Wrong NS and DNS entries for a domain

Hi there,

We just encountered a weird situation with one of our domains in Cloudflare. We purchased the domain aghamw dot com a few months ago (not with Cloudflare - another company) and set up the nameservers to be our usual Cloudflare nameservers. We did not create the account in Cloudflare at the same time that we got the domain (and did not add any DNS yet) - we planned on doing it a few weeks later as this project was on pause for now. We were finally ready to go ahead with this project, so today we created the account on Cloudflare. We noticed that Cloudflare could retrieve some DNS entries for that particular domain (?? there were 0 DNS entries normally) and that this domain directed to a hacked website in Thai (or something like that). We deleted the DNS entries that Cloudflare was able to retrieve. To finalize the account creation, Cloudflare asks us to change the current NS (which are the good ones - our NS that we use for all of our accounts) to other unknown Cloudflare NS (not ours - these NS seem to redirect the domain to the hacked site). This is the first time we have encountered this; we really don’t understand what’s happening!!

Has any of you encountered the same problem? If anyone has any insights that would be greatly appreciated!

Many thanks.

While Cloudflare nameserver pairs may be (re)used for multiple domains in an account, they are not exclusive to a specific account, nor are they static.

What happened was someone at your organization pointed a domain to a service it didn’t have management authorization for and a malicious actor was able to exploit this security failure.

By adding the domain to your own account with the provided nameservers, the domain will become active under a zone you manage and you can configure the DNS entries to point wherever you choose.
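The failure mode described in this reply (a domain delegated to a DNS provider's nameservers before any zone for it exists in your own account, so the delegation serves whatever zone someone else creates) is something an inventory check can catch. The script below is an added example, not code from the thread or from Cloudflare: it takes constructed stand-ins for the NS records published in public DNS and for the zones your account actually holds, and flags dangling delegations and NS pairs that do not match the pair your account was assigned. The nameserver host names and domains in the sample data are constructed placeholders.

```python
from dataclasses import dataclass

# Suffix used by the provider's nameserver pool; adjust for another provider.
PROVIDER_NS_SUFFIX = ".ns.cloudflare.com"


@dataclass(frozen=True)
class Finding:
    domain: str
    kind: str      # "dangling" or "ns_mismatch"
    detail: str


def _norm(names) -> set[str]:
    return {n.lower().rstrip(".") for n in names}


def is_provider_ns(ns: str) -> bool:
    return ns.lower().rstrip(".").endswith(PROVIDER_NS_SUFFIX)


def audit_delegations(public_ns: dict[str, set[str]],
                      account_zones: dict[str, set[str]]) -> list[Finding]:
    """public_ns: domain -> NS names currently published for it.
    account_zones: domain -> NS pair the provider assigned to the zone in *your* account.
    A domain pointed at the provider with no zone of yours behind it can be
    claimed by anyone; a zone whose published NS differ from its assigned pair
    is being served by some other zone, which is the situation in the thread."""
    findings = []
    for domain, ns_set in sorted(public_ns.items()):
        published = _norm(ns_set)
        if not any(is_provider_ns(n) for n in published):
            continue  # delegated elsewhere; out of scope for this check
        owned = account_zones.get(domain)
        if owned is None:
            findings.append(Finding(domain, "dangling",
                                    f"delegated to {sorted(published)} but no zone in account"))
        elif _norm(owned) != published:
            findings.append(Finding(domain, "ns_mismatch",
                                    f"published {sorted(published)} != assigned {sorted(_norm(owned))}"))
    return findings


# Constructed sample data: paused-project.example was pointed at the usual pair
# months before a zone was created for it; claimed-late.example got a different
# pair when its zone was finally added, so the old delegation no longer matches.
SAMPLE_PUBLIC_NS = {
    "corp-main.example": {"ada.ns.cloudflare.com", "bob.ns.cloudflare.com"},
    "paused-project.example": {"ada.ns.cloudflare.com", "bob.ns.cloudflare.com"},
    "claimed-late.example": {"ada.ns.cloudflare.com", "bob.ns.cloudflare.com"},
    "other.example": {"ns1.otherdns.example", "ns2.otherdns.example"},
}
SAMPLE_ACCOUNT_ZONES = {
    "corp-main.example": {"ada.ns.cloudflare.com", "bob.ns.cloudflare.com"},
    "claimed-late.example": {"cleo.ns.cloudflare.com", "dan.ns.cloudflare.com"},
}

if __name__ == "__main__":
    for f in audit_delegations(SAMPLE_PUBLIC_NS, SAMPLE_ACCOUNT_ZONES):
        print(f"{f.kind:12} {f.domain}: {f.detail}")
```

In practice the first input comes from querying the NS records of every domain you own and the second from your provider account's zone list; anything in the "dangling" bucket should get its zone created (or its delegation removed) before it is pointed at the provider.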

