cloudflare privacy and you

the problem with using cloudflare for multiple domains

published 2024-09-10

tags: cloudflare, privacy, dns


privacy concerns

Cloudflare assigns every account 2 nameservers. At the time of writing Cloudflare operates 900 nameservers with unique names, which gives 404550 unique pairs (900 choose 2). Domains having the same nameservers doesn't mean that the domains are managed by the same account, but it can be used along with other data to find sites that are managed by the same party.

finding domains with matching nameservers

finding the nameservers the domain uses

Checking which nameservers a domain uses is simple and can be done with nslookup. For example, running nslookup -q=ns eelis.dev returns:

eelis.dev	nameserver = jaziel.ns.cloudflare.com
eelis.dev	nameserver = stevie.ns.cloudflare.com

fetching matching name servers from an api

There are multiple services that allow you to do this but I'm using whoisxmlapi.com as an example because it has a free trial that doesn't require a credit card. I am in no way affiliated with the service nor do I endorse it.

The following bash script uses the whoisxmlapi to find domains that share nameservers.
NOTE: This script doesn't handle pagination since the list of domains is usually quite short and one page contains 200 results.

#!/bin/bash

# check that jq is installed since it doesn't ship with standard utilities
# (redirect stdout first, then stderr, so the version check is fully silent)
if ! jq --version >/dev/null 2>&1; then
	echo "jq not found"
	exit 1
fi

# get input nameservers as arguments
if [ "$#" -ne 2 ]; then
	echo "usage: $0 <nameserver1> <nameserver2>"
	exit 1
fi
NS1=$1
NS2=$2
# ADD YOUR API KEY HERE
API_KEY=""
if [ -z "$API_KEY" ]; then
	echo "API_KEY is empty, add your key to the script"
	exit 1
fi
API_URL="https://reverse-whois.whoisxmlapi.com/api/v2"
# set QUERY variable (read -d '' hits end of input and returns non-zero, which is expected)
read -r -d '' QUERY << EOF
{
	"apiKey":"$API_KEY",
	"searchType":"current",
	"mode":"purchase",
	"advancedSearchTerms":[
		{
			"field":"NameServers",
			"term":"$NS1"
		},
		{
			"field":"NameServers",
			"term":"$NS2"
		}
	]
}
EOF

# --silent keeps curl's progress meter out of the captured response
data=$(curl --silent --header "Content-Type: application/json" \
  --request POST \
  --data "$QUERY" \
  "$API_URL"
)

# the api responds with an object that contains the http response code
# (the field is absent, i.e. null, on a successful query)
responseCode=$(echo "$data" | jq '.code')
echo "$responseCode"
if [[ "$responseCode" != "null" && "$responseCode" != "200" ]]; then
	# print the full error object
	echo "$data" | jq
else
	# print one matching domain per line
	echo "$data" | jq -r '.domainsList[]'
fi
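The linkage only works because domains on one account share a nameserver pair, so the same check is useful in the other direction: grouping a domain portfolio by its canonical nameserver pair shows which domains are linkable to each other. The script below is an added example, not part of the original post or of whoisxmlapi; the resolve_ns helper assumes dig is installed, and the sample records (domain names and the ada/bob pair) are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): group domains by the nameserver
# pair they use so that linkable domains become visible.

# Resolve the NS records of one domain with dig (assumption: dig is installed)
# and print them space separated on one line. Not called by demo, which is offline.
resolve_ns() {
	dig +short NS "$1" | tr '\n' ' '
}

# Canonical key for a list of nameservers: trailing dot stripped, lowercased,
# sorted and joined with '+', so "Stevie.NS.Cloudflare.com." equals "stevie.ns.cloudflare.com".
ns_key() {
	printf '%s\n' "$@" | sed 's/\.$//' | tr 'A-Z' 'a-z' | sort | paste -s -d '+' -
}

# Read "<domain> <ns> <ns> ..." lines on stdin and print one line per
# nameserver pair shared by at least two domains: "<key>\t<count>\t<domains>".
group_by_pair() {
	while read -r domain ns_rest; do
		[ -z "$domain" ] && continue
		# shellcheck disable=SC2086  # word splitting of $ns_rest is intended
		printf '%s\t%s\n' "$(ns_key $ns_rest)" "$domain"
	done | sort | awk -F'\t' '
		{ n[$1]++; d[$1] = (d[$1] == "" ? $2 : d[$1] "," $2) }
		END { for (k in n) if (n[k] > 1) printf "%s\t%d\t%s\n", k, n[k], d[k] }
	' | sort
}

# Constructed sample: three domains, two of them on the same pair written with
# different case and trailing dots, in the format resolve_ns would print.
SAMPLE='shop-a.example jaziel.ns.cloudflare.com stevie.ns.cloudflare.com
shop-b.example Stevie.NS.Cloudflare.com. jaziel.ns.cloudflare.com.
blog-c.example ada.ns.cloudflare.com bob.ns.cloudflare.com'

demo() {
	printf '%s\n' "$SAMPLE" | group_by_pair
}

# For real domains: for d in $(cat domains.txt); do echo "$d $(resolve_ns "$d")"; done | group_by_pair
demo
```

The output key is the same normalised form the API script above expects as its two arguments, so a shared pair found here can be fed straight into it.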

making connections

At the time of writing the following domains share the same nameservers. The list is most likely incomplete since no domain database has 100% coverage.

NOTE: I HAVE NOT VETTED THE DOMAINS VISIT AT YOUR OWN RISK

143designz.com
aspectsbespoke.co.uk
aspectsbespoke.com
atra.cfd
atramobaile.ir
atramobaile1.ir
attitudesupplements.com
balkantal.com
bicycletubesdk.com
bmxvente.com
chachacha-lease.co.kr
clotya.in
cosverichore.cf
cyclesdenmark.com
cyclingpantsnl.com
deepwatercreature.com
deepwatercreature.dev
deepwatrcreatur.pro
firstcapital.in
gt-tradecar.com
hacknow.info
hi-flower.co.kr
hsssanstha.org
hypersensitivitybxx.ml
jayabaa.com
jblues.in
k-export.com
kb-rent-car.com
kernel-mirrors.cfd
kriptoguvenlik.com
laundryfirst.in
lighlilachar.cf
matchpredicts.com
miprestigio.co
mobilier-leblanc.fr
moddb2.shop
moddb3.shop
moddb4.shop
moddb24.shop
moddb25.shop
moddb26.shop
moddb27.shop
moddb29.shop
moddb30.shop
mopebeldimi.cf
mtbboutique.com
naotaka.net
nutricrush.in
one-trade.co.kr
prestigiodigital.co
quidichansotipi.ga
rent-official.co.kr
rutuparna.com
sereuxa.pics
serrsfz.pics
solarblackenergy.com
the-lease.co.kr
torontobusstops.ca
warriorsgravity.in
warriorsgravity.net
wedcomocibo.cf
yanginihbarsistemleri.com
zudavi.com

38 of 62 have A records

So out of curiosity I looked into the sites and found further connections quite easily.

From the domain names alone some guesses can be made.
For example moddb2.shop, moddb24.shop, moddb25.shop, moddb26.shop, moddb27.shop, moddb29.shop, moddb3.shop, moddb30.shop, and moddb4.shop are most likely linked to the same account. The domains don't currently point to a website and only have empty A records. ModDB is a modding-related site that doesn't sell anything to my knowledge.

jayabaa.com, jblues.in, hi-flower.co.kr, kb-rent-car.com, kernel-mirrors.cfd, torontobusstops.ca, yanginihbarsistemleri.com, serrsfz.pics, and clotya.in time out or return a cloudflare error page.

cyclesdenmark.com, cyclingpantsnl.com, bicycletubesdk.com, and mtbboutique.com look very similar, use WordPress, and share the same JS tracking client.
cyclesdenmark.com and cyclingpantsnl.com list 2 different addresses in the Netherlands on their websites, while bicycletubesdk.com on the other hand has an address in Denmark. mtbboutique.com is yet another bicycle shop, this time in France.

deepwatercreature.com, deepwatercreature.dev, and deepwatrcreatur.pro seem like someone's personal domains but they have empty A records.

aspectsbespoke.co.uk and aspectsbespoke.com point to a fitted furniture store in the UK.

atramobaile.ir amusingly shows the Apache 2 default page. My first thought was that this is used for domain squatting or phishing but I can't find any proof of that.

bmxvente.com returns the default nginx error page.

chachacha-lease.co.kr seems to be a Korean car leasing company.
k-export.com is a Korean car exporting company.
one-trade.co.kr is yet another Korean car related business.
rent-official.co.kr is a Korean car rental site with a very similar design to the other Korean car related business sites.
the-lease.co.kr is a Korean car leasing company.

firstcapital.in is a Sri Lankan investment bank.

gt-tradecar.com points to a French IP but the site doesn't load.

hacknow.info points to an example blog. I wonder what it's actually used for.

hsssanstha.org is a religious charity(?) organization.

kriptoguvenlik.com is a Turkish fire suppression/alarm system seller.

miprestigio.co is a login page for prestigiodigital.co services.
prestigiodigital.co is a digital marketing agency(?). All the text on the site is very corporate so it's very likely a B2B company.
"We define the Digital OMET of your brand and the action plan that includes a creative commitment to social networks, website, online service protocols for your clients, validation of action logistics and legal protocol, content marketing production, editorial design and the production of valuable content (blogs, specialized articles and audiovisuals for the web)."

Machine translated from the original text "Definimos el OMET Digital de tu marca y el plan de acción que incluye una apuesta creativa en redes sociales, página web, protocolos de atención online para tus clientes, validación de logística de acción y protocolo jurídico, la producción de content marketing, el diseño editorial y la producción de contenido de valor (blogs, artículos especializados y audiovisuales para la web)."

nutricrush.in seems like a raw food supplement manufacturer.
Their site states "The want & need to be healthy with the first step in the simplest way. NutriCrush Healthy Lifestyle is an evolving company, a start up with an ambition to eliminate unhealthy/refined/pasteurized/ adulterated foods that meet our daily needs."
Eliminating pasteurized foods... I'll just leave it at that.

solarblackenergy.com is a solar panel and battery seller in New Mexico.

warriorsgravity.in and warriorsgravity.net both return forbidden access, but a YouTube channel and other social media with the same name exist. It seems to be a rise and grind type thing.
attitudesupplements.com also returns a forbidden access page. It might be affiliated with warriorsgravity since both use Hostinger and have the x-turbo-charged-by: LiteSpeed header.

zudavi.com is a property selling/buying/renting company operating in Bangkok.