Nameservers pointing to another IP

adrian.allen2010 · February 15, 2021, 9:14am

One of my websites randomly is going to another IP address, when I do a DNS check, I can see the name server A record is setup point to two IP addresses which aren’t setup on my account. I tried setting up the domain again and got new nameservers, which worked fine and pointed to my site, but I checked again yesterday, and I can see that these new nameservers are now also pointing to this alternative IP again, so my domain keeps being redirected to another (Spam) server. Does anyone know how can I stop this and where this other A record is coming from that is linked to my nameservers?

The IP starting with 104 is the correct IP.

;QUESTION
magicfootball com IN A
;ANSWER
magicfootball com 300 IN A 104.21.73.33
**magicfootball com 300 IN A 172.67.157.112**
;AUTHORITY
magicfootball com 172800 IN NS george.ns.cloudflare.com.
magicfootball com. 172800 IN NS jocelyn.ns.cloudflare.com.
;ADDITIONAL
george.ns.cloudflare.com. 100467 IN A 108.162.193.167 ???
**george.ns.cloudflare.com. 100467 IN A 172.64.33.167**
**george.ns.cloudflare.com. 100467 IN A 173.245.59.167**
george.ns.cloudflare.com. 100467 IN AAAA 2606:4700:58::adf5:3ba7
george.ns.cloudflare.com. 100467 IN AAAA 2803:f800:50::6ca2:c1a7
george.ns.cloudflare.com. 100467 IN AAAA 2a06:98c1:50::ac40:21a7
jocelyn.ns.cloudflare.com. 104973 IN A 108.162.192.174 ???
**jocelyn.ns.cloudflare.com. 104973 IN A 172.64.32.174**
**jocelyn.ns.cloudflare.com. 104973 IN A 173.245.58.174**
jocelyn.ns.cloudflare.com. 104973 IN AAAA 2606:4700:50::adf5:3aae
jocelyn.ns.cloudflare.com. 104973 IN AAAA 2803:f800:50::6ca2:c0ae
jocelyn.ns.cloudflare.com. 104973 IN AAAA 2a06:98c1:50::ac40:20ae

fritexvz · February 16, 2021, 9:54pm

If using Cloudflare and if is at your DNS records, the Cloudflare uses as much IP addresses so it is possible sometimes returns out to have two ot three as a return, either if you have only one IP address added to your record at Cloudflare DNS dashboard.

Some domains may see three Cloudflare IPs, usually two starting with 104. and one starting with 172. They can even change from month to month.

https://www.cloudflare.com/learning/dns/glossary/round-robin-dns/

adrian.allen2010 · February 16, 2021, 9:54pm

Thanks, I managed to figure out that the IP was cloudflare. What I also noticed was that the redirect was actually caused by caching from the DNS.

What was strange is the fact that I had removed the site from Cloudflare and it appears it was setup by someone else using the same nameservers. I checked the IP it had been pointing too and discovered 10,000 other domains pointing to this same IP.

So, if you remove a site from cloudflare and someone re-adds it, is it possible the same nameservers that were used are allocated?

Anyway, thank you very much for your answer. I will mark it as the solution.

sdayman · February 16, 2021, 10:00pm

It’s always risky to delete a domain from DNS without changing name servers at your registrar. While Cloudflare has MANY combinations of name servers, and it’s unlikely someone will stumble upon your deletion, there’s a chance someone else may leap at the chance. Much more likely when you host at a place that has a very limited Name Server selection, like ns1.host.com and ns2.host.com.

system · February 17, 2021, 10:01pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.