Zone deleted from IP Address 127.0.0.1 without any users logging in


#1

We recently noticed that one of the sites we manage was down, and when I looked for it, it was no longer in Cloudflare’s dashboard.

Looking in the audit log, audit record 143320f2-d63a-50c2-8b20-925cb4f80193 shows that the zone was purged, but there’s no record of the user in question logging in, and the IP address listed is 127.0.0.1.

We don’t use the API or anything, so there isn’t really another way for anyone to edit anything.

Was Cloudflare compromised or glitched somehow?

I’m also wondering if there’s a way to recover that domain from before this deletion.


#2

The only way I’ve seen a zone get auto-deleted is if it’s not using the Cloudflare name servers assigned to it.

I’m sure Support has more insight into why it was deleted: log in to Cloudflare and then contact Cloudflare Support.


#3

We just had this exact same issue. Our client called saying their website and email were not working. Further investigation revealed that the Cloudflare zone was gone. Audit log says:

Date:
2018-08-20 11:26:15 (EDT)

User IP Address:
127.0.0.1

Resource:
Zone

Audit Record:
8e59f3a4-f158-5ed7-af8e-5ad93abd7f65

Metadata:
{ "Zone name": "inventorymp.com" }

The name servers were properly pointing to CF.

This is very disturbing!

Any advice on how we can prevent this in the future would be greatly appreciated.

-Ken


#4

I submitted this issue to CF support. I received a response saying my issue was resolved with no other explanation. When trying to view the support incident linked in the email I just get a 404 error. It appears that they deleted my support ticket.

I understand this is a “free” service that we pay for with our data, but a little transparency as to what causes this issue would be nice. This incident has definitely left a bad taste.


#5

You emailed support from an account not associated with the domain in question so the query was automatically closed as we can’t share information about a zone with anyone but the zone owner. You can resubmit your request from the UI logged in as the account or from the email address associated with the zone.


#6

Thank you very much for the response. I will resubmit the request. It would have saved us both some time if the reason the request was closed was in the email notice.


#7

When checking for whether or not an account is associated with a domain, do you check past history? Just seems like that could be a potential issue in this case, since the problem is that the domain has been removed from the account.


#8

Thanks, @danny.c.eck - The issue @cscharff was highlighting is that I emailed their support from an email address other than the one associated with my CF account. I’ve since resent my request from the correct address but haven’t heard back yet.


#9

After a response from Cloudflare support and a bit of digging, we now know what happened.

Back on July 24th, the nameservers for the domain were briefly pointed away from Cloudflare’s nameservers. Cloudflare notified us that the nameservers had been changed. It further stated that in order for the account to remain active we needed to change the nameservers back to Cloudflare and go to the dashboard and click the “Recheck Nameservers” button.

We changed the nameservers back but didn’t click the button in the dashboard.

In the end, the fault lies with us not following all the instructions. With that said, it would have been nice if Cloudflare had rechecked the nameservers on its own before deleting the zone or sent a second warning message.

At least we now know what to do if this issue comes up again.
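An added example, not part of any post in this thread and not Cloudflare tooling: a triage of exported audit records that separates zone deletions logged from a loopback address, the pattern reported in posts #1 and #3 and traced in post #9 to the automated nameserver check, from deletions tied to a user login. The record field names, the 12-hour login window and all sample values are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records. Field names are an assumption for this example,
# not Cloudflare's export format; ids, times and zone names are placeholders.
SAMPLE = [
    {"id": "rec-001", "when": "2018-08-19T14:02:00", "action": "login",
     "resource": "user", "actor_ip": "198.51.100.7", "metadata": {}},
    {"id": "rec-002", "when": "2018-08-20T11:26:15", "action": "delete",
     "resource": "zone", "actor_ip": "127.0.0.1",
     "metadata": {"Zone name": "example.com"}},
    {"id": "rec-003", "when": "2018-08-21T09:00:00", "action": "login",
     "resource": "user", "actor_ip": "203.0.113.9", "metadata": {}},
    {"id": "rec-004", "when": "2018-08-21T09:05:00", "action": "delete",
     "resource": "zone", "actor_ip": "203.0.113.9",
     "metadata": {"Zone name": "example.org"}},
    {"id": "rec-005", "when": "2018-08-25T03:00:00", "action": "delete",
     "resource": "zone", "actor_ip": "192.0.2.50",
     "metadata": {"Zone name": "example.net"}},
]


def triage_zone_deletions(records, login_window=timedelta(hours=12)):
    """Label each zone deletion 'automated', 'user-session' or 'unexplained'."""
    logins = [(datetime.fromisoformat(r["when"]), r["actor_ip"])
              for r in records if r["action"] == "login"]
    findings = []
    for r in records:
        if r["resource"] != "zone" or r["action"] != "delete":
            continue
        when = datetime.fromisoformat(r["when"])
        # Login source addresses seen shortly before this deletion.
        recent = {ip for t, ip in logins
                  if timedelta(0) <= when - t <= login_window}
        if ipaddress.ip_address(r["actor_ip"]).is_loopback:
            # No client address recorded: treated here as a platform-side job,
            # so check nameserver delegation and notification e-mails first.
            verdict = "automated"
        elif r["actor_ip"] in recent:
            verdict = "user-session"   # deletion follows a login from that IP
        else:
            verdict = "unexplained"    # external IP with no matching login
        findings.append((r["id"], r["metadata"].get("Zone name"), verdict))
    return findings


if __name__ == "__main__":
    for finding in triage_zone_deletions(SAMPLE):
        print(*finding, sep="\t")
```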


#10

Ah, interesting, we actually likely had something similar come up, since I know that a credit card for renewing one of our domains had expired.

I agree that it’d be nice if it just did one last check before doing the deletion.

