
While doing penetration testing for a client I stumbled upon a security incident. CloudFlare promises to hide the origin IP address when using its DNS.

I went to dnsdumpster.com, inputted my client's domain and there I found my client's ORIGIN IP ADDRESS, which should've been hidden. In CloudFlare DNS the corresponding records are all proxied.

How is this a thing?

Isn't that exactly what CloudFlare should be protecting against?

Anyone can lookup this IP and DDoS it directly while ignoring the CloudFlare network.

P.S. MX, SPF and A records for a mail server on a subdomain point to another IP, and that IP is visible (as it should be).

4
  • Does that tool show historical/previous IP addresses? If so you'd need to register a brand new DNS domain name to prevent that.
    – user
    Commented Oct 2, 2019 at 18:31
  • Check the DNS records to see if the domain retains any current mapping to that IP, perhaps for a subdomain. This is most likely not a Cloudflare issue, but some residue from old DNS records. It would be considered a Cloudflare bug if you could obtain the IP from Cloudflare endpoints or DNS records.
    – hax
    Commented Oct 2, 2019 at 18:33
  • @user this tool in particular does not have this function AFAIK. Commented Oct 2, 2019 at 18:41
  • @hax the DNS records are set correctly and the relevant records are proxied to hide the origin IP. Commented Oct 2, 2019 at 18:51

2 Answers

2

"Isn't that exactly what CloudFlare should be protecting against?"

Nope. CloudFlare is promising that anyone accessing your site through CloudFlare will not find out your backend IP address in the process. E.g., there's no X-Origin-IP header or the like leaking your IP out.

CloudFlare is not responsible for whatever other methods people might have. If you put it in DNS in an obvious way, or take out a page in the Times to advertise the IP, then it's findable.

6
  • "CloudFlare is promising that anyone accessing your site through CloudFlare will not find out your backend IP address in the process." But that's exactly what is getting leaked, try it out for yourself. No DNS records are set that are not going through the CloudFlare CDN. Commented Oct 2, 2019 at 18:39
  • Except one e-mail server, but it points towards another IP address than the main web server. Commented Oct 2, 2019 at 18:44
  • @SirMuffington Again, that's a separate channel. If you choose to put your origin servers in DNS, then they're published. CloudFlare isn't responsible for your choice in populating DNS. Browsers of your site still won't get that IP through the browsing process, which is what is promised.
    – gowenfawr
    Commented Oct 2, 2019 at 18:46
  • Please refer to the updated question. I've proxied those records. Commented Oct 2, 2019 at 18:49
  • 2
    @SirMuffington: Unfortunately you don't provide enough information to reproduce the issue. But as gowenfawr correctly said, Cloudflare does not promise to hide your IP completely; it only makes sure that a direct DNS lookup will return the IP of Cloudflare instead. It will, for example, not be able to unpublish information that was available in the past, i.e. historic DNS entries. But as the FAQ for dnsdumpster makes clear, it collects information from various sources (and likely also historic records). Commented Oct 2, 2019 at 19:44
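The question ("all relevant records are proxied") and the comments on this answer ("check the DNS records to see if the domain retains any current mapping to that IP") come down to one self-audit: for each name in your own zone, does the public DNS answer point at a Cloudflare address or at something else, and is that something else the origin you expected to be hidden? The script below is an added example (not code from the question, the answers, or Cloudflare) that runs that audit offline over a constructed set of DNS answers in `name type value` form, the shape you get from `dig +noall +answer` on each record. The Cloudflare ranges listed are a small subset known at the time of writing; in practice fetch the authoritative list from https://www.cloudflare.com/ips/. The `origin_ip`, the sample zone and the hostnames are all constructed for the example.

```python
"""Audit public DNS answers for records that expose a non-Cloudflare address.

Added example for this Q&A page; not code from the question, the answers or
Cloudflare.  Everything below (zone contents, origin IP) is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Subset of Cloudflare's published IPv4 ranges, known at the time of writing.
# Fetch the authoritative list from https://www.cloudflare.com/ips/ in practice.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20",
)]

# Constructed public DNS answers, one record per line: name, type, value.
# Mirrors the situation in the question: proxied web records, an unproxied
# mail host on its own IP, an SPF record naming that IP, and one forgotten
# subdomain still pointing straight at the (hypothetical) web origin.
SAMPLE_ANSWERS = """\
example.com.       A    104.16.1.2
www.example.com.   A    104.16.1.2
example.com.       MX   mail.example.com.
mail.example.com.  A    203.0.113.10
example.com.       TXT  "v=spf1 ip4:203.0.113.10 -all"
dev.example.com.   A    198.51.100.7
"""


@dataclass
class Finding:
    name: str
    rtype: str
    address: str
    origin_leak: bool  # True when the exposed address is the hidden web origin


def parse_answers(text):
    """Split 'name type value' lines into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        records.append((name, rtype, value))
    return records


def behind_cloudflare(address, ranges=CLOUDFLARE_RANGES):
    """True if the address falls inside one of the Cloudflare ranges.

    Mixed IPv4/IPv6 comparisons are simply False in the ipaddress module,
    so an AAAA answer is checked only against IPv6 ranges you add to the list.
    """
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in ranges)


def audit(records, origin_ip, ranges=CLOUDFLARE_RANGES):
    """Return every A/AAAA answer and SPF ip4/ip6 token outside Cloudflare.

    A finding is flagged origin_leak when the exposed address equals the web
    origin that the proxied records were supposed to conceal; anything else
    (a separate mail host, as in the question) is exposed by design.
    """
    findings = []
    for name, rtype, value in records:
        addresses = []
        if rtype in ("A", "AAAA"):
            addresses.append(value)
        elif rtype == "TXT" and "v=spf1" in value:
            # Capture the address part of ip4:/ip6: tokens; a /prefix is dropped.
            addresses.extend(re.findall(r"ip[46]:([^\s/\"]+)", value))
        for addr in addresses:
            if behind_cloudflare(addr, ranges):
                continue
            findings.append(Finding(name, rtype, addr, addr == origin_ip))
    return findings


if __name__ == "__main__":
    # Hypothetical web origin that the proxied records are meant to hide.
    for f in audit(parse_answers(SAMPLE_ANSWERS), origin_ip="198.51.100.7"):
        tag = "ORIGIN LEAK" if f.origin_leak else "exposed (non-origin)"
        print(f"{tag:22} {f.name:20} {f.rtype:5} {f.address}")
```

On the sample zone this reports the mail host and the SPF token as exposed but not the origin, and `dev.example.com.` as an origin leak: exactly the "residue" case the comments describe. What the script cannot see is history: if the origin address was ever published unproxied, passive-DNS collectors such as the one the question used may still hold it, and the only remedy for that is the one implied above, moving the origin to a fresh address and having it accept connections only from Cloudflare's ranges so a remembered IP is no longer useful.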
1

This is called a "CloudFlare resolver". It's basically just a scanner/discovery tool that searches for subdomains linked to the main domain that are not protected by Cloudflare and therefore not listed; this way it is possible to hurt the real IP address by disclosing the real IP address by finding a vulnerable subdomain.

https://www.hackingtutorials.org/wp-content/uploads/2015/06/Websploit-Cloudflare-Resolver-Module-Tutorial-3.jpg

3
  • So this Metasploit module is able to find every single subdomain used with CloudFlare proxy with their corresponding IP addresses? :O How does it work? Commented Oct 2, 2019 at 19:09
  • @SirMuffington Theoretically yes
    – tungsten
    Commented Oct 2, 2019 at 19:10
  • 1
    Let me guess it uses wordlists and/or brute force? Commented Oct 2, 2019 at 19:17
