When adding a new domain, don't query DNS if nameservers are already set to cloudflare's

Usually when registering a new domain, I immediately set the nameservers to the Cloudflare nameservers since having any others isn’t of any use to me in that case.

In this particular case I think it would be best if Cloudflare could simply detect that the domain is already using Cloudflare nameservers and skip the DNS query.

Additionally the screen that asks me to change the nameservers should also be skipped if they are already Cloudflare’s

Hi @mkg20001,

It is strongly recommended that you do not change the nameservers to point to Cloudflare until you have already gone through the setup process as it can result in someone else taking control of your domain if you point it to a service you don’t manage.

1 Like

Please be more specific. Do you mean “someone who also happens to have been assigned these two nameservers for their account”? Really, how high is the probability. Someone would have to be 1) aware of the existence of the domain 2) aware of the fact that the nameservers are equal and 3) aware of the fact that it isn’t already added to Cloudflare
Actually pulling that off would require not only knowledge of the domain but multiple sockpuppet-accounts to get one for every nameserver combination. Then, and only then I think it would be feasible.

I only mention it because we have had a few reported cases of it actually happening.

For better or worse the the onboarding of a new zone requires a customer to demonstrate positive control of a zone. For a full setup that means changing the zone from a set of nameservers which aren’t Cloudflare to a pair which are. I suppose we could do a better job here of assigning a random nameserver pair when a pair is already specified as being on Cloudflare, but it would still be the changing of the nameservers from something they were to something they now are.

1 Like

How about giving every customer a unique pair that CNAMEs to the “actual” NS pair? I think that sounds reasonable. Or if it doesn’t: make more combinations. Make some random names that just cname to existing name servers so the chance of getting a new pair is so low that it actually isn’t an issue anymore?

Sounds reasonable?

Update: Did the maths

(1÷100)^2 = 0,0001 or 0,01%
1÷0,0001 = 10000 accounts

So with 100 nameservers one would need 10000 Accounts to get the same pair if my calculations are correct (please recheck, not quite confident, I think I messed up at the “second nameserver can’t be the first one as the first nameserver” condition, still result is huge enough)

If Cloudflare were to use 100 nameservers (or domains which CNAME to a lower total nameserver count, because it’s about a unique sub-domain not unique record-value) the proposed method would be safe and the suggested improvments could be added

If the nameserver count currently is lower, everyone could simply be assigned new ones and the old ones could be kept in the DB and be valid for domains that were registered before the migration, so newer ones couldn’t be overtaken/registered with old pairs.

I assume that 100 different NS domains aren’t that much for a company as big as Cloudflare. Could also be more if paranoid level of security is wanted :wink:

(Note that by domains I always mean namservers sub-domains such as betty.ns.Cloudflare.com)

Since I don’t have the total number of NS domains currently I can only guess. But based on @domjh’s comment it’s lower

Would increase security for a relativly low price to pay and would make my life a ton easier (let’s focus on the security aspect)

Note that I didn’t study Cloudflare’s internals so I can only guess, maybe I’m wrong here

You may want to read @matteo’s post on security and domain hijacking:

There are over 2,500 unique nameserver combinations, I think that the only way they could completely rule this out would be to check if nameservers are already pointing to Cloudflare and choose a different pair.

Although I can’t find the thread now, there was a discussion before that all Cloudflare’s nameservers respond to queries for a domain so any domain that is pointing to Cloudflare without being in an account may be able to be hijacked without having the same nameserver pair, hence my first recommendation never to point the nameservers to CF before adding to an account… Still searching for the thread I am looking for…

Isn’t that sort of a flaw in the system? I think it’s better to only propagate the zones to the nameservers that are actually responsible. And if that isn’t possible because the nameservers use anycast/multicast or because DNS switching should be seamless then a flag could be set somewhere whether the domain name is confirmed (Cloudflare has seen the right nameservers) so that the namservers check that the right NS is set on every query. That of course has it’s limitations since that would mean checking the whois very often. But I think best would be to make only the DNS servers in the pair respond to the querys.

I do see where you are coming from on that. You may also want to have a look at this discussion Cloudflare Bug - My blog got redirected to this illegal site - #11 by OliverGrant where it is discussed more. Again, I don’t really think it is that much of an issue as long as people follow the correct procedure, add their do,main to their Cloudflare account and then change the nameservers to point there. I will leave it for others to jump in here if they want :slight_smile: