This post covers the basic security questions that users may have on adding a domain.
Cloudflare has many security mechanisms in place in order to prevent domain hijacking.
We spent an afternoon generating a list of one hundred common 2- to 4-letter names, like Bob and Lola. We then used them to create the domain names we handed out at signup. Initially there were 50 boys names and 50 girls names. Everyone who signs up gets one of each, allowing for 2,500 unique combinations.
[Editor’s note] There is a cool story about the 51st male name I’ll add to the count later (Woz), read the source for it.
— What’s the story behind the names of Cloudflare’s nameservers?
For every domain Cloudflare assigns a unique combination of their nameservers. Basically each account (and by default all of it’s domains) are given a male and a female pair of the of 51 male and 50 female nameservers (there a total of 50*51 = 2550 combinations). This paradigm changes in case of multiple registrations, let’s go step-by-step in the case the domain is already added (the actual activation of it is relatively unimportant as the steps don’t change):
- Someone adds the domain to a Cloudflare’s account.
- The domain receives a pair of nameservers. This pair by default is the one of the account owner, but if the pair is the same as the account where the domain had been already added this pair is switched. There is also a limit on the number of registrations (way lower, orders of magnitude lower, than the number of combinations) in total a domain may be added after which support need to intervene to allow an addition to take place.
- Cloudflare systems will check with the current registrar what nameservers have been added there.
- The account whose nameserver pair coincide with the registrar’s will get authoritative control of the domain.
Cloudflare will usually reply to DNS queries corresponding to the first account which adds the domain or the current active account’s until the registrar’s nameservers change. The solution in this case would be to contact support and ask for help demonstrating ownership of the domain by other means to prevent possible disruptions during the transfer. The reason for this is:
In conclusion there are only two ways to hijack a domain:
- get access to your Cloudflare’s account, but this is not really a Cloudflare security issue as they would need your username and password (hopefully as long as possible, the longer the better). The best option would be to have also 2FA active which only helps.
- take control of the domain via the registrar (if using Cloudflare’s Registrar this merges with the first option), accessing the account there (same rules apply as before) or forgetting to renew the domain.
The TL;DR here is that there are no possible ways to take control of your domain (given standard procedures are done before expiry dates and basic security is used with the accounts).