Serious Cloudflare bug exposed a potpourri of secret customer data
mysidia at gmail.com
Fri Mar 3 00:35:11 UTC 2017
On Thu, Mar 2, 2017 at 5:15 PM, Matt Palmer <mpalmer at hezmatt.org> wrote:
> On Sat, Feb 25, 2017 at 07:21:48AM +0000, Mike Goodwin wrote:
>> Useful information on potentially compromised sites due to this:
> "This list contains all domains that use Cloudflare DNS"
> That's only marginally more useful than saying "any domain matching /^.*$/";
Iirc; It's quite easy to use the Proxy service without the DNS
service, as long as
you are using a Paid CF account for the domain and not a free account.
Also; Querying after the fact is not very scientific, Because there
may be domains
that _Were_ using CF proxy service During the incident which no longer use
CF DNS or Proxy servers, for whatever reason.
If you're going to scrape DNS records to decide, should probably be
scraping A records for www,
and then checking Reverse DNS or matching against possible CF IP
addresses, not NS records.
> - Matt
More information about the NANOG