Unique nameserver combinations per site?

I need to migrate around 50 sites over to Cloudflare Pro. But I don’t want them all using the exact nameservers. Am I forced to create 50 different accounts so this doesn’t happen?

Why don’t you want them to all use the same nameservers?

For example jean.ns.Cloudflare.com has roughly 46,345 domains.
TLS Certificate shows less domains.

1 Like

@Judge @adaptive Because as far as I know, my domains are the only ones with the unique combination of the 2 nameservers my account is assigned. No other domain has those mixed. So you’d be able to identify all sites from those two. Is this wrong?

There are a limited amount of nameservers, so there’s probably a few dozen or a few hundred other accounts with the same combination of nameservers as you.

Note that when Universal SSL is issued, it will combine the other domains on your account into the certificate which is probably an easier “domain discovery” method compared to NS checking. For example, my website https://judge2020.com shows the SAN of many other websites on my account:

DNS Name=Cloudflaretools.com
DNS Name=code.bet
DNS Name=corporateclash.company
DNS Name=evilsite.cf
DNS Name=judge.sh
DNS Name=judge2020.com
DNS Name=judge2020.me

In general, I think domain discovery probably shouldn’t be something to consider. Websites on the internet shouldn’t rely on obscurity as their security and should make sure that their web applications are secure by default.

3 Likes

I’d prefer competitors not know exactly what we’re up to. It’s not really about security.

in that case only way with Cloudflare is have separate cf accounts unfortuantely

Gotchya. Little more effort then, no biggy.

Appreciate your guys help.

:thought_balloon: If you are moving 50 domains to Cloudflare Pro, perhaps you should contact Sales and see if they can propose something on the Enterprise plan with custom nameservers.

One method would be to register cf accounts first and grab all their CF API key credentials and programatically add domains to each cf account via CF API similar to https://support.cloudflare.com/hc/en-us/articles/360000841472

you may not need 50 cf accounts if you group similar/like domains to each cf accounts i.e. 2 domains per account would mean only 25 cf accounts are needed or 5 domains per account = only 10 cf accounts needed.

You could do one account and then buy dedicated certificates. They are not shared certs, so no SANs.

There are 2550 combinations of nameservers, so it’s thousands upon thousands of domains per combination.

seems even with dedicated ssl certs, the sni* version of Cloudflare multi domain SAN is generated (probably for non-SNI supported client access backwards compatible ?) according my search from certificate transparency logs - so folks who know how to search and uncover such would be able to do so still if the domains are on same Cloudflare account.

You can still disable Unibersal SSL… You add a domain, disable Universal SSL, add another and repeat.

1 Like

Yeah true… but past ssl certificate transparency logs will also be searchable as you can’t (ideally wouldn’t want to) disable Universal SSL until after you purchase a dedicated SSL cert. So the history is already logged and searchable for anyone who wants to/knows how to.

Yeah, but you can disable SSL even before switching nameservers (which prevents the ordering of certs, especially if you add the domains as free which take a few hours, but isn’t actually needed), then buy the cert before turning proxying on.

1 Like

Yeah true… such steps would definitely need to be documentated in Cloudflare KB article database for a privacy first Cloudflare setup guide :slight_smile:

@cloonan @cs-cf :slight_smile:

It should theoretically work, if I consider everything… This is all without the need for multiple accounts which is a pain. You could theoretically add yourself as a member, but still 50+ accounts is a mess.

1 Like

But there is a time delay between when you initial setup Cloudflare account with Flexible SSL/universal SSL enabled by default, until you disable Universal SSL. Wonder if during that time, the multi-domain SAN Universal SSL certificate is already making it’s way into Certificate Transparency logs ?

Doubt that, they can’t even verify you are actually the owner of the domain. You need to disable it before switching nameservers.

1 Like

Ah yes :slight_smile:

Gives me a few ideas for initial setup API commands for a privacy first CF initial domain setup :slight_smile:

1 Like