Use my usual nameservers instead of newly assigned ones
I recently purchased a new domain and thought it was a good idea to set my CF nameservers before adding the domain to Cloudflare.
But apparently if you do so, a new pair of nameservers will be assigned to the domain to prevent hijacking.
https://developers.cloudflare.com/dns/zone-setups/reference/nameserver-assignment/
I tried resetting the nameservers on my registrar and deleting/re-adding it to Cloudflare, but it still offers the new pair. Is there any way to use the original pair?
Thanks
IIRC you may have to give it a week to purge the old zone data
I.e., delete the Zone on CF, wait a week, then try again
Nice, thank you. Is the week just an approximate estimation? Do you know the exact zone data retention?
I believe it is a week, let me check
After a zone is deleted for seven days, it will be purged. Cloudflare does not respond to DNS queries for purged zones and, unlike deleted zones, this status cannot be reverted. In this case, even if you re-add the domain to the same Cloudflare account, none of the zone settings are expected to be restored. - Zone Status | DNS
Awesome, so it's 7 days, thank you so much!
I waited 8 days, re-added the domain and it still had the secondary nameservers 😭
You can't just add the nameservers that CF gives you as the nameservers in the registrar DNS settings?
I would like to use the same nameservers for all the domains in my account, as I have it as a preset on my registrar. It just feels unnecessary to have to use an extra pair of nameservers just because of one mistake made during config
That won’t work, it’s a security feature to prevent hijacking. That domain will never get those nameservers again, and if you don’t set those Cloudflare will assume you don’t control it and it won’t activate the domain. You might not even get the same nameservers for any other domain now.
Are you sure? Multiple people in this server said you eventually get the original pair after some time. And the article linked above says a zone will be purged after 7 days
A zone will be purged, sure, but the pair might be rotated for the whole account. Neither I nor most people here are privy to all security measures implemented by Cloudflare
And did you remove the Cloudflare nameservers from the registrar while the zone was purged?
Yes I did, I reset the domain nameservers and waited a week, but nothing changed
I wish we could get a reply from Cloudflare about this because there is no clear answer on the subject anywhere
It’s Trust&Safety’s department here, they won’t reply and won’t budge. But is it really that much of an issue to have a different pair of nameservers, which you set once and then forget?
I mean it's not a big deal, but still annoying. Just because it's a minor inconvenience doesn't necessarily mean everyone should settle for it and not question it.
I just wanted to know if there is a solution. If Cloudflare confirmed the nameservers will forever be different for that domain or for my whole account it would be fine, but instead no one knows what's really going on lol
Nameservers won't change after a zone is activated, they'll forever be "different" for that domain
The nameservers you need to set are dynamically selected at zone creation, most of the time these are the same but they aren't always, as you discovered
Whether the "default" for your account has changed, nobody knows, because there are several security systems working in the background to prevent domain takeovers that will adjust nameservers whenever needed
the best course of action is to
* never preset your nameservers at the registrar, nor presume that they will be something specific until you create the zone
* always set the nameservers you are told to set, when you're told to set them
* don't worry about them changing after you've activated the zone, they won't
The reply above this is the best summary of what’s going on… it’s not questioned as it’s a way to avoid abuse. If the other account the domain belonged to had the same pair and you maliciously set the same nameservers and tried to take it over?
I had to learn that the hard way too. Just set the ones it gives you when you add it. Annoying or not, it just has to be done.
I don't understand however, how keeping the same NS allows takeovers.
Since a huge number of domains and thus nameservers point to Cloudflare and you necessarily can add domains to Cloudflare DNS before you actually transfer them, this creates a window for takeover attempts if those nameservers would always be the same.
Or did I miss something fundamental?
You have apple.ns.cloudflare.com and orange.ns.cloudflare.com as nameservers set for example.com, I have the same set in my account (the actual pairs are usually people names, and there are thousands of combinations, by now). I go to my dashboard and say, "you know what? example.com belongs to me now". I add it, the nameservers match, the configuration is now in my account.
You could then do the same to me, or use the DNS control to then maybe take control of e-mail and then the registrar, meaning I have full control of your domain.
I then move to another account with a different pair and... done.
Yes, when you preset nameservers back before this change you were vulnerable to the (remote, but still there) chance of someone yanking your domain before you can add it to Cloudflare yourself
It's just, in general, not a good idea to set any domain to a nameserver pair you were not explicitly told to set
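A toy model of the mechanism the thread describes, as an added example that is not Cloudflare's code: it contrasts one fixed nameserver pair per account (the weak setting) with a pair chosen per zone at creation time, and reproduces both the takeover scenario above and the original poster's preset-nameserver case. The hostnames, the `Provider` class and the rule it uses to pick a replacement pair are constructed assumptions, not Cloudflare's actual logic.

```python
# Constructed pool of hostnames; real pairs are people names with thousands of combinations.
POOL = [f"{n}.ns.cloudflare.com" for n in ("apple", "orange", "pear", "plum", "fig", "kiwi")]
PAIRS = [frozenset(POOL[i:i + 2]) for i in range(0, len(POOL), 2)]
EMPTY = frozenset()


class Provider:
    """Toy DNS host. `registrar` is a dict domain -> frozenset of NS hostnames, standing in
    for the delegation the domain holder sets at the registrar.
    per_zone=False: an account always gets its fixed default pair (the weak setting).
    per_zone=True: when the delegation already points at the pair we would hand out, a
    different pair is assigned, so activation needs a registrar change by the holder."""

    def __init__(self, per_zone):
        self.per_zone = per_zone
        self.zones = {}  # (account, domain) -> assigned pair

    def default_pair(self, account):
        # Constructed: defaults cycle through PAIRS, so accounts 0 and 3 share one.
        return PAIRS[account % len(PAIRS)]

    def add_zone(self, account, domain, registrar):
        pair = self.default_pair(account)
        if self.per_zone and registrar.get(domain, EMPTY) == pair:
            pair = next(p for p in PAIRS if p != pair)
        self.zones[(account, domain)] = pair
        return pair

    def is_active(self, account, domain, registrar):
        return registrar.get(domain, EMPTY) == self.zones[(account, domain)]


def takeover_without_registrar_change(per_zone):
    """Account 0 owns example.com and activates it; account 3 shares its default pair and
    adds the same domain. True means account 3's zone activates with no registrar change."""
    registrar, cf = {}, Provider(per_zone)
    registrar["example.com"] = cf.add_zone(0, "example.com", registrar)
    assert cf.is_active(0, "example.com", registrar)
    cf.add_zone(3, "example.com", registrar)
    return cf.is_active(3, "example.com", registrar)


def preset_pair_is_replaced():
    """The OP's case: nameservers preset at the registrar before the zone exists; the
    holder then has to set the newly assigned pair (the thread's advice) to activate."""
    registrar, cf = {"example.com": PAIRS[0]}, Provider(per_zone=True)
    assigned = cf.add_zone(0, "example.com", registrar)
    return assigned != PAIRS[0] and not cf.is_active(0, "example.com", registrar)
```

With the fixed pair the second account's copy of the zone activates immediately; with per-zone assignment it stays inactive until the registrar delegation changes, which only the domain holder can do.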
Makes sense. Thank you