Hijacked domain

I noticed my domain had been hijacked.

My nameservers were updated to cloudflare a few days ago. I’m still working with my registrar to see how this was possible.

I noticed the name servers had been changed to cloudflare.

I had not been using cloudflare for this specific domain.

I attempted to register the domain in cloudflare and to my surprise I was able to add it to my domain.

I then noticed the configured A records pointing to a webhost in the Netherlands.

A few questions, how does one claim ownership for a domain in Cloudflare?

How was I able to assign the domain to my account if somebody else must have configured before me?

Could my account be compromised and somebody added the domain to my or an account, configured it and removed it but the configuration remained?

Just a note that the name servers changed (the female/male) from when it was hi-jacked to when I took over the domain in cloudflare.

Hijacking a domain would be a two-step process:

  1. A Cloudflare customer adds your domain to their account (this is the easy part).
  2. That same person hacks into your domain registrar and sets your domain to use the two Cloudflare name servers assigned to them. (This is the hard part, and your issue is with your domain registrar).

#1 is the easy part because it doesn’t take effect until the name servers have been switched over. There are many legitimate reasons to let someone add any domain to their account, but remember that it’s a useless effort unless they have domain access at the registrar.

3 Likes
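Step 2 above is the only part that changes what resolvers see, so a nameserver-drift check against what the owner set at the registrar is the practical detector. The following is an added example, not code from the thread or from Cloudflare; the domain, the expected nameservers and the sample answer are constructed.

```python
"""Detect an unauthorized nameserver change of the kind described in the thread.

Parses NS answers in the text form `dig +short NS example.com` prints and compares
them with the nameservers the owner expects to be set at the registrar.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed: what the owner configured at the registrar (assumption).
EXPECTED_NS = {"ns1.example-host.net", "ns2.example-host.net"}

# Managed DNS providers where a third party may already have added the zone
# (step 1 in the thread); the delegation only matters once step 2 happens.
THIRD_PARTY_SUFFIXES = {"ns.cloudflare.com": "Cloudflare"}


@dataclass
class NsReport:
    current: Set[str]     # nameservers currently delegated
    unexpected: Set[str]  # present now but not in the expected set
    missing: Set[str]     # expected but no longer delegated
    provider: Optional[str]  # known provider behind the unexpected servers

    @property
    def changed(self) -> bool:
        return bool(self.unexpected or self.missing)


def parse_ns_answer(text: str) -> Set[str]:
    """One hostname per line, trailing dot optional, ';' lines are dig comments."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            names.add(line.rstrip(".").lower())
    return names


def provider_for(names: Set[str]) -> Optional[str]:
    for name in names:
        for suffix, provider in THIRD_PARTY_SUFFIXES.items():
            if name == suffix or name.endswith("." + suffix):
                return provider
    return None


def check_nameservers(answer: str, expected: Set[str] = EXPECTED_NS) -> NsReport:
    current = parse_ns_answer(answer)
    unexpected = current - expected
    return NsReport(current, unexpected, expected - current, provider_for(unexpected))


# Constructed sample: what `dig +short NS example.com` returned after the change.
SAMPLE_ANSWER = "alice.ns.cloudflare.com.\nbob.ns.cloudflare.com.\n"
```

Run `check_nameservers(SAMPLE_ANSWER)` from a scheduled job and page on `.changed`; the `provider` field tells you which account-based DNS service to contact alongside the registrar.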

But wouldn’t step 1 prevent me from adding the domain as well?

My registrar replied with “you have not been hacked, nothing to worry about, it was just a bug in our system” :joy:

1 Like

No, a bad actor taking step 1 does not prevent the legitimate domain owner from also taking step 1. The key, as @sdayman mentioned, is that taking step 1 is useless unless you also have the ability to take step 2 and change nameservers.

And, big thank you for closing the loop with the detail from your registrar.

3 Likes

But if multiple users define the same domain with different IPs… Which configuration is used?

I guess cloudflare is using multiple name servers but if several users end up on the same cloudflare name server… Whose configuration wins?

Hi @DKTastic,

whichever account has the nameservers set at the domain’s registrar.

A lot of different combinations!

Being on the same nameserver pair is very uncommon, but not impossible. However, the same domain won’t be assigned the same two nameservers on two different accounts.

More info at:

3 Likes

Thank you all. I’m certain the main issue was with my registrar and not with cloudflare.

3 Likes
