One of my domain names is being hijacked

dash-dns
#1

I was hosting one of my domain names (gamers.pk) on Cloudflare some time ago. But then I removed it from the Cloudflare panel and I just got a call from my registrar that a porn website was being served at my domain. I just checked and the domain is indeed serving pornography. But the name servers are still the same, the default ones for my account.
Cloudflare should’ve stopped serving the website when I removed it from the panel, but more importantly, how is someone able to serve content on my domain name!

1 Like
#2

You need to contact support for this. Do you still have control of the registrar info? If so, you could change the domain name’s name servers, and that will block the issue.

#3

Which nameservers were issued to you?

Cloudflare currently announces tara and wesley, whereas you (or somebody else) set art and dina.

#4

The way it seems it would appear as if you were issued art and dina. At this point I assume you simply removed the domain from Cloudflare but kept the nameservers. Now it would seem somebody added the domain to Cloudflare once more about a month ago and had tara and wesley issued. Assuming these were never set with the registry I’d believe the domain shouldn’t have validated for that new account, yet (going by your description) it still appears to work for it.

I would clarify this with support. Additionally I’ll also tag @cloonan.

Assuming you do not want to use Cloudflare any longer I’d suggest you simply change the nameservers at your registrar.

1 Like
#5

@sandro thanks for explaining. I was issued art and dina nameservers and as you said I removed the domain from my account but the nameservers still remained the same. So, the domain shouldn’t have been validated for someone else.
I’ve just changed the nameservers to another service.

#6

Currently the nameservers still point to Cloudflare, but maybe it takes the registry some time. I’d definitely suggest to check in a while again whether the change really went through.

Thanks for the confirmation of my assumption. In this case the domain shouldn’t have become active on the other account and maybe @cscharff or @cloonan can shed some light.

#7

+1 to the suggestions to change the name servers with your registrar away from Cloudflare. I do see the zone was in your account, @raees.bhatti. In order to remove a zone from your account, change the name servers and then remove it from the dashboard. Here is what I see currently on name servers:

$ dig ns gamers.pk +short
wesley.ns.cloudflare.com.
tara.ns.cloudflare.com.

But, pknic.net.pk shows your name servers (that’s good, someone is trying to squat on your domain, but does not have control at the registrar).

Nameservers
art.ns.cloudflare.com
dina.ns.cloudflare.com
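
The mismatch shown in this post, as an added example that is not part of the original thread: a Python check that compares the NS set on record at the registry with the NS set returned by `dig ns <domain> +short`, and flags the case where both sets belong to the same DNS operator but name different servers. The function names, status labels and the last-two-labels operator heuristic are assumptions of this example; the sample input is constructed from the values quoted above.

```python
"""Compare the NS set delegated at the registry with the NS set the
authoritative servers announce for the zone (added example)."""

# Constructed sample input, using the values quoted in this thread.
REGISTRY_NS = """\
art.ns.cloudflare.com
dina.ns.cloudflare.com
"""
# Output of `dig ns gamers.pk +short` as posted above.
SERVED_NS = """\
wesley.ns.cloudflare.com.
tara.ns.cloudflare.com.
"""


def parse_ns(text):
    """Normalise NS host names: one per line, lower-cased, trailing root
    dot removed, blank lines and ';' comment lines ignored."""
    names = set()
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if line and not line.startswith(";"):
            names.add(line)
    return names


def operator(ns_name):
    """Assumption: the DNS operator is identified by the last two labels."""
    return ".".join(ns_name.split(".")[-2:])


def check_delegation(registry_text, served_text):
    """Return (status, detail) describing how the two NS sets relate."""
    delegated, served = parse_ns(registry_text), parse_ns(served_text)
    if not delegated or not served:
        return "incomplete", "one side returned no NS records"
    if delegated == served:
        return "consistent", "registry and zone agree"
    detail = "served %s, delegated %s" % (sorted(served), sorted(delegated))
    if {operator(n) for n in delegated} == {operator(n) for n in served}:
        # Same operator, different servers: the zone being answered is not
        # the one the registry delegation names (the situation in this thread).
        return "same-operator-mismatch", detail
    return "mismatch", detail


if __name__ == "__main__":
    print(check_delegation(REGISTRY_NS, SERVED_NS))
```

Run on a schedule against each domain you own, any status other than `consistent` is worth a look at the registrar and at the DNS operator's dashboard.
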
#8

The question would be though, how come the domain did validate for that other account? Cloudflare does announce that different pair of nameservers (which presumably belongs to the other account) and applied that account’s settings (either IP address or redirects) which led to the content in question being served.

My understanding would be the domain was removed and Cloudflare shouldn’t have answered requests for it anymore. And even if somebody else added it on that different account it shouldn’t have validated over there as the nameservers never changed.

Could there be a possible issue in the validation in such a case?

1 Like
#9

I’m investigating a bit more, I’ve not seen this particular set of circumstances with name servers, but the zone is not validated on Cloudflare at the moment.

1 Like
#10

We have seen this before, mostly with expired domains for a short period. I had a post on this which was deleted by myself after @ryan shed light on how the validation process works.

1 Like