You can take over any domain if it has the same NS


You didn't “come hard”, you were rude and impolite.

  • that is your opinion.

I don't think this will be the case.

  • Based on what exactly do you know that someone is actually looking at this? You are mostly calling me a liar here, so please stop. I have the evidence that this happened.

This is the community forum and that's why I suggested half a dozen times to contact support and wait for what they say. You apparently eventually did this. When did you contact them and on what plan are you?

  • I did contact support. And I got a half-canned response. Nothing indicates that anybody has taken this seriously. ID is 1575396 and the account in question is on the free plan.

@sandro What exactly do you propose I do? I have an angry, now former, client that had his domain redirected to another IP. NS was not changed. The domain was removed from his account. Nobody else accessed this account. I had to re-add the domain. I have provided all the information I had here and in a support ticket.

If this was my mistake CF should provide logs of what I did. But no response from them. I am sure that there are logs of all domain ownership changes inside CF network. Let's see that. Let's see who initiated domain removal from the account…


No, that's a fact. Do you want me to quote you?

Excuse me? Nowhere did I ever call you a liar. I said your constant rehashing slowly turned into bashing and asked you to contact support which you only did with quite a delay.

I already assumed that, the question was when and you did not answer that.

I already explained that several times, feel free to go back in the thread and recheck.

Once you have got feedback and actionable information we can continue this discussion.


Let's take a look at the email I got after re-adding the domain.

You can see that NS are the same. In what scenario is this possible?
How could I add a domain that I already have?
This is the evidence that the domain was not on the account and that in fact somebody else had it and took it because NS are the same. Same way I was able to re-add it.


@sandro You know what, I don’t really care what you think. I am not wrong just because you say so. And I do not care if I hurt your feelings by being rude and impolite. Crucify me for that if that's what you’re into.

There is a really big security issue going on and something must be done about that. NOBODY can tell me that this did not happen. It seems that everything else is more important. I will not post here anything but facts that I get from the support if they ever reply something remotely relevant.


Can you please check if the domain has expired and been renewed over that period?


That is obvious. You generally seem to be a very nice fellow.

I never said anything remotely like that.

That is obvious at this point too.

You are obviously not willing to cooperate to address that issue, otherwise you’d have responded to the questions you were asked and provided feedback. All you do is rehash over and over again. That is pointless and useless.


I have already provided all the facts, here and to the support:

  • Domain is not even close to expiring
  • No change took place @ registrar
  • NS for the domain were never changed

@Xaq Check the pic, you can see that NS were the same at the time of re-add


No, you provided your point of view, which could be easily wrong.

You were asked dozens of times to contact support and post their conclusion here. You didn't do either.


I did contact support and I did provide facts. Also I posted a picture of an email that you seem not to see. If you are so eager to respond how about responding to that? Or maybe you want to say that I fabricated this picture and that I made this up? What is your goal here? If you can't help then don’t, stop acting like there is some fragile community that needs rescuing from big bad wolves like me that don't use proper language while writing.

There is nothing to post from the support other than semi-canned response about how CF system is working. @Xaq asked something and I replied.


For the third or fourth time, when?

That borders on paranoia. You put words in my mouth, accuse me of things I have never said or done, and generally make one incorrect statement after the other.

This thread is pointless at this point and apart from making wild accusations you do not show any behaviour that would assist in rectifying a potential problem. The thread will reopen in 48 hours, considering you did contact support I presume you will have a response/statement by then, so post their conclusions once we have actionable information.



In the 9th post, @lupetalo posted the ticket #. As none of the active participants have access to Cloudflare records to see what happened, this thread should remain closed until the Support ticket is resolved.


A detailed reply has been provided on the ticket. In cases like this the typical scenario is that there is an issue at the registrar that causes them to respond with non Cloudflare nameservers. Typically relating to a domain renewal, but not always. Once our system detects the move it begins a process to delete the domain. If the issue is resolved and nameservers are pointing to Cloudflare again, but the site owner doesn’t let us know to recheck, the domain will still get deleted. At that point, another user could attempt to add the domain.

In short, anyone can attempt to add a domain that is already on Cloudflare, but they won’t be able to successfully redirect traffic without the domain first being removed from the original account.



If another user adds the domain he/she needs to have the same NS servers that are already set for the domain. If NS servers are assigned randomly then a lot of attempts are needed to get the desired NS records. CF can detect such a brute-force attack easily. Is this the scenario or does CF always generate the same NS records for a domain regardless of user?


Based on my experience it’s the reverse: All domains of mine are on the same two nameservers, but when I try to add one to a second account I receive two nameservers unique to that account and its other domains. I imagine there is a failsafe system in place when two accounts have the same NS pair and request the same domain for Cloudflare, which was likely addressed in the ticket.


@ryan mentioned earlier

The system also checks to make sure that the nameserver pair on the new account doesn’t match that on the existing.

I’d say this pretty much clarifies the situation.


But now there is no existing one. The system has deleted the user's records since the domain doesn’t point to CF (e.g. coz of expiration). Then the question is, when nobody has the domain in his acc and the domain points to CF NS servers (after domain renewal for example), does CF take care not to assign the same NS servers to the newly added domain? After all someone is adding the domain in his acc while the domain already points to CF NS servers and a new random pair should be generated.


Someone must have been quick to point that domain to some other site. Without having more forensic data, it’s difficult to guess. Something would have to happen at the registrar to get that domain to point somewhere else.

Still…I suspect there was a lapse in service somewhere that created this opening for someone to swoop in and re-point the domain.


Ticket is resolved. So here is what happened exactly:

  • The domain did expire, and it was not pointing to CF NS for a brief period of time. That triggered Zone Delete after 7 days. On our part we did not notice an email about this.
    But, even if we did, we would have done nothing, NS was returned and the domain was under our account, pointed where we wanted. Everything working at that point.
  • After 21 days CF initiated Purge, and the domain was deleted from the account. At that point the domain was still pointing to CF NS but there were no active DNS records. Not sure how someone abused this or some other DNS related stuff happened so the domain started to point to some other IP.

From a user standpoint it is clear how this could have led to the image of a stolen domain. The system is not perfect and it can be improved.
Nobody expects that if you drop CF NS for a short period of time (ie domain expired and all is done by registrar) that you need to recheck the zone manually. Client can be totally blind about this, he pays for expired domain and all is back to normal. Nothing happens after 7 days as email states, but 21 days… Client will forget about that for sure…
Emails can be overlooked, and maybe it is best to notify the user more than once. Also when the zone is triggered it is more likely that a user will look for a CF email.
Domain should not be in free fall after it is deleted from CF. This is the most important thing. Maybe some “Inactive domain” page can be shown. This can be done if the domain is pointing to a CF NS but does not belong to any account. Not sure, but at that point it might be open for misuse. If the domain is pointing to some other website the first reaction of any user will be the same as mine.
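The sequence described in the staff reply and in the ticket summary above (nameservers move away, come back, zone is deleted anyway, delegation is left pointing at the provider) can be watched for from the owner's side. The following is an added example, not part of the thread and not Cloudflare code: the state names, host names and timeline are constructed, and a real monitor would fill `Observation` from a DNS lookup of the delegated NS and from the provider account's zone list.

```python
from dataclasses import dataclass

def norm(names):
    """Normalise NS host names so 'NS1.Example.' equals 'ns1.example'."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)

@dataclass(frozen=True)
class Observation:
    day: int                  # days since monitoring started
    delegated_ns: frozenset   # NS set the parent zone returns for the domain
    zone_in_account: bool     # is the zone still listed in our account?

def classify(assigned, obs, moved_before):
    on_provider = obs.delegated_ns == assigned
    if not obs.zone_in_account:
        # Delegation still points at the provider, but no account owns the zone.
        return "DANGLING" if on_provider else "ZONE_GONE"
    if not on_provider:
        return "DELEGATION_MOVED"      # provider may start deleting the zone
    # NS came back after a move: the owner still has to ask for a recheck.
    return "RECHECK_NEEDED" if moved_before else "OK"

def assess(assigned_ns, observations, recheck_days=()):
    """Return [(day, state)] for every state change in the timeline."""
    assigned, findings, moved_before, last = norm(assigned_ns), [], False, None
    for obs in sorted(observations, key=lambda o: o.day):
        if obs.day in recheck_days:    # owner requested a recheck that day
            moved_before = False
        state = classify(assigned, obs, moved_before)
        if state == "DELEGATION_MOVED":
            moved_before = True
        if state != last:
            findings.append((obs.day, state))
            last = state
    return findings

# Constructed sample data: host names and days are illustrative only.
ASSIGNED = ["ns1.provider.example", "ns2.provider.example"]
PARKED = norm(["park1.registrar.example", "park2.registrar.example"])
TIMELINE = [
    Observation(0, norm(ASSIGNED), True),
    Observation(3, PARKED, True),           # domain expired, registrar parks it
    Observation(5, norm(ASSIGNED), True),   # renewed, NS restored
    Observation(30, norm(["NS1.Provider.Example.", "ns2.provider.example"]), False),
]

if __name__ == "__main__":
    for day, state in assess(ASSIGNED, TIMELINE):
        print(f"day {day:>2}: {state}")
```

`RECHECK_NEEDED` is the state to alert on: everything looks healthy to the owner, yet the deletion process may already be running.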