as it shouldn’t be proxied)? :thinking:

If so, there are briefly described best practices for that particular case of using e-mail described at the link below:

Otherwise, how long have you been using Cloudflare for your domain name?

Nevertheless, there are techniques and tools to check a history of DNS records for a domain, if that’s the case.

However, did the person get a Cloudflare proxied IP or rather your origin host IP? :thinking:

Furthermore, do you experience some issues?

Did you use an unproxied hostname pointed to that origin host / IP in the process of the development phase or something else maybe?

In most cases, there is an option to purchase an additional and different dedicated static IP address from our hosting/server providers, which we can assign to the network interface of our origin host/server and use it (either as a main one). Therefore, update the IP on the DNS of Cloudflare and we’re good to go.

The IP he got wasn’t proxied. This specific DNS record was created in Cloudflare and deleted on Cloudflare. I talked to the hacker and he said he used a tool to check the DNS history.
I could change my server IP; that’s one option. But I’m curious, is there any way to prevent people from seeing deleted records from my domain? Or are there external websites logging DNS records constantly and out of Cloudflare’s control?

Nobody got a hold of your deleted record from Cloudflare. It was a publicly advertised DNS record that was logged at some point, just like almost everything else on the Internet.

To prevent this:

  1. Never send email directly from that server.
  2. Never unproxy that record, or otherwise broadcast that IP address in association with your domain name.

To protect that IP address, firewall it to only allow connections from the IP addresses listed at IP Ranges.

Even better, use a Tunnel so the server is completely unreachable, except through your Cloudflare account.

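An added example, not from this thread or from Cloudflare: a Python script that applies the advice in the post above, flagging origin access-log entries that did not arrive from the proxy's allowlisted ranges and rendering an nftables ruleset that accepts the web ports only from those ranges. The CIDRs and log lines are constructed documentation-range samples; substitute the real IP Ranges list and refresh it regularly.

```python
import ipaddress
import re

# Constructed sample allowlist: RFC 5737/3849 documentation ranges standing in for
# the published Cloudflare IP Ranges list, which you should fetch and refresh.
PROXY_RANGES_TEXT = "198.51.100.0/24\n2001:db8:1::/48\n"
# Combined-log-style line: source address, then the request line and status code.
LOG_LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample access log: two hits via the proxy, two straight to the origin.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /login HTTP/1.1" 200 1024',
    '2001:db8:1::9 - - [10/Mar/2024:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 300',
    '203.0.113.7 - - [10/Mar/2024:12:00:12 +0000] "POST /api/status HTTP/1.1" 403 0',
]

def parse_ranges(text):
    """Turn one-CIDR-per-line text into ip_network objects (v4 and v6 mixed)."""
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()]

PROXY_NETWORKS = parse_ranges(PROXY_RANGES_TEXT)

def is_from_proxy(src, networks=PROXY_NETWORKS):
    """True if the source address falls inside one of the allowlisted ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)

def find_direct_hits(log_lines, networks=PROXY_NETWORKS):
    """Return (source, path) for requests that reached the origin bypassing the proxy."""
    matches = (LOG_LINE.match(line) for line in log_lines)
    return [(m["src"], m["path"]) for m in matches if m and not is_from_proxy(m["src"], networks)]

def render_nft_allowlist(networks=PROXY_NETWORKS, ports=(80, 443)):
    """nftables ruleset: web ports reachable only from the allowlist; other ports untouched."""
    v4 = ", ".join(str(n) for n in networks if n.version == 4)
    v6 = ", ".join(str(n) for n in networks if n.version == 6)
    dports = ", ".join(str(p) for p in ports)
    return "\n".join([
        "table inet origin_guard {",
        f"  set proxy_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}",
        f"  set proxy_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {{ {dports} }} ip saddr @proxy_v4 accept",
        f"    tcp dport {{ {dports} }} ip6 saddr @proxy_v6 accept",
        f"    tcp dport {{ {dports} }} drop",
        "  }",
        "}",
    ])
```

Any entry returned by find_direct_hits means the origin address is already known to someone outside the proxy, which is the signal to rotate the IP or move behind a Tunnel as the post suggests.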

There are numerous sites that collect and store the data.

Absolutely. They even sniff DNS lookup traffic to find hostnames. I have wildcard subdomain DNS entries for all my domains, and if I do a single nslookup for a bunch of keyboard-mashing like asodifjoqwjfoqwijfosadjfoijwq.example.com, within a few hours my server will start receiving HTTP and HTTPS requests for that “asodifjoqwjfoqwijfosadjfoijwq” subdomain from multiple different automated web spiders and security scanners. With the one that identifies as “Expanse, a Palo Alto Networks company” being the most aggressive of them. They’re still trying to scan bogus subdomains from nslookup typos I made two years ago.

Who is they?
