Need clarification on the permissions for deleting DNS entries

Need some help understand the permissions needed for deleting DNS entries.

As shown in the screenshot, it looks like anyone in our company could sign up in CloudFlare and delete our DNS records (including contractors who have use our email domain). Is there any permission imposed on this delete command so that only a CloudFlare admin in our company can delete/edit the records? If yes - how do we enforce that?

Hi @ajay.vasudevan,

I’m not sure what you mean, Your Cloudflare account access is not controlled by domain, but by user (potentially unless you have SSO on a custom Enterprise setup). Only people you add to your account can make changes.

2 Likes

Even then you have to add each user and assign them permissions.

1 Like

I think the concern here is that it looks like anyone in my company can create an account using our company email and get access to the DNS panel - where they could potentially delete our records.

So, the question I have is - how do we enable permissions on CloudFlare such that no one else can edit/delete our DNS records?

That’s pretty much what you said the first time around.

How would they get access to your DNS panel? Your site’s account here only has one email address for the login. How would someone else from the same domain gain access? Just because your username (email address) has the same domain as the site in the plan, it doesn’t mean that anybody with an email address in that domain can log into your account.

2 Likes

@ajay.vasudevan I think you are misunderstanding what you are seeing here - one of Cloudflare’s services is that we can be your authoritative DNS provider for your domain.

Anyone can attempt to add a domain to Cloudflare, but they will not be able to change your real DNS records unless they have access to switch your domain’s name servers at your domain’s registrar. Without this, your domain’s DNS will be handled by your current DNS provider (e.g. whichever name servers you are pointing your domain to at your registrar) and if you are already using Cloudflare, it will be using the DNS configuration in your account and not anyone else’s.

In your case, your NS currently are:

😋 $ dig +short NS imagen.ai
ray.ns.cloudflare.com.
vera.ns.cloudflare.com.

Ray / Vera should be the NS assigned to you in your account. Anyone else signing up will get assigned a different set of NS and only if & when the name servers are switched at the registrar, would anyone have control over the DNS.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.