
Cloudflare silently deleted my DNS records - iudqnolq
https://txti.es/cloudflare-deleted-my-dns
======
jgrahamc
This is being looked into internally and I am involved. Likely won’t post an
update here as it pertains to a customer account (unless customer agrees).

BTW If you, dear reader, ever find yourself so frustrated with Cloudflare that
you feel like your only recourse is a blog post... my email is
jgc@cloudflare.com and I’m happy to hear from people.

~~~
andrewstuart
I've put this idea forward a number of times here on HN in regards to other
big tech companies.

Technology companies need an "ombudsman" - a contact that customers can go to
when the normal tech support processes have failed.

The Ombudsman must _not_ be part of the technology company's ordinary support
processes; it must be entirely separate, and have the highest level of authority to
demand action within the company.

To avoid the Ombudsman being overused, you could give it a price of say $20,
which is always refunded when the case is resolved.

HN constantly has front page posts from people for whom big tech companies'
support processes have failed, but there is simply no other recourse
unless you have "a friend in the business".

It just doesn't work to have some random Cloudflare person offer their email
address as some post disaster issue resolution process on social media.
Formalise it with an official Ombudsman and maybe then companies like
Cloudflare might avoid HN front page bad publicity.

I had an issue at "one of the biggest tech companies" that went on for days
and days in which tech support kept telling me I had set up something wrong,
until eventually I emailed one of the top managers who I happen to "know" at
that company - it was fixed within hours. That "contact a friend in the
business who can actually get things done" is a necessary part of a large
support organisation and it simply does not exist yet in any tech company that
I know of.

~~~
awill
This is a really great idea, but I don't think it's possible for this to not
get overused for every little issue. Once it's overused, it becomes useless.

~~~
CamelCaseName
I like the setup my bank's Ombudsman has -- you must first take your issue to
first level support, then escalate it with them if not resolved. If the second
level of support denies you, then and only then can you reach out to the
Ombudsman.

Any requests that haven't gone through the proper process get auto-rejected.

~~~
lubujackson
That is the logical way for things to work, but it requires first level tech
support letting you escalate, which is not always the case with non-bank
industries.

The current go-to move is to tweet a complaint at the company's Twitter
account. This is surprisingly effective across multiple industries and
actually was something my wife did that helped resolve a time-sensitive AirBnB
issue.

------
Mojah
Occasions are rare where I get to say "hey, I built a thing that might help
here!" - so forgive me as I take this opportunity with both hands.

Whether this was a bug or a rare protective mechanism, there will be times
when your DNS provider makes a mistake and removes records. You mentioned in
your post your DNS isn't hard to reproduce, but how certain are you that _all_
records are restored? How long do you have to fight DNS issues before it's OK?

I built DNS Spy [1] for this exact occasion. It monitors your DNS for any
changes made, keeps a version of all DNS records (current & former) and allows
you to restore/download a BIND9 zone file for your zone. You can easily import
this into any commercial DNS provider or in your own BIND9/PowerDNS setup.

I would love to hear feedback on how DNS Spy could be improved when DNS
disasters like these occur!

[1] [https://dnsspy.io/](https://dnsspy.io/)

~~~
iudqnolq
(OP here). That looks really useful. If I was running a real service I would
definitely look into it. Because this is just the personal website and email
of a college student I don't think I could justify the expense when using
something like Uptime Robot to monitor if a single record points to a web
server would probably give me close to the same reliability.

~~~
Mojah
Oh I absolutely agree!

If you're a business, whether it's a SaaS or "just" a marketing website for
your brick & mortar store, I think it's crucial to have back-ups. Most people
think of backups as files, database dumps, previous versions, etc of their
website. But the configuration data (in the form of DNS) isn't often
considered.

You're tech-savvy and can restore your DNS records because you know your
servers' IP address and your MX records, but who else could do the same?

------
ocdtrekkie
There's a number of Cloudflare folks who are HN regulars, so hopefully you'll
get some answers. Hopefully it's something they can reverse.

But as a general reminder to everyone (I think this is an unfortunately common
problem from a number of companies): If this is how your company handles
account issues, you're probably wrong. Whether it's automated or manual, a
user should be able to access all of their own information even when you
decide to no longer provide them service. And you should test and retest the
ability for people who you now deny service to transfer out.

------
paulfurley
FWIW I recently evaluated a few DNS companies after Namecheap ballsed up our
MX records in a similar way.

I actively looked for someone we could pay money to, so we are their customer
(as opposed to being a free tier user, effectively a cost)

The winner was DNSimple[1], who do exactly 1 thing, and they do it extremely
well. And they are small enough to not take themselves too seriously[2], which
I really appreciate.

Oh and their normal support channel is email, and everyone in the company
takes a turn. I tested out their support before signing up and quickly heard
back from a competent engineer, so they passed that test too.

[1] [https://dnsimple.com](https://dnsimple.com)

[2] [https://dnsimple.com/dnsound](https://dnsimple.com/dnsound) <— bonkers

~~~
iudqnolq
Thank you. Looks like I'll just have to pay more. Any recommendations for a
registrar?

~~~
PopeDotNinja
Hurricane Electric has a pretty solid free DNS offering. I've been using it
for like 10 years.

[https://dns.he.net/](https://dns.he.net/)

I haven't needed to talk to them much, but one time I tried to add a .ninja
domain, and their backend wouldn't handle it. I emailed them to report the
problem at 4:49 p.m. I got an email at 7:09 p.m. the same day (2 hours 20
minutes later) asking me to try adding it again. [1] When a free service
fixes your problem in a few hours, they get +1 gold star from me.

[1] I just checked my email to look up the actual times. This was on Mar 15,
2017.

~~~
jlgaddis
Also, HE DNS will "secondary" from your own server.

For example, you can run your own DNS server on a VPS or something, and HE
will AXFR the zones from your VPS and serve them authoritatively.

This allows you to run a hidden master, for example, which I can imagine some
HN folks being interested in.

~~~
alwillis
Doing exactly this with HE. Running Knot DNS [1] on Digital Ocean.

[1]: [https://www.knot-dns.cz/](https://www.knot-dns.cz/)

------
RcouF1uZ4gsC
Be wary of being part of something that is a cost center for the company
instead of a profit center.

CloudFlare is selling domains at cost. That means they are not making any
money from being a domain registrar, which means they will do everything to
keep the cost of doing it as low possible to themselves. This means lack of
customer service and use of ML dragnets for "anomalous" behavior.

~~~
owenmarshall
.com has a price floor of $7.85. Most registrars seem to target anywhere from
the $9.99 - $14.99 range for registration because, as far as I can tell, there
is no real differentiation outside of price.

Sure, I could spend $lots to get a dedicated account rep from MarkMonitor or
CSC but that's not really feasible for my personal site.

Are there really any registrars that hit a reasonable price point for
individuals and offer service beyond bargain basement? Because if so I'm doing
some transfers this weekend.

~~~
randomdude402
Namesilo has been a great, cheap registrar for me for many years and has
always had privacy included for free.

I tried several of the lower price registrars back in the day, and they all
sucked in their own way, despite me not needing anything except the thing to
just stay registered.

One or two would change the price of their domain privacy, most renew the
privacy for like 3 dollars and then send you the renewal email that your
domain needs to be renewed, one of them used to charge me separately like 80
cents from some weird Canadian shell company...

I actually have a domain still with probably the biggest "cheap" provider, and
they now have a thing where you are supposed to keep a deposit in your account
to cover automatic renewals. Just charge my damn credit card guys, please.

So I'm saying namesilo all the way. Only one that hasn't ever pulled any
shenanigans on me.

------
throwawaydns101
DNS has become frighteningly unreliable. Here are previous stories that show
how it is possible to lose access to your domain for no fault of yours:

(1) [https://news.ycombinator.com/item?id=21700139](https://news.ycombinator.com/item?id=21700139) - Sinkholed

(2) [https://news.ycombinator.com/item?id=19322966](https://news.ycombinator.com/item?id=19322966) - I lost my domain and everything that goes with it

No different than this story where the author's DNS records were deleted
because of so called "anomaly".

Here are so many more stories:
[https://news.ycombinator.com/item?id=21710939](https://news.ycombinator.com/item?id=21710939)

DNS was a good idea but now there are organizations that have the power to
arbitrarily take control and even remove your domain names and records. We
really need to come up with a peer-to-peer solution and take back control of
the naming system from these authorities.

~~~
Legogris
I looked into self-hosting DNS and it doesn't seem like that big of a deal as
long as you can ensure uptime, to be honest. If you set up the first two on
different hosts and possibly have #3/4 being cloud providers I think you're
pretty good.

Does anyone here have experience with running their own DNS servers for their
domains?

~~~
cnst
You don't even need multiple servers (especially if both your website and mail
run on the same server), it's a misconception debunked by the author of
djbdns:

[http://cr.yp.to/djbdns/third-party.html](http://cr.yp.to/djbdns/third-party.html)

~~~
Dylan16807
That talks about whether you have servers on multiple _networks_. If it
debunks the idea that you should have at least two _servers_ I can't find
where.

~~~
cnst
Well, maybe because DJB takes it for granted that you don't actually need two
servers in the first place, so, there's not much to debunk?

    % dig ns yp.to +short
    uz5jmyqz3gz2bhnuzg0rr0cml9u8pntyhn2jhtqn04yt3sm5h235c1.yp.to.
    %

If your provider requires more than one server, just make something up, within
reason, of course:

    % dig @tonic.to yp.to ns
    …
    ;; AUTHORITY SECTION:
    yp.to.   86400 IN NS uz5jmyqz3gz2bhnuzg0rr0cml9u8pntyhn2jhtqn04yt3sm5h235c1.ns.yp.to.
    yp.to.   86400 IN NS uz5jmyqz3gz2bhnuzg0rr0cml9u8pntyhn2jhtqn04yt3sm5h235c1.yp.to.

    ;; ADDITIONAL SECTION:
    uz5jmyqz3gz2bhnuzg0rr0cml9u8pntyhn2jhtqn04yt3sm5h235c1.yp.to. 86400 IN A 131.193.32.108
    uz5jmyqz3gz2bhnuzg0rr0cml9u8pntyhn2jhtqn04yt3sm5h235c1.ns.yp.to. 86400 IN A 131.193.32.109

~~~
Dylan16807
The question is whether you're violating the standard or doing something
unreasonable. Clearly DNS can't _prevent_ you from using one server, just like
it can't _prevent_ you from using one network you own.

------
Legogris
I had this exact thing happen to me as well, but wrote it off to having been
compromised (fortunately I was only using Cloudflare as secondary DNS servers
on a non-production account and am not using them as a registrar, so I only
noticed months after the fact). I think a major reason going with someone like
Cloudflare for DNS in the first place is reliability and availability and this
does not speak to that.

Zero communication in my case as well.

------
judge2020
Can't think of a reason this domain was touched (I don't work for CF) but I'd
recommend reading the threads related to this search:

[https://community.cloudflare.com/search?q=127.0.0.1%20audit](https://community.cloudflare.com/search?q=127.0.0.1%20audit)

Every related incident seems to be due to either nameservers
temporarily/incidentally changed away from CF (and CF's service not re-
checking it perhaps) or the registration billing failing (which doesn't look
to be the case since registration expires 2021[0]). The latest change to the
domain was about a week ago[0], so if that was when it was transferred to CF,
it might be the first scenario.

> Because Cloudflare deleted my domain registration I can't change the status
> from clientTransferProhibited through their dashboard so I don't think I can
> even leave.

Unless something else happened, deleting the zone from your account doesn't
affect the registration. Re-adding the domain will instantly allow you to view
the registration info and likely transfer away; this would only not work if
the zone is banned for some reason.

0:
[https://who.is/whois/danielzfranklin.org](https://who.is/whois/danielzfranklin.org)

~~~
iudqnolq
OP here.

> Every related incident seems to be due to either nameservers
> temporarily/incidentally changed away from CF (and CF's service not re-
> checking it perhaps) or the registration billing failing (which doesn't look
> to be the case since registration expires 2021[0]).

The changes a week ago involve adding and deleting TXT and A records only.
Cloudflare manages the nameservers I use as my registrar and I never changed
them from the default. I just confirmed all of that in the Cloudflare audit
log.

> Unless something else happened, deleting the zone from your account doesn't
> affect the registration. Re-adding the domain will instantly allow you to
> view the registration info and likely transfer away; this would only not
> work if the zone is banned for some reason.

Thank you so much! Trying that now.

~~~
mercora
I think the parent poster meant changes done by or for a registrar like shown
in whois. Zone changes won't show up there.

~~~
iudqnolq
Cloudflare is my registrar and manages my DNS. I would expect them to
log any significant changes to either in their audit log.

~~~
mercora
I think that it would be rather unusual to update timestamps in whois (which I
guessed the parent poster was referring to) based on updates to in-zone data.
A transfer would be an example of something that would change information in
whois and thus update the timestamp noted there for the latest update. It is
sometimes possible to infer the date of the latest change of in-zone data
because the serial of the zone is often constructed by using a date and a
counter. But that is actually just convention and not reliable. It's also
unlikely the parent poster was referring to this.

~~~
iudqnolq
Huh. I definitely didn't make any such changes within the last two weeks.
Maybe the whois date got changed because of something opaque and internal to
Cloudflare?

~~~
mercora
Yes, that is most likely what happened. A change of the nameservers with
authority for your zone, for example, or updates of DNSSEC keys would trigger
that too, I think. But most commonly it probably happens when the domain gets
a renewed registration period or the contact details for some person changed.

BTW, here are the dates referred to in whois for your domain:

    Updated Date: 2020-02-24T20:32:34Z
    Creation Date: 2015-06-09T15:34:37Z
    Registry Expiry Date: 2021-06-09T15:34:37Z

Looks like a change has been done even more recently.

~~~
iudqnolq
I believe the latest change happened afterwards when, on judge2020's advice, I
re-added the domain to Cloudflare, which I think triggered an NS change back to
them.

------
Paul-ish
> However, I'm unable to log in to their community forum. When I click the
> login button I'm redirected to my dashboard, and when I then click Support
> on the dashboard I'm redirected back to the forum without being logged in. I
> suppose it's possibly an issue with Firefox blocking cookies (although I
> disabled tracking prevention) so it's possible this part is partly a problem
> on my end.

I'm running into issues like this more and more, where you run into some strange
behavior on a website and you wonder "How did this ever make it into
production?", then you open the website in Chrome and the flows work fine. I
worry that Firefox is becoming less and less viable.

~~~
mark_and_sweep
This is not Firefox becoming less and less viable. This is developers caring
less and less about supporting older browsers, less capable hardware and, I
guess, long-term maintenance in general.

Just had a similar case today: My Mom tried to order something online on her
old Android tablet - and it didn't work. She blamed the tablet for it, saying
"It's just too old, it doesn't work correctly anymore! I used to be able to
order stuff on this website". I had to explain to her that her tablet is still
working fine, it's just the website that is broken because it's not supporting
her device (or browser) anymore. Shockingly, she listed quite a few websites,
which she has used for years, which have stopped working for her in the past
few months and years; all of these she mentioned as evidence that the problem
must be her tablet - not the websites. When I opened two of the sites she
mentioned, I wasn't too surprised to find very shiny, very modern single-page
applications (with service workers registered and even WebAssembly used on one
of them).

So when you are creating a modern web app, please don't just test in Chrome on
your new MacBook Pro. Think about your Mom. Ask yourself: "Is this still gonna
work on her crappy old device?"

~~~
SahAssar
Well, it's also a problem of device manufacturers dropping support for devices
too quickly. There are still android 4.1 devices sold on amazon, and you
really can't expect web developers to support that.

The manufacturer should be required to support it for the full lifetime of the
device. Especially since your mom uses it to order stuff, which usually
includes some pretty security sensitive information. I think you are putting
the burden on the wrong party.

~~~
mark_and_sweep
Well, I haven't analysed the exact technical reason for why submitting the
order failed. But I'm pretty certain that submitting an HTML form is a solved
problem in web development... Or at least it should be. I haven't tried
submitting a form with an async fetch from a web worker that communicates with
a redux store implemented in WebAssembly yet (or whatever that web app is
doing...).

~~~
SahAssar
If the order site is just submitting an HTML form in the old way with
credentials stored in a cookie (also the old way) that would probably be open
to trivial CSRF attacks.

If it is somehow checking for support for SameSite, Secure, CSP or any of the
other mechanisms that have been implemented in the last years then it might
fail. Or they might be using mechanisms that work around the problem that
those three are supposed to help since they are not available in older
clients, but just don't have the resources to test the random android 4.12
version that you use. I think it should have a proper error message if that is
the case.

But I feel like you are pointing the finger in the wrong direction. I try to
build my apps without extraneous fads, but keeping a webapp secure (in other
words keeping up to date with the latest protections) does not mean
"submitting a form", and it does not mean letting any old client lacking the
required protections through.

It also does not mean doing "WASM compiled redux reducers in ES6 module
workers authenticating over JWT to send gRPC commands to a kafka broker
talking with ingressrouting over anycast and an internal service mesh with
mTLS3.9 auth using curve9999.9, token binding and Wireguard to secure internal
communications over a VPC-less multi-cloud k8s cluster that uses Multi-Raft,
Single-Paxos to have a single, distributed, disputably non-consistent
CRDT-consensus algo over blockchain RS-232".

So, yeah, I'm not for fads over usability in tech. But I'm also not for
supporting insecure clients just because the manufacturer of those clients
doesn't give a shit.

~~~
tedivm
CSRF doesn't require any javascript to defend against. Having a nonce inside
of the HTML resolves that completely. SameSite and Secure cookies also don't
require any javascript, just some extra HTTP headers. I don't think security
justifies this.

------
whatthesmack
This is frightening. I just started the process of moving all ~60 of my
domains from Amazon Registrar + Google Cloud DNS to Cloudflare, and will
definitely wait until somebody from Cloudflare chimes in here to clarify
what's going on.

~~~
Jerry2
> _moving all ~60 of my domains from Amazon Registrar + Google Cloud DNS to
> Cloudflare_

You're very brave considering that Cloudflare doesn't even have U2F yet Google
and Amazon do.

~~~
whatthesmack
Great point! And let's just say that the migration project is now on-hold :)

~~~
ocdtrekkie
Are you using physical U2F keys for your Google or Amazon accounts?

Cloudflare does support standard TOTP-based 2FA like most people use for
Amazon and Google. So whether or not the lack of U2F support should matter
depends on whether you actually use it elsewhere anyways.

------
isclever
My takeaway:

1. Set up monitoring on your critical domains. UptimeRobot and Hetrixtools
are good starters with generous free tiers. You should know when your
website/email/DNS isn't working.

2. Don't tie your domain registration to your DNS provider. You lose
everything if something goes wrong with your account.

3. Be able to jump ship easily: have backups of your zone, and already know where
you will transfer to.

~~~
djsumdog
> UptimeRobot and Hetrixtools are good starters with generous free tier

Are there any open source status pages/monitor programs that have built-in
checks for HTTPS, DNS records (IPv4/6), arbitrary port checks, etc.? I'd rather
just set up a status page/alert app on a $5 minimal DO/Vultr node and
self-host/support/contribute to a FOSS program than use a commercial provider.

~~~
falcolas
<opinion class="unpopular">

Nagios. Or its descendant with a better configuration language, Icinga2.
They're fairly easy to do a minimal install and configure in a container or on
a VM.

</opinion>

------
daenz
This happened to me with AWS somewhat recently[0], and I never found out
exactly what happened. I just chalk it up to some dev made a mistake and
didn't tell anyone. It's pretty alarming when things like this happen though.

0. [https://news.ycombinator.com/item?id=21326014](https://news.ycombinator.com/item?id=21326014)

~~~
jcrites
I've been involved in using Route 53 to manage thousands of DNS zones, and
haven't come across something like that. I'd recommend putting in a support
request via the account that was affected to ensure that it gets looked at.

If you haven't already, you might consider checking the CloudTrail logs for
the account in question to see if there were any API commands related to the
zone.

~~~
PetahNZ
Although not DNS related, I have had weird things happen on AWS, such as
spikes of 5xx errors reported from CloudFront which was backed by ELB/EB, but
the ELB is showing no errors. Even after contacting AWS support they couldn't
resolve it, said they required application logs, but there are no logs because
the requests never reached the application servers.

------
MrStonedOne
Edit: the DNS record export/import functionality is hidden behind the advanced
search drop down for some reason. Ignore this entire comment.

From reading the linked helpdoc, apparently your entire domain can get removed
from Cloudflare if your registrar stops reporting Cloudflare's servers for the
NS records.

The mere idea of having to re-enter all hundred or so of our DNS records using
Cloudflare's 1.2 second delay at every step of the way add DNS record interface
because Namecheap bugged out for a few seconds is _horrifying_.

There is no way to export all of these, there is no way to import or mass add
and I don't think they can lean on the API to save them here.

Dns records are data, dns records are sometimes important unbacked up customer
data. Cloudflare does not offer a way for customers to back this data up, nor
a way to restore or recover from a backup but it acts very callous with this
data, deleting it in automated systems based on data from 3rd party providers.

Not a good look.

~~~
Hello71
I googled "cloudflare dns import" and "cloudflare dns export" and the first
result both times was an apparently official support article giving step-by-
step instructions on how to do so. I myself have used this function about six
years ago, so this is not new or untested functionality.

~~~
MrStonedOne
Never clicked that because I have no reason to look for a DNS export/import
button in the advanced search GUI... hmm. Good to know about, not sure why they
put it there.

------
fernandotakai
As much as I like Cloudflare (and I like them a lot), it's kind of absurd that
this kind of thing can happen. A lot of red flags that, if true, would mean
that their infrastructure requires a lot more care (127.0.0.1 as the source of
an audit event? no email when DNS records are deleted? no 1-to-1 message due
to this happening?).

~~~
thedanbob
I had an issue with them recently where a SRV record pointing to “.” (meaning
“service unavailable”) was being rewritten to the string “false”. It didn’t
take them too long to fix it, but it made me wonder how they managed to push a
bug like that to production without some sort of automated test catching it.

~~~
ocdtrekkie
IIRC, if you're on a free plan you get exposed to code changes a little faster
than their paying customers.

~~~
thedanbob
Which is fair, I'd rather be a guinea pig than look at ads in exchange for a
free service. I was just surprised that the thing they broke was as well
defined and testable as DNS validation.

------
hobofan
Had the same thing happen to me some years ago. Had a (not so important)
domain with Gandi, which pointed to the Cloudflare nameservers, and after some
time, the domain was gone from the CF dashboard together with all DNS entries.
The NS records were still pointing to CF and there also weren't any anomalies
with renewal of the domain.

I didn't give much thought to it, as I wasn't using CF for anything in
production at the time, but sad to see that it also seems to happen to other
people.

------
oefrha
Unrelated issue but sometimes Cloudflare docs/communications are not in sync
with their actual system which is immensely frustrating. I was bitten a few
times.

For instance, a while back I forgot to renew one of my side project domains so
it briefly expired for maybe a day or two. Got this email from Cloudflare
saying

> Your DNS records will be completely removed from our system in 7 days.

> ...

> Once you have completed this change, click the “Recheck Nameservers” button
> in your Cloudflare dashboard to ensure your domain stays active on
> Cloudflare.

I promptly renewed, except there's no "Recheck Nameservers" button anywhere,
and the dashboard still read "Moved" for maybe a day. Eventually the problem
was just gone, but the communication worried me that entire time.

(I do appreciate Cloudflare's service, though.)

~~~
outworlder
> Your DNS records will be completely removed from our system in 7 days.

This sounds like the plot of a Japanese horror movie.

------
therealmarv
Also don't forget: Cloudflare breaks many second and third world countries'
Internet with their DNS captchas because they think the good guys live only in
first world countries (maybe look up the word discrimination in your
dictionary cloudflare) and force them to install extensions like PrivacyPass
because they think "we are so big and know what is right for the world".

~~~
input_sh
That's CDN captcha, not DNS. If you use Cloudflare solely as a DNS provider,
your users don't see the captcha. If you route your traffic through their
servers, then they do.

~~~
therealmarv
You're right, it's their CDN not their DNS. Nevertheless many site owners
choose Cloudflare (paid or not paid) and use Cloudflare's default settings and
maybe they also never check their sites from second or third world countries.
The result is that the Internet is utterly broken on many Cloudflare hosted sites
(and that's a lot of sites) outside of first world countries.

~~~
iudqnolq
OP here. You're right, and even in the US I still get endless CAPTCHAs because
I browse on Firefox on Linux with tracking prevention.

My website was down for yak shaving when this happened, but before then I had
DDOS protection turned off.

------
Karupan
Stories like these scare the hell out of me. What do you do if one of the big
internet corporations deletes some resource or account that is critical to your
business? What happens when support isn't responsive and you don't have
contacts in the company or your HN post doesn't get visibility?

I get it - these are free services. You should factor that into every
decision. But the risk is real even if you pay for an account. I've been
slowly moving away from Gmail to a custom domain, but something like losing
DNS records and not being able to restore them quickly is even worse.

Back up everything that can be backed up, don’t rely on a single provider and
always have a continuity plan!

------
rekabis
Cloudflare considered harmful:
[https://www.devever.net/~hl/cloudflare](https://www.devever.net/~hl/cloudflare)

------
johnmarcus
Cloudflare Enterprise sales pissed me off so much the last time I dealt with
them that I literally registered "cancelcloudflare.com/net/org". We didn't
want to renew their $25k enterprise support for a website that got 50 hits a
month. It was embarrassing (for Cloudflare) how incompetent their Enterprise
Sales rep was. I would rather pay to host my own cache layer than ever have to
deal with them again, free or otherwise.

------
britmob
That is... quite scary. Why would you EVER have a way for auto deletion of
domains?

------
gist
> Does anyone know what might have caused Cloudflare to delete my domain? Any
> ideas for how I could transfer my domain away from Cloudflare sooner?

I don't get the point of 'shoot first ask questions later' type approach.
Obviously it would pay to get some kind of affirmative reply from Cloudflare
prior to a post which everyone here with incomplete information speculates and
wastes time on (like I am doing).

Also, Cloudflare did not 'delete my (the) domain'. It deleted the DNS records.
There is a difference, and no, I am not being pedantic either. How would 'the
internet' know why this was done? There could be any number of good or bad
reasons.

Lastly the domain is not expired and as such the registrar is required (per
ICANN) to supply an auth code so someone can transfer out. Or to allow the
customer to change the primary and secondary dns to another dns provider.
There is zero (legitimately) that allows cloudflare as either a dns provider
or a registrar to lock the domain up pretty much (other than for a legal court
order) just for some reason they might decide to do that.

~~~
iudqnolq
OP here.

> Also, Cloudflare did not 'delete my (the) domain'. It deleted the DNS records.
> There is a difference, and no, I am not being pedantic either.

Thanks. You're absolutely right. I meant delete their record of the domain as
it shows up in the UI of their dashboard.

> How would 'the internet' know why this was done? There could be any number of
> good or bad reasons.

For many reasons luckily HN isn't 'the internet'. I've already gotten some
good suggestions.

> Lastly the domain is not expired and as such the registrar is required (per
> ICANN) to supply an auth code so someone can transfer out. Or to allow the
> customer to change the primary and secondary DNS to another DNS provider.
> There is zero (legitimately) that allows Cloudflare as either a DNS provider
> or a registrar to lock the domain up pretty much (other than for a legal
> court order) just for some reason they might decide to do that.

I know. Again, I guess I was insufficiently specific. Cloudflare has warned me
to expect long wait times before I can talk to a customer support rep. My
question was if there's a way to transfer out without needing to wait on a
slow support loop.

------
dergachev
Out of this very fear, when Evolving Web started using CloudFlare for DNS, we
wrote this backup script that runs on cron and pushes our settings to a git
repo. [https://github.com/evolvingweb/cloudflare-dns-backup-
tool](https://github.com/evolvingweb/cloudflare-dns-backup-tool)

------
peter_d_sherman
We need a neutral, third-party service that monitors other service providers.
That is, checks periodically for such things as a host being reachable, DNS
working, certificates working, etc., which notifies both the service provider
company and the end-user when there is a discrepancy, but most importantly,
acts as a source of records in the case of a dispute -- in other words, they
hold a record of what the service should be and should do. That is, when the
service provider creates a service record, they would cryptographically sign
it, and forward it to this future third-party service. The same for deletions.

Now we can track, record, and audit that service provider's promises...

 _That way, the service provider can 't use an all-too-easy excuse like "we
can't find that record in our database -- so you must not have ever created
one..."_

------
errrmaybenot
Reminds me of Rackspace - clown IT, overpriced. They provisioned email
incorrectly and swore that once we changed nameservers to them it would work.
We pointed out it wouldn't using a few basic tools and asked for an
escalation, they refused and we were stuck with level 1 tech support. After a
few days I found someone on Twitter who escalated, they admitted they fucked it
up, but the damage was done, I was frustrated and called it a day - I proceeded
to cancel, they then had the cheek to say "let's all be professional here"... I
can deal with occasional shit support but I can't deal with escalation
refusal, or endless cycles of support tennis or being redirected to irrelevant
knowledgebase articles.

------
dariusj18
Cloudflare once deleted one of my domains because the NS records were set in
the wrong order.

~~~
LinuxBender
What do you mean by wrong order? Do you mean the NS records in the zone file
were after a delegation / referral? What RFC was your zone breaking?

~~~
dariusj18
Ignore me, I just went to look again, and one of the NS records was
misspelled.

------
n0bel
We've just been dealing with this for my company as well. Cloudflare has
repeatedly deleted our DNS and cannot provide a reason why it happened. Last
time thousands of dollars of PPC Ads were running uselessly.

------
PovilasID
Had the same or very similar issue. My domain registrar dropped all name
server settings on an 'update'/whois update requirement change. Luckily I had
an old export of DNS records so most were there, but not all the settings were
retained, like DNS only or full proxy. Those were not mission critical, so not
that bad, but I bet some emails went to the void because there was no real
warning from either my domain registration service provider or CF, so I found
it very 'upsetting' (I was pissed at them both).

------
partiallypro
I've had Cloudflare delete an entire zone before, and I could never get an
answer as to what happened. They said it was deleted because the NS were
changed on the domain...but they never were.

------
dvno42
Funny that this is coming up. I just transferred over from Namecheap to
Cloudflare a few days ago and had a similar issue. One of my A records (out of
about 20) was missing after the transfer.

~~~
iudqnolq
I noticed that if you don't unfocus the input field by focusing somewhere else
on the page it may not save. That may be what happened to you.

------
sgnls
Last week, I have had an issue where a number of domains were purged from the
2nd tier registrar (Claranet) with exactly the same symptoms (domains
suspended, zone-files blown away)... and Network Solutions are to blame.

An assumption of false-payment led to them suspending "300-500" accounts
(mostly UK based). I am still of the opinion something far more sinister is at
play... and this doesn't comfort me.

------
andreitp1
I had the same thing happen to me with the same domain - twice. It just
disappeared from Cloudflare without any notice. I run multiple domains on the
same CF account, yet this has only happened with that specific one, which uses
a somewhat unusual TLD (.do).

------
jermaustin1
Same thing happened to me on GoDaddy for multiple domains when I got a call
from a client that their emails stopped working. All the zones were factory
reset, and no backup of the zones apparently existed at GoDaddy. I was on the
call with them for hours refusing to hang up until it was resolved or they
would lose the remainder of my business. After 2.5 hours of no valid reason
why multiple domains went back to default DNS values and no log of access to
my account for months, I let them go.

That's when I moved the couple of handfuls of domains I had left at GoDaddy
over to Hover. It's more expensive, but the Hover interface is better, and I
trust Hover (Tucows) more (well, I trust GoDaddy less).

------
Jerry2
This is Google-tier lack of support and general 'customer' gaslighting.

------
johnklos
Is it really all that surprising when a big company that claims to be good but
hosts phishing content in the name of free speech does whatever they want,
including breaking things and not explaining why?

I don't trust Cloudflare one bit, and I think everyone should question whether
their attempt to re-centralize everything is beneficial to the planet.

There are two major problems here: one, the problem itself, which is the
deletion of DNS for apparently no good reason, and two, which is the bigger
problem, is that it's incredibly difficult to talk to a human about what
happened, so there's no assurance it won't happen again.

If people want things to be reliable, we've got to stop using companies with
which we cannot communicate.

~~~
ocdtrekkie
IMHO (and I know the parent post includes significant difficulties getting
back out of Cloudflare), services like Cloudflare may be crucial to
decentralization. I _can 't_ deal with something like my blog post being
frontpaged on HN if my website is hosted in my house, unless I have a good
CDN.

As a self-hosting enthusiast, something like Cloudflare is one of the best
chances of having a plan that competes with "just hosting it in the cloud".

~~~
johnklos
I hear you, but their DDoS services are painful to the rest of the world and
to people who want or need to use Tor, and others.

I'm talking about their rather political move to re-centralize DNS by
shoehorning themselves in to Firefox via DoH, for instance. Their
unwillingness to be transparent makes this all the more frightening. Add to
that their blatant desire to make money at the cost of doing the right thing
(and I'm talking about unambiguous things - is someone going to argue that
freedom of speech allows people run a phishing site of your bank?), and you've
got a scenario where once they reach critical mass, they will be exercising
their position to the detriment of everyone who isn't paying them, similarly
to how Gmail, through doing and not communicating, say "screw you" to many
small email services.

When people who don't use large providers have email issues with Gmail, lots
of people have knee-jerk reactions saying that everything should move to the
big providers, that people and small businesses should not host their own
email, and so on. This is NOT the way the Internet should work, and we should
never allow Gmail to just arbitrarily do whatever they want, then accept it as
the new normal.

If you have more than a dozen megabits of outgoing bandwidth, you can easily
host a blog from your home network which can handle a front paging here. Just
don't expect to dynamically generate a new copy of the site for every visitor,
and if your bandwidth is tight, then host your images on a static server off
of your network. Cloudflare is not necessary - perhaps it's easier, but it
isn't necessarily best to blindly trust a company that wants to become a
monopoly.

------
behringer
This is why you need name servers from 2 different companies and dns
monitoring. It doesn't matter who your provider is. Errors happen and waiting
half a week to fix it is insane.
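
The monitoring half of behringer's advice, as an added example that is not
code from the thread or from any provider: query each provider's nameserver
directly over UDP (so the local resolver's cache cannot hide a deletion) and
alert when one server's answers lag the others. Standard library only. The
`.test` nameserver names, the 203.0.113.10 address and `fake_response()` are
constructed so the block runs offline; `query()` is the live path.

```python
"""Cross-provider authoritative DNS check (added example, not from the thread)."""
import secrets
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "AAAA": 28}


def build_query(name: str, qtype: str, txid: int) -> bytes:
    """Wire-format query: 12-byte header (RD set), QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # RFC 1035 4.1.4 pointer
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end


def parse_answers(msg: bytes):
    """Return (rcode, {(name, rtype, rdata)}) from a response's answer section."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    rcode, off = flags & 0xF, 12
    for _ in range(qd):                                  # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    rrset = set()
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == 2:
            value, _ = _read_name(msg, off)              # NS target may be compressed
        else:
            value = rdata.hex()
        rrset.add((name, rtype, value))
        off += rdlen
    return rcode, rrset


def query(server: str, name: str, qtype: str, timeout: float = 3.0):
    """Live lookup against one server (network). UDP answers can be spoofed or
    truncated, so a real monitor retries over TCP and treats alerts as 'go look'."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack_from("!H", data)[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_answers(data)


def compare(answers: dict) -> list:
    """answers: {server: (rcode, rrset)}. Every server should serve the union;
    a non-zero rcode or a missing record is what a blown-away zone looks like
    from outside."""
    alerts = []
    union = set().union(*(rrset for _, rrset in answers.values()))
    for server, (rcode, rrset) in answers.items():
        if rcode != 0:
            alerts.append(f"{server}: rcode {rcode}")
        for missing in sorted(union - rrset):
            alerts.append(f"{server}: missing {missing}")
    return alerts


def fake_response(name: str, qtype: str, addrs: list, rcode: int = 0) -> bytes:
    """Constructed A-record response for offline runs: echoes the question and
    points each answer's owner name at offset 12 with a compression pointer."""
    q = build_query(name, qtype, 0x1234)
    body = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0) + q[12:]
    for a in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return body


if __name__ == "__main__":
    healthy = parse_answers(fake_response("example.com", "A", ["203.0.113.10"]))
    gone = parse_answers(fake_response("example.com", "A", [], rcode=3))  # NXDOMAIN
    for line in compare({"ns1.provider-a.test": healthy, "ns1.provider-b.test": gone}):
        print(line)
```

For a live run, replace the constructed responses with one `query()` call per
provider nameserver IP (the IPs come from the zone's NS delegation, not from
the providers' marketing pages) and cron it alongside the backup. The check is
deliberately picky: a server that answers NXDOMAIN for a name the other
provider still serves is the exact symptom described in this thread.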

------
thinkloop
> I registered for Cloudflare with a Gmail address specifically so that I
> could receive notifications from them if there were issues with my email
> setup.

good idea

------
mc3
First time I've seen a [https://txti.es](https://txti.es) posted on here.
Nice.

------
pvtmert
I am using the API to download/backup the zone every week (by cron) to gdrive
(fuse drive / cheap solution).

I do this for all the domains I use/manage.

This post has been a good reminder to check them :)

IMHO about the audit log: since they "delete" everything, nothing is left in
the zone/domain.

Thus, the initial log (127.0.0.1/creation) comes up. Kind of a feature of the
bug/logic error.
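
What the cron-driven backups that dergachev and pvtmert describe boil down to,
as an added example (not the evolvingweb tool linked above and not pvtmert's
script): pull the zone's records from the Cloudflare API, reduce them to a
stable text form worth committing to git, and diff today's pull against the
last snapshot so a disappearing record pages someone instead of being
discovered when mail stops. The `/zones/{zone_id}/dns_records` endpoint and
the Bearer-token header are Cloudflare's documented v4 API; the `example.com`
records in `YESTERDAY` and `TODAY` are constructed so the block runs offline,
and `fetch_records()` is the only part that touches the network.

```python
"""Cloudflare zone snapshot + diff (added example; not the evolvingweb tool)."""
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def fetch_records(zone_id: str, token: str) -> list:
    """Page through GET /zones/{zone_id}/dns_records. Needs network and an API
    token with DNS read permission; the stand-alone run below never calls this."""
    page, records = 1, []
    while True:
        req = urllib.request.Request(
            f"{API}/zones/{zone_id}/dns_records?page={page}&per_page=100",
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req, timeout=20) as resp:
            body = json.load(resp)
        if not body.get("success"):
            raise RuntimeError(f"API error: {body.get('errors')}")
        records.extend(body["result"])
        if page >= body["result_info"]["total_pages"]:
            return records
        page += 1


def _key(row: tuple) -> tuple:
    """Sort key that tolerates None (records without a priority)."""
    return tuple(str(x) for x in row)


def canonical(records: list) -> list:
    """Reduce API objects to the fields that define the zone's behaviour, sorted
    so two snapshots of the same zone render identically. `proxied` is kept on
    purpose: it changes behaviour (orange cloud vs DNS-only) and is exactly the
    setting a plain zone-file export loses."""
    rows = {
        (
            r["name"].lower().rstrip("."),
            r["type"],
            str(r.get("content", "")),
            int(r.get("ttl", 1)),       # 1 means "auto" in the Cloudflare API
            bool(r.get("proxied", False)),
            r.get("priority"),          # only MX/SRV carry one
        )
        for r in records
    }
    return sorted(rows, key=_key)


def render(rows: list) -> str:
    """One record per line; this is the text worth committing to git."""
    out = []
    for name, rtype, content, ttl, proxied, prio in rows:
        extra = f" prio={prio}" if prio is not None else ""
        out.append(f"{name} {rtype} {content} ttl={ttl} "
                   f"proxied={'true' if proxied else 'false'}{extra}")
    return "\n".join(out) + "\n"


def diff(old_rows: list, new_rows: list) -> dict:
    """Records present in the old snapshot but not the new one are the alert."""
    old, new = set(old_rows), set(new_rows)
    return {"removed": sorted(old - new, key=_key), "added": sorted(new - old, key=_key)}


def check(old_records: list, new_records: list) -> dict:
    """What the cron job runs: diff the last committed snapshot against a fresh
    pull. A non-empty `removed` list means page someone, not just commit."""
    return diff(canonical(old_records), canonical(new_records))


# Constructed sample data standing in for two daily API pulls. Yesterday's
# snapshot has three records; today's has silently lost the apex A and the MX.
YESTERDAY = [
    {"name": "www.example.com", "type": "A", "content": "203.0.113.10", "ttl": 1, "proxied": True},
    {"name": "example.com", "type": "A", "content": "203.0.113.10", "ttl": 1, "proxied": True},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "ttl": 300,
     "proxied": False, "priority": 10},
]
TODAY = [
    {"name": "www.example.com", "type": "A", "content": "203.0.113.10", "ttl": 1, "proxied": True},
]


if __name__ == "__main__":
    result = check(YESTERDAY, TODAY)
    print(render(canonical(TODAY)), end="")
    for row in result["removed"]:
        print("REMOVED:", row)
```

In practice the job writes `render(canonical(fetch_records(...)))` to a file in
the repo, runs `check()` against the previous commit's content, commits, and
alerts on anything in `removed`. Keep the token scoped to DNS read only and
store the repo somewhere the DNS provider cannot reach: once the provider's own
audit log shows nothing but the original creation, as pvtmert notes above, the
external snapshot is the only record of what the zone used to contain.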

------
imduffy15
I hate this paid support model. I don’t want to have to pay to tell a company
I think they screwed up.

------
homero
Suspending can be a mistake, that's fine. Deleting DNS records and no
notification is absurd.

------
cm2187
I wonder how many people backup their DNS settings so they can recreate them
quickly...

------
1337n008
After they began to turn on their own customers I moved all my domains and
closed my account. Looks like I have not missed out much.

Imagine if one day your bank decided to close your entire bank account without
telling you...lol.

------
parliament32
Cloudflare is pretty trash regardless, but putting all your eggs in one basket
(no matter which provider) is just a terrible idea.

------
frf37
so what was the issue?

------
potency
Cloudflare lost my support when they started de-platforming people for holding
opinions they didn't agree with. Censorship outside of strictly legal bounds
should not be tolerated from a company as powerful as Cloudflare.

~~~
mavhc
Is it censorship if they refuse their money for a service? Pretty sure that's
just business. Are they stopping you having a website?

~~~
rabite
Yes, it is censorship. The entire history of First Amendment jurisprudence was
set around the idea that powerful people were not allowed to stop political
and religious speech. Marsh v. Alabama is a great example: a company town
owned sidewalks that they didn't want religious proselytizers on. The courts
ruled that the fact that they owned the sidewalks and roads is irrelevant. For
the entire history of my country powerful people were not allowed to buy up
the public square and prevent the little guy from speaking. Everyone had a
right to enumerate their grievances in a free and open marketplace of ideas.
This has of course changed in the age of the Internet, where a bunch of
scheming Stanford grads have bought up the courts, wrested control of the key
Internet infrastructure away from the public who funded its creation, and sit
there and grin as they take the role of arbiter over all speech on the
Internet. The wealth and power disparity between the rich and poor is at its
height, and it is clear that there will be no legal or democratic solution to
the concentration of power in the hands of a handful of Silicon valley
billionaires.

~~~
mavhc
How is it censorship? They're not stopping you publishing anything, they're
just not helping you do it.

