Serious Cloudflare bug exposed a potpourri of secret customer data

Jimmy Hess mysidia at
Fri Mar 3 00:35:11 UTC 2017

On Thu, Mar 2, 2017 at 5:15 PM, Matt Palmer <mpalmer at> wrote:
> On Sat, Feb 25, 2017 at 07:21:48AM +0000, Mike Goodwin wrote:
>> Useful information on potentially compromised sites due to this:
> "This list contains all domains that use Cloudflare DNS"

> That's only marginally more useful than saying "any domain matching /^.*$/";

Iirc;  It's quite easy to use the Proxy service without the DNS
service, as long as
you are using a Paid  CF account for the domain and not a free account.

Also;  Querying after the fact is not very scientific,  Because there
may be domains
that _Were_  using  CF  proxy service  During the incident  which no longer use
CF DNS or Proxy servers,  for whatever reason.

If you're going to scrape DNS records to decide,  should probably be
scraping A records for www,
and then checking Reverse DNS or matching against possible CF IP
addresses,   not  NS records.

> - Matt

More information about the NANOG mailing list