Website pointed to Cloudflare DNS Servers without our permission

Our company’s website is apparently pointing to a Cloudflare DNS server. We are not current clients of Cloudflare however. We have spoken with everyone we know of who has ever had access to our cpanel (4 people total), and none of them have Cloudflare accounts or pointed our website to a Cloudflare DNS server. We have no idea how this configuration occurred.

This is causing some big problems for us, as we cannot verify our domain ownership through Google (we can of course verify the domain ownership by demonstrating receipts – we’ve had this domain since 2011, and it is purchased through Network Solutions and currently hosted on Host Gator). Domain verification is required to access some third-party apps such as Microsoft PowerBI.

If we redirect to a new name server without first acquiring the zone file, our developer says we have potential downtime that could run into the days. But the company is a nonprofit that serves over a million people each year. A lengthy downtime like that would result in hundreds or thousands of people in need of help running into just a broken link.

I’m so frustrated at the moment I barely have words… I’ve spent hours trying to contact Cloudflare and cannot. They don’t accept phone calls from anyone but paid enterprise customers, and any email I submit is rejected since I am not a current customer. And yet the whole issue is that I am not a customer!

If anyone has suggestions, it would be greatly appreciated.

Welcome to the Cloudflare Community.

I understand your exasperation with the situation. I suspect that you can recognize why Cloudflare cannot share any account information with anyone other than the Cloudflare account holder, regardless of who the domain registrant is. I don’t mean to diminish or invalidate your frustration, but I am not going to dwell on that aspect as it doesn’t help you reach a solution.

Your developer is correct to urge caution when moving DNS hosting. That doesn’t make it an unobtainable objective. It is actually the option that will get you the fastest results. With thorough preparation a skilled hostmaster should be able to create a new zone file that contains the relevant records.

To prevent a similar occurrence in the future, maintaining a copy of your zone file outside of your nameservers is simple and effective. It also is an easy way to incorporate version control into your practices.

You mentioned that you spoke with the parties who had cPanel access. If you are interested in identifying who made the change, you will want to review who has registrar access through your Network Solutions account. It might be a good time for credential rotation on all related accounts, and for the platforms that support multiple users, I would abandon shared credentials entirely.
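A small helper for the zone-copy and change-review advice above, added here as example code (not from the original post, nor from Cloudflare or any registrar): it parses two simple zone snapshots built from constructed placeholder names, diffs them, and flags NS records at the apex that are not the nameservers you expect, which is exactly the kind of change that started this thread.

```python
"""Keep a zone snapshot outside the nameservers and review changes against it.
All hostnames below are constructed placeholders, not real infrastructure."""

# Constructed sample: the zone as last known good (what your hostmaster keeps in version control).
KNOWN_GOOD = """
example.org.      3600 IN NS    ns1.hosting-provider.example.
example.org.      3600 IN NS    ns2.hosting-provider.example.
example.org.      3600 IN A     192.0.2.10
www.example.org.  3600 IN CNAME example.org.
example.org.      3600 IN MX    10 mail.example.org.
"""

# Constructed sample: what the live nameservers answer today (e.g. dumped from dig output).
CURRENT = """
example.org.      300  IN NS    ns1.unexpected-dns.example.
example.org.      300  IN NS    ns2.unexpected-dns.example.
example.org.      300  IN A     192.0.2.10
www.example.org.  300  IN CNAME example.org.
example.org.      3600 IN MX    10 mail.example.org.
example.org.      3600 IN TXT   "v=spf1 include:_spf.mail.example -all"
"""


def parse_zone(text):
    """Parse 'owner ttl IN type rdata' lines into a set of (owner, type, rdata).
    TTL is deliberately dropped: a TTL tweak is not a content change worth alerting on."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and whole-line comments
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unsupported zone line: {line!r}")
        owner, _ttl, _cls, rtype, rdata = parts
        records.add((owner.lower(), rtype.upper(), " ".join(rdata.split())))
    return records


def diff_zones(old_text, new_text):
    """Return (added, removed) record sets between a stored snapshot and the live answers."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    return new - old, old - new


def delegation_drift(zone_text, apex, expected_ns):
    """Return apex NS targets that are not in the expected nameserver set (empty means no drift)."""
    served = {rdata.lower().rstrip(".") for owner, rtype, rdata in parse_zone(zone_text)
              if owner == apex.lower() and rtype == "NS"}
    return served - {ns.lower().rstrip(".") for ns in expected_ns}
```

Run `diff_zones(KNOWN_GOOD, CURRENT)` on a schedule against a fresh dump of the live records and treat any non-empty `delegation_drift` result as an incident, not a curiosity.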


My greatest frustration isn’t that Cloudflare won’t release the information - it’s that we cannot even contact them to ask them to release the information.

To the best of our knowledge, the account was redirected without our authorization by someone who does not work for our company and was not granted access to our servers. I’m hesitant to call it a “hack” because it’s hard to see what the purpose of said hack would be - but at the same time, this seems to meet the definition of a hack. Someone with a Cloudflare account redirected our website to Cloudflare’s DNS servers through their account without our authority, and we have no way to contact Cloudflare or address it whatsoever. There are some massive ethical issues there, which to be honest feel quite violating.

With that said, I appreciate the feedback and suggestions! Unfortunately in this case that is a really bad result for us. Our developer has indicated that we are likely to experience days or possibly longer of downtime, as there is no way to know what changes were made to the zone file that is located in Cloudflare’s servers, and reconstructing it will be somewhat of a fishing expedition.

We may have to go this route if we cannot contact Cloudflare somehow, but it will be extremely disruptive to the organization and - far worse - it takes information essential to the public health offline for thousands of people that we serve for an unknown amount of time.
