Unauthorized DNS Takeover with Cloudflare?


#1

Hello!
I was just playing around with Cloudflare thinking that it could be a great idea to transfer the DNS & Registrar for my customers to Cloudflare. So I created an account and put the domain name for one of my customers in the “Add Site”. After selecting the free plan, I was shocked to see that the DNS zone for my customer came up on my screen and I could actually edit A records. I was even more horrified that when I did a “nslookup candy.ns.cloudflare.com” I could see the changed record.
Holy mackerel! What’s keeping a hacker from doing the same thing for my customers’ DNS when there is no proof of ownership required? Granted when I do a “nslookup 1.1.1.1” I get the original record and not my changed A record. But even so - seeing the entire DNS zone for a domain that you don’t own seems like a huge security risk.
Can someone explain what is going on? I can’t say that I am too thrilled to move customers’ DNS until I get a good explanation of what is going on…
Thanks! Dave


#2

What you are seeing is normal and expected behavior. When you add a domain to Cloudflare, on any plan, Cloudflare will scan the ~2000 most common records to pre-populate your records and help you get started (you will still need to add other records, since not all are added most times unless you have a very basic setup) and all the IPs shown are publicly available by simply querying normally.

The main misconception here is that when you look up using Cloudflare’s Name Servers (e.g. candy.ns.cloudflare.com) they will reply, but they actually need to reply to those queries. They won’t reply to anyone using the web normally as the authoritative name servers for the domain are not Cloudflare’s (you demonstrated the same thing in your own post).

When you switch name servers at the Registrar then they will become authoritative and you will demonstrate your ownership. At this point if Cloudflare weren’t already replying you would have a loss of service and your domain wouldn’t work until Cloudflare could see the change and start responding.

I will also link to this tutorial I wrote that can help on some more advanced questions. Will probably write one on this topic as well.
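The check Matteo describes (a nameserver answering is not the same as a nameserver being authoritative) can be scripted. The following is an added example, not code from the thread or from Cloudflare: it compares the NS set the public DNS actually delegates to against a candidate nameserver, then compares that server's answer with what a normal resolver returns. The `lookup` callable is pluggable so the logic runs offline against constructed data; the `dnspython_lookup` helper assumes the dnspython library is installed, and the domain names and IPs in the canned data are constructed placeholders.

```python
"""Is a nameserver's answer live on the public DNS, or only staged?

Added example (not from the forum thread).  A record served by a nameserver
that is NOT in the domain's delegation is invisible to ordinary resolvers,
which is why pre-populated zones at a provider are not a takeover.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set

# lookup(qname, rtype, server) -> set of record values as strings.
# server=None means "ask the normal public resolver".
Lookup = Callable[[str, str, Optional[str]], Set[str]]


@dataclass
class DelegationReport:
    domain: str
    candidate_ns: str
    delegated_ns: Set[str]
    is_delegated: bool
    candidate_answer: Set[str]
    public_answer: Set[str]

    @property
    def staged_only(self) -> bool:
        """True when the candidate serves data the public DNS does not see."""
        return (not self.is_delegated) and self.candidate_answer != self.public_answer


def normalize(name: str) -> str:
    """Compare DNS names case-insensitively and ignoring the trailing dot."""
    return name.rstrip(".").lower()


def check_delegation(domain: str, candidate_ns: str, qname: str, lookup: Lookup) -> DelegationReport:
    # Step 1: which servers does the public DNS actually delegate the zone to?
    delegated = {normalize(n) for n in lookup(domain, "NS", None)}
    is_delegated = normalize(candidate_ns) in delegated
    # Step 2: what the candidate says versus what everyone else resolves.
    candidate_answer = set(lookup(qname, "A", candidate_ns))
    public_answer = set(lookup(qname, "A", None))
    return DelegationReport(domain, candidate_ns, delegated, is_delegated,
                            candidate_answer, public_answer)


def dnspython_lookup(qname: str, rtype: str, server: Optional[str]) -> Set[str]:
    """Real-world lookup; assumes the dnspython package is installed."""
    import dns.resolver
    res = dns.resolver.Resolver()
    if server:
        # Point the resolver straight at the candidate nameserver's address(es).
        res.nameservers = [r.address for r in dns.resolver.resolve(server, "A")]
    try:
        return {r.to_text() for r in res.resolve(qname, rtype)}
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return set()


# Constructed sample data standing in for real DNS responses (placeholders).
CANNED = {
    ("example.test", "NS", None): {"ns1.registrar.test.", "ns2.registrar.test."},
    ("www.example.test", "A", None): {"192.0.2.10"},              # what the world sees
    ("www.example.test", "A", "candy.ns.cloudflare.com"): {"203.0.113.9"},  # staged edit
}


def canned_lookup(qname: str, rtype: str, server: Optional[str]) -> Set[str]:
    return CANNED.get((qname, rtype, server), set())


def after_switch_lookup(qname: str, rtype: str, server: Optional[str]) -> Set[str]:
    """Same data, but as if the registrar had been switched to the candidate."""
    if (qname, rtype, server) == ("example.test", "NS", None):
        return {"candy.ns.cloudflare.com."}
    if (qname, rtype) == ("www.example.test", "A"):
        return {"203.0.113.9"}
    return set()


if __name__ == "__main__":
    before = check_delegation("example.test", "candy.ns.cloudflare.com", "www.example.test", canned_lookup)
    print("delegated:", before.is_delegated, "staged only:", before.staged_only)
    after = check_delegation("example.test", "candy.ns.cloudflare.com", "www.example.test", after_switch_lookup)
    print("delegated:", after.is_delegated, "staged only:", after.staged_only)
```

For a real domain, pass `dnspython_lookup` instead of the canned callables; `staged_only` being true is the situation in the original post (the provider answers, but nobody is delegated to it), and a report showing `is_delegated` true for a nameserver you did not configure is the condition worth alerting on.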


#3

Matteo,

Thanks for your reply! I think that I understand everything that you are saying. However my question is what happens if Internet hosts are using candy.ns.cloudflare.com? Then those hosts would be getting the “forged” DNS and not the authorized DNS. I suppose that since candy.ns.cloudflare.com isn’t a recursive resolver no host is probably pointing its DNS there.

I guess that makes sense. And it was helpful that you explained how CloudFlare “guesses” DNS hosts for its lookup - it’s not really reading the DNS zone.

Thanks! That makes me feel better… :slight_smile:

Dave


#4

It wouldn’t work; it doesn’t resolve websites outside those hosted by Cloudflare. Google wouldn’t work for example.

If the other authoritative name servers support ANY queries you could theoretically accomplish that task much easier, but no. Also all info is public already, hiding things only through obscurity isn’t really best practice.