Privacy Concern Regarding Cloudflare's Nameserver Pairing Policy

I believe there’s a real privacy concern regarding the method Cloudflare utilizes in assigning a pair of nameservers to specific accounts. Cloudflare generally will assign the same two nameservers to all domains in the same Cloudflare account. (I know that there are a limited number of exceptions.) As I understand (and correct me if this figure is mistaken), Cloudflare has about 900 different named nameservers. Therefore, the likelihood of any specific two nameservers being assigned to a domain (and therefore an account) is less than one in over 400,000.

The net result of the above facts means that there is very little overlap between different Cloudflare customers using the same pair of nameservers.

Producing a list of domain names using a specified nameserver isn’t rocket science. Many gTLD, ccTLD and other domain name registries and registrars have WHOIS databases publicly available that can provide that information. Others may have disabled this function, but historically it was a feature of the WHOIS system. There are also private services available on the internet that can locate domain names using nameservers as well as other search criteria desired to produce a matching list of domains. Many of these charge a nominal fee to use while others may offer limited search functionality at no charge. These include both currently active domain name registrations as well as historical information on domains that have since been depreciated, deleted, transferred and/or sold. Much of it is based on historical WHOIS database information that the private providers obtained in the past years and decades.

Using the above resources it wouldn’t be very difficult to produce a list of domains, both current and historical, that match a specific set of Cloudflare nameserver pairs. Given that there isn’t a lot of overlap between Cloudflare customers using the same set of two nameservers, it would make it relatively easy for someone conducting the above research to make pretty good assumptions regarding the common ownership or administration of sets of domain names, both current and historical, belonging to (or having belonged to) a Cloudflare customer. Especially if the researcher already started with a basis to suspect or assume a common ownership or administration between sets of different domain names.

The issue I’m describing here is unique to Cloudflare due to its rather unusual policy of pairing nameservers to specific customers. The majority of other DNS providers share the same set of DNS servers across their customer base.

Considering that many domain name owners specifically utilize a privacy service when registering their domains, likely desiring that their cross-ownership of other domain names shouldn’t be publicly tied to a common owner, this nameserver pairing policy could, unbeknownst to the domain owners, reveal information they assumed to be private. Additionally, due to the time before the ubiquity of privacy services on the WHOIS system, much old publicly available ownership and contact information on domains that are currently private in WHOIS is nevertheless available in numerous databases on the internet that can, essentially, be accessed by anyone so desiring. At one time in the not distant past many or most TLDs didn’t permit WHOIS ownership and contact information to be made private, requiring that they be publicly available via WHOIS. In fact, even today some TLDs still have this policy, including the .US ccTLD for the United States. The meaning of all this is if the researcher can find even one domain name, either current or historical, unmasked from any privacy with its full ownership information, he can immediately extrapolate that information to apply to all other domains that at any point used the same set of Cloudflare nameservers, even if all those other domains were set to mask their ownership information in WHOIS from the very beginning of their domain registration.

I hope by sharing my above analysis it will spur consideration if the current Cloudflare nameserver pairing policy is in the best interest of the community. If I made an error in any of the above facts, assumptions or inferences, I happily stand to be corrected.

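As an added illustration of the arithmetic in the post above (not code from the original thread), the block below computes the number of unordered nameserver pairs for an assumed count of nameservers, the average number of accounts per pair under an assumed customer count, and groups a constructed set of zone records by their pair so an account owner can see which of their own zones would be linked; the `ns.example` host names and the record set are constructed, and the 900 figure is taken from the post as an assumption.

```python
from collections import defaultdict
from math import comb


def possible_pairs(n_nameservers):
    """Unordered pairs that can be formed from n distinct nameservers: C(n, 2)."""
    return comb(n_nameservers, 2)


def expected_accounts_per_pair(n_nameservers, n_accounts):
    """Average accounts sharing one pair if pairs are handed out uniformly.
    n_accounts is an assumed figure; the thread gives no customer count."""
    return n_accounts / possible_pairs(n_nameservers)


def pair_key(ns_a, ns_b):
    """Normalise a pair so order and case do not split one pair into two keys."""
    return tuple(sorted((ns_a.lower().rstrip("."), ns_b.lower().rstrip("."))))


def cluster_by_pair(records):
    """Group zone records (domain, ns1, ns2) by their unordered nameserver pair."""
    clusters = defaultdict(list)
    for domain, ns_a, ns_b in records:
        clusters[pair_key(ns_a, ns_b)].append(domain)
    return dict(clusters)


def linked_domains(records, domain):
    """Other domains in the same record set that share the given domain's pair.
    Intended as a self-audit over an account's own zones."""
    clusters = cluster_by_pair(records)
    for members in clusters.values():
        if domain in members:
            return [d for d in members if d != domain]
    return []


# Constructed sample records; hostnames are placeholders, not real nameservers.
SAMPLE_RECORDS = [
    ("alpha.example", "ada.ns.example", "bob.ns.example"),
    ("beta.example", "BOB.ns.example.", "ada.ns.example"),   # same pair, different order/case
    ("gamma.example", "cara.ns.example", "dan.ns.example"),
]

if __name__ == "__main__":
    print("pairs from 900 nameservers:", possible_pairs(900))
    print("alpha.example shares its pair with:", linked_domains(SAMPLE_RECORDS, "alpha.example"))
```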

@epic.network Thank you for sharing that article. I had read it before writing my OP above, but it has nothing to do with the points I made regarding the privacy implications of this practice.

While your observation is occasionally made, far more users appear to complain here when they get allocated a different pair of nameservers than they usually have. I would guess that any policy change on this, one that’s existed since Cloudflare began, to randomise nameservers for every domain in an account could upset a lot of users.

If exposure of data in WHOIS being linked to another domain is a concern, you can put the domain in a separate Cloudflare account instead.

I would suggest that most users are likely not cognizant of the point, and implications, I made in the OP. Thus they don’t know to complain. But if they ever contemplate the mathematical facts herein, they may be unhappy.

Others, as you suggest, may not care that anyone can figure out their full portfolio of domain names.

What I’m sure of is that, assuming the implications I’m pointing out are indeed correct, many fine folks wouldn’t be happy once they realize.

I’m wondering if a Cloudflare client is concerned regarding the aforementioned privacy concern, if he could effectively force Cloudflare to issue a different set of two nameservers for any given domain by simply, either, a) removing the domain from Cloudflare and then re-adding the same domain back to Cloudflare or b) at the domain registrar setting the two nameservers to the pair of nameservers Cloudflare usually assigns to his Cloudflare account before adding the domain to his Cloudflare account, thereby causing Cloudflare to issue a different set of nameservers for that domain.

Would either of the above two approaches cause a different pair of Cloudflare nameservers, than what are usually assigned in his account, to be assigned to that domain?

If one of the two (or both) possibilities suggested in the last post do what is described, it can be helpful for those with this particular privacy concern. Does anyone know if either, or both, would work as intended?

Removing and re-adding within 7 days will just revive the deleted zone with the same configuration and nameservers, so that won’t work unless you wait after removing it.

If you preset the nameservers before the first time you add the domain then yes you will get a random pair that time and this can be “abused” as a workaround to force random pairs for zones. The downside is that domain resolution probably won’t work for some of that time so I’d only recommend trying it on a totally new domain.

It’s also worth noting the account nameservers would be public temporarily while you perform this so it depends whether that’s caught by whatever scanners in that time.


“The downside is that domain resolution probably won’t work for some of that time so I’d only recommend trying it on a totally new domain.”

It should only be a matter of seconds that you might lose resolution, even with a pre-existing domain. When you’re ready to move it from your current non-CF DNS to CF, first change the nameservers at your registrar to the CF nameservers you don’t want to use (that CF typically assigns to your account), then immediately afterwards add the domain to your CF account. Then, when CF tells you which two nameservers to use for that domain (which, presumably, will not be the usual two your account uses since CF will see those are the preexisting nameservers), change it to those two CF nameservers at your registrar.


I’ve got $2000000. Do I bet on :heart: or :black_heart: at those odds? Please tell me it is :black_heart: because I always bet on black. If anonymity is your goal there are services that provide that at a fee commensurate with the payment provided.

You have just described a domain takeover scenario. :clap: Subscribe to a Cloudflare enterprise account for more control if you have actual concerns about privacy.

“If anonymity is your goal there are services that provide that at a fee commensurate with the payment provided.”

If I’m not mistaken, the vast majority of DNS providers (other than Cloudflare), including free services, use the same set of nameservers across their entire customer base, rather than a unique set for each customer. Therefore, the privacy concern expressed in the OP above in this thread would not exist or be of any concern regarding privacy with non-CF DNS providers. (If I’m mistaken on this point, please correct.)

“You have just described a domain takeover scenario.”

I’m not understanding this point of yours.

Yep.

You are.

“unique set for each customer”

They don’t.

The OP is you. So that is a reeeeeally long way to say you. And you are wrong. So :tada:.

:logo: has a bug bounty program. If you can demonstrate a vulnerability based on your observations, submit a report and profit.