Pointing NS to Cloudflare w/ No A Records Leads to Porn Spam

I’m having an issue where if I point my NS to Cloudflare but don’t have any A records set up, a bunch of porn spam links are being indexed on Google. This has happened on multiple domains now. How is this even possible? How do I prevent this?

Could you maybe give an example of a hostname where this happens and show your DNS settings for it, including your assigned nameservers?

Sure. Do a google site search for superiordrykilns.com.

https://www.google.com/search?q=site%3Asuperiordrykilns.com

See all those spam links? They don’t and never have existed but they are showing in a Google index. The nameservers were pointed to Cloudflare and we had zero DNS records in there for a few weeks. Somebody hijacked the domain somehow though. This has happened on multiple domains now.

Did you only change the nameservers, or did you actually add the sites to your Cloudflare account? There were problems some time ago where domains were taken over if people changed their nameservers before adding the domain to their account.

Cloudflare took measures to prevent this a few weeks ago, but it might still fit the time frame depending on when you changed your nameservers.

2 Likes

Okay, so I have some clarification from my team. Apparently the nameservers were pointed to Cloudflare. However, the domain was not actually set up in Cloudflare. It seems to line up with the issue you described above. So this has been fixed and it won’t happen again in the future right?

Cloudflare has taken measures to prevent this, but you should absolutely not point your nameservers to Cloudflare before adding the domain to your account.

It will simply not work in the future, as Cloudflare is now going to assign you new nameservers when you add your site and the nameservers already point to Cloudflare, to prevent people from doing exactly that.

You are often assigned the same nameservers for all the domains on your account, but Cloudflare does not guarantee this, so the correct order is

  1. Add the site to Cloudflare
  2. Change the nameservers
2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.