Assume that we have two websites with two different owners. Both of them set their domain name server to john.ns.cloudflare.com and joly.ns.cloudflare.com. The first owner set both domains in his account in CloudFlare and set server IP to his server IP, How can CloudFlare determine that this person is not the owner of the second domain?
Isn't this kind of a threat of our domain being hijacked by someone else?
I asked this question from cloudflare help center and I got this answer
When a user is signing up to Cloudflare they are provided with 2 of our DNS servers to switch their nameservers to from whatever their current value is. We have more nameservers than john and joly. The act of changing the nameservers to those specified for the user account signing up a domain to the values during the setup process demonstrates control of the domain.
Nope.
The name servers you're given are responsible for translating your the host name into an IP address, but clients won't know to query CloudFlare for the IP address. When making a DNS request, your domain name provider will tell you who's authoritative of the domain, meaning that which servers to query. Without setting CloudFlares servers in your domain name provider, they'll continue to point to whoever is authoritative, usually themselves if you're putting in records through their site. Once you add those name servers however, your domain name provider will start replying to queries saying they should see with CloudFlare to find the correct address.
When signing up for CloudFlare, you need to give them your domain before you set it up. At that point CloudFlare will check to see if someone else already added it to their system. If they did, CloudFlare won't give you a nameserver to set, and instead tell you that it's already in use. At that point you can contact support and work with them to sort it out.
