I believe there’s a real privacy concern regarding the method Cloudflare utilizes in assigning a pair of nameservers to specific accounts. Cloudflare will generally assign the same two nameservers to all domains in the same Cloudflare account. (I know that there are a limited number of exceptions.) As I understand it (and correct me if this figure is mistaken), Cloudflare has about 900 different named nameservers. Therefore, the likelihood of any specific two nameservers being assigned to a domain (and therefore an account) is less than one in 400,000.
The net result of the above facts is that there is very little overlap between different Cloudflare customers using the same pair of nameservers.
Producing a list of domain names using a specified nameserver isn’t rocket science. Many gTLD, ccTLD and other domain name registries and registrars have publicly available WHOIS databases that can provide that information. Others may have disabled this function, but historically it was a feature of the WHOIS system. There are also private services available on the internet that can locate domain names using nameservers, as well as other search criteria, to produce a matching list of domains. Many of these charge a nominal fee, while others offer limited search functionality at no charge. They cover both currently active domain name registrations and historical information on domains that have since been deprecated, deleted, transferred and/or sold. Much of it is based on historical WHOIS database information that the private providers obtained over past years and decades.
Using the above resources, it wouldn’t be very difficult to produce a list of domains, both current and historical, that match a specific set of Cloudflare nameserver pairs. Given that there isn’t a lot of overlap between Cloudflare customers using the same set of two nameservers, it would be relatively easy for someone conducting the above research to make pretty good assumptions regarding the common ownership or administration of sets of domain names, both current and historical, belonging to (or having belonged to) a Cloudflare customer, especially if the researcher already started with a basis to suspect or assume common ownership or administration between sets of different domain names.
The issue I’m describing here is unique to Cloudflare due to its rather unusual policy of pairing nameservers to specific customers. The majority of other DNS providers share the same set of DNS servers across their customer base.
Considering that many domain name owners specifically utilize a privacy service when registering their domains, likely desiring that their cross-ownership of other domain names not be publicly tied to a common owner, this nameserver pairing policy could, unbeknownst to the domain owners, reveal information they assumed to be private. Additionally, because of the time before privacy services became ubiquitous on the WHOIS system, much of the old publicly available ownership and contact information on domains that are now private in WHOIS is nevertheless available in numerous databases on the internet that can, essentially, be accessed by anyone so desiring. At one time in the not-too-distant past, many or most TLDs didn’t permit WHOIS ownership and contact information to be made private, requiring that it be publicly available via WHOIS. In fact, even today some TLDs still have this policy, including the .US ccTLD for the United States. The meaning of all this is that if the researcher can find even one domain name, either current or historical, unmasked from any privacy with its full ownership information, he can immediately extrapolate that information to all other domains that at any point used the same set of Cloudflare nameservers, even if all those other domains were set to mask their ownership information in WHOIS from the very beginning of their registration.
I hope that by sharing my above analysis it will spur consideration of whether the current Cloudflare nameserver pairing policy is in the best interest of the community. If I have made an error in any of the above facts, assumptions or inferences, I happily stand to be corrected.
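The inference chain described in the post (group domains by the Cloudflare nameserver pair they use, then carry one unmasked WHOIS record across the whole group) is shown below as an added example. It is not code from the original post or from Cloudflare; the nameserver hostnames, domain names and registrant are constructed placeholders, and a real run would feed the same functions with records pulled from WHOIS or passive-DNS sources. It also shows the size of the pair space behind the "one in 400,000" figure and declines to attribute a cluster when two different unmasked registrants disagree, which is the check a careful researcher would add.

```python
"""
Added example (not part of the original post): cluster domains by the
Cloudflare nameserver pair they use and propagate a single unmasked
WHOIS registrant to every member of that cluster.

All records below are constructed for illustration. The *.ns.cloudflare.com
hostnames are placeholders, not real Cloudflare assignments.
"""
from collections import defaultdict
from math import comb

CLOUDFLARE_NS_SUFFIX = ".ns.cloudflare.com"


def pair_space(nameserver_count: int = 900) -> int:
    """Number of distinct unordered nameserver pairs drawable from a pool.

    With ~900 named nameservers this is C(900, 2) = 404,550, which is where the
    "less than one in 400,000" odds in the post come from.
    """
    return comb(nameserver_count, 2)


def ns_pair_key(nameservers):
    """Normalise a pair so ordering, case and trailing dots do not split a cluster."""
    return tuple(sorted(ns.lower().rstrip(".") for ns in nameservers))


def is_cloudflare_pair(key) -> bool:
    """True only when both hostnames are Cloudflare-operated nameservers."""
    return len(key) == 2 and all(ns.endswith(CLOUDFLARE_NS_SUFFIX) for ns in key)


# Constructed sample: (domain, nameserver records, registrant or None if masked).
# Mixes current and historical records, as the post says the WHOIS archives do.
SAMPLE_RECORDS = [
    ("alpha-example.com", ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"], None),
    ("beta-example.net", ["bob.ns.cloudflare.com.", "ADA.ns.cloudflare.com"], None),
    # .US does not allow WHOIS privacy, so this one is unmasked.
    ("gamma-example.us", ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"], "Jane Doe"),
    # Historical record for a domain that has since been deleted.
    ("old-example.com", ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"], None),
    # Different pair, nobody unmasked: nothing can be inferred.
    ("delta-example.org", ["carl.ns.cloudflare.com", "dina.ns.cloudflare.com"], None),
    # Same pair but two conflicting unmasked registrants: ambiguous, skip.
    ("eps-example.com", ["eve.ns.cloudflare.com", "fred.ns.cloudflare.com"], "Acme LLC"),
    ("zeta-example.com", ["eve.ns.cloudflare.com", "fred.ns.cloudflare.com"], "Zed Corp"),
    # Not a Cloudflare pair at all (shared-provider nameservers): ignored.
    ("eta-example.com", ["ns1.shared-dns.example", "ns2.shared-dns.example"], "Someone"),
]


def cluster_by_ns_pair(records):
    """Map each normalised Cloudflare nameserver pair to its (domain, registrant) members."""
    clusters = defaultdict(list)
    for domain, nameservers, registrant in records:
        key = ns_pair_key(nameservers)
        if not is_cloudflare_pair(key):
            continue
        clusters[key].append((domain, registrant))
    return dict(clusters)


def infer_registrants(records):
    """Attribute each cluster to its single unmasked registrant, if exactly one exists.

    Returns {domain: registrant} for every domain whose cluster has exactly one
    distinct unmasked registrant. Clusters with none, or with conflicting
    registrants, are left unattributed rather than guessed.
    """
    inferred = {}
    for members in cluster_by_ns_pair(records).values():
        known = {registrant for _, registrant in members if registrant}
        if len(known) != 1:
            continue
        (who,) = known
        for domain, _ in members:
            inferred[domain] = who
    return inferred


if __name__ == "__main__":
    print(f"distinct nameserver pairs from 900 names: {pair_space():,}")
    for domain, who in sorted(infer_registrants(SAMPLE_RECORDS).items()):
        print(f"{domain:20s} -> {who}")
```

The only real-world inputs missing here are the record sources. The post names the two that matter: registry/registrar WHOIS (where nameserver search is still exposed) and the commercial historical-WHOIS and reverse-NS databases; either can be loaded into the same `(domain, nameservers, registrant)` tuples.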