Who keeps deleting my DNS records?

I set up three new DNS records, well, one of them was just updating an existing TXT (SPF) record.

It was fine.

Next day they get deleted.

I don't delete them and no one else has access to this account.

In audit logs it says the records were deleted. And that the User was API…

So these records were deleted by some bot? Or API?

But how?

Is it because I've given admin access to my Cloudflare DNS records to another third-party software? If yes, where do I find and, if appropriate, remove the connection?

The only one I can think of is Ezoic.

Check the audit log. That should show who removes these entries.

Either someone has your password and does this via the web UI or - more likely - some automated script has your API key (or an API token) and uses it to change your records via the API. In that case you should either refresh your API key or revoke (or roll) that API token.

When you integrated Ezoic they created an API token with which they manage your DNS records. If this was not what you intended you should delete the API token.

2 Likes

What, so someone else decided this was my solution for me?

That doesn't answer the question; you basically have just stated I do what I said I have already done.

How do I know who has access to my API?

There should be like a list of third parties who have been allowed API access. Where can I see this?

That is what I addressed already.

You should reset the credentials used in this context and that will most likely be that API token. Seemingly your host automatically created that and you will need to revoke that if you don’t want them to modify your records.

Remove the API token in question and you should be good to go.

So reset my Cloudflare login details?

So there is no way to actually find out or see a list of third parties who have been given API access?

Not your login details, only the API relevant credentials. That change was made via the API.

There is no list of third parties having access, but your host seemingly got access when you started that integration. If you remove (or roll) that token you should be good.

So I need to go to Ezoic and revoke permission/integration on their end?

That is just assuming that it is Ezoic… it might not be. That's why I think (like the audit) Cloudflare should keep a log of associated/integrated third parties.

No, you should revoke/roll the token on Cloudflare’s side in the dashboard.

Of course you can also make changes on your host’s side but that depends on whether they support it.

Cloudflare cannot have a list of who has access to your account and whom you provided with that access. For that you need to consult the audit log.

How do you do this?

https://dash.cloudflare.com/profile/api-tokens

It just says “No API tokens”

Then that access will have been via the global key and you should have that reissued. Same page.

OK, thanks.

I have an IP for the Rec Del in the audit log
3.82.19.*

That’s an Amazon address. That could be your host but you should clarify it with them. If it is not them someone else got access.

That's weird, my site is hosted with GoDaddy.

That doesn’t mean it is hosted by Amazon, just that whatever service accessed your site runs off an Amazon server. You really best clarify this with your host and make sure in the meantime that key is changed.

OK, I've decided to first remove the Ezoic-Cloudflare integration and see if it makes a difference.
If not, then I will change the global key.

Thanks.

I’d still change the global key in any case. You only need to make sure services which you still want to access your account get the new key.

2 Likes
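The audit-log check recommended in this thread, as an added example that is not part of any post and is not Cloudflare's code: it groups API-driven record deletions by source IP and lists records that were added from one source and later deleted from another. The entry layout (`interface`, `action.type`, `actor.ip`, `metadata.name`) and the `rec_add`/`rec_del` action names are assumptions about an exported audit log; all sample entries, IPs and record names are constructed.

```python
from collections import defaultdict

def _entry(when, interface, action, ip, name):
    # Assumed audit-log entry layout; adjust keys to match your real export.
    return {"when": when, "interface": interface, "action": {"type": action},
            "actor": {"ip": ip}, "metadata": {"name": name}}

# Constructed sample: records added in the dashboard, removed via API next day.
SAMPLE = [
    _entry("2024-03-01T10:02:11Z", "UI", "rec_add", "198.51.100.7", "_dmarc.example.com"),
    _entry("2024-03-01T10:03:40Z", "UI", "rec_add", "198.51.100.7", "mail.example.com"),
    _entry("2024-03-02T04:15:09Z", "API", "rec_del", "203.0.113.50", "_dmarc.example.com"),
    _entry("2024-03-02T04:15:10Z", "API", "rec_del", "203.0.113.50", "mail.example.com"),
    _entry("2024-03-03T12:00:00Z", "UI", "rec_del", "198.51.100.7", "old.example.com"),
]

def api_deletions_by_source(entries, own_ips):
    """Group API-driven deletions by source IP, skipping the owner's own IPs."""
    groups = defaultdict(list)
    for e in entries:
        if e["action"]["type"] != "rec_del" or e["interface"] != "API":
            continue
        ip = e["actor"].get("ip", "unknown")
        if ip not in own_ips:
            groups[ip].append((e["when"], e["metadata"]["name"]))
    return {ip: sorted(rows) for ip, rows in groups.items()}

def reverted_records(entries):
    """Records added from one source and later deleted from a different one."""
    added, reverted = {}, []
    for e in sorted(entries, key=lambda e: e["when"]):
        name = e["metadata"]["name"]
        src = (e["interface"], e["actor"].get("ip"))
        if e["action"]["type"] == "rec_add":
            added[name] = src
        elif e["action"]["type"] == "rec_del" and name in added:
            prev = added.pop(name)
            if prev != src:
                reverted.append({"name": name, "added_by": prev,
                                 "deleted_by": src, "when": e["when"]})
    return reverted

if __name__ == "__main__":
    for ip, rows in api_deletions_by_source(SAMPLE, {"198.51.100.7"}).items():
        print(f"{ip}: {len(rows)} API deletions, first at {rows[0][0]}")
    for r in reverted_records(SAMPLE):
        print(f"{r['name']}: added via {r['added_by']}, deleted via {r['deleted_by']}")
```

A source IP that shows up only for API deletions and reverts dashboard changes points at a credential held by an integration or another party, which is the case for revoking the token or reissuing the global key.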