-2

While doing penetration testing for a client I stumbled upon a security incident. CloudFlare promises to hide the origin IP address when using its DNS.

I went to dnsdumpster.com, inputted my client's domain and there I found my client's ORIGIN IP ADDRESS, which should've been hidden. In CloudFlare DNS the corresponding records are all proxied.

How is this a thing?

Isn't that exactly what CloudFlare should be protecting against?

Anyone can lookup this IP and DDoS it directly while ignoring the CloudFlare network.

P.S. MX, SPF and A records on a subdomain pointing to another IP for a mail server are set up, and that IP is visible (as it should be).

tungsten
Sir Muffington
  • Does that tool show historical/previous IP addresses? If so you'd need to register a brand new DNS domain name to prevent that. – user Oct 02 '19 at 18:31
  • Check the DNS records to see if the domain retains any current mapping to that IP. Perhaps for a subdomain. This is most likely not a Cloudflare issue, but some residue from old DNS records. It will be considered a Cloudflare bug if you can obtain the IP from Cloudflare endpoints or DNS records. – hax Oct 02 '19 at 18:33
  • @user this tool in particular does not have this function AFAIK. – Sir Muffington Oct 02 '19 at 18:41
  • @hax the DNS records are set correctly and the relevant records are proxied to hide the origin IP. – Sir Muffington Oct 02 '19 at 18:51

2 Answers

2

Isn't that exactly what CloudFlare should be protecting against?

Nope. CloudFlare is promising that anyone accessing your site through CloudFlare will not find out your backend IP address in the process. E.g., there's no X-Origin-IP header or the like leaking your IP out.

CloudFlare is not responsible for whatever other methods people might have. If you put it in DNS in an obvious way, or take out a page in the Times to advertise the IP, then it's findable.

gowenfawr
  • "CloudFlare be promising that anyone accessing your site through CloudFlare will not find out your backend IP address in the process." But that's exactly what is getting leaked, try it out for yourself. No DNS records are set that are not going thru the CloudFlare CDN. – Sir Muffington Oct 02 '19 at 18:39
  • Except one e-mail server, but it points towards another IP address than the main web server. – Sir Muffington Oct 02 '19 at 18:44
  • @SirMuffington Again, that's a separate channel. If you choose to put your origin servers in DNS, then they're published. CloudFlare isn't responsible for your choice in populating DNS. Browsers of your site _still_ won't get that IP through the browsing process, which is what is promised. – gowenfawr Oct 02 '19 at 18:46
  • Please refer to the updated question. I've proxied those records. – Sir Muffington Oct 02 '19 at 18:49
  • 2
    @SirMuffington: Unfortunately you don't provide enough information to reproduce the issue. But as gowenfar correctly said Cloudflare does not promise to hide your IP completely, it makes only sure that direct DNS lookup will return the IP of Cloudflare instead. It will for example not be able to unpublish information which were available in the past, i.e. historic DNS entries. But as the FAQ for dnsdumster make clear it collects information from various sources (and likely also historic records). – Steffen Ullrich Oct 02 '19 at 19:44
  • @SteffenUllrich here is my DNS records table: https://imgur.com/a/ohhk7KO yes, in the past the records were pointing to that IP and if that information was logged and kept in the scanner I'm guessing your comment is the correct answer. – Sir Muffington Oct 02 '19 at 20:25
1

This is called a "CloudFlare resolver". It's basically just a scanner/discovery tool that searches for subdomains linked to the main domain that are not protected by Cloudflare and therefore not listed; this way it is possible to hurt the real IP address by disclosing the real IP address by finding a vulnerable subdomain.

https://www.hackingtutorials.org/wp-content/uploads/2015/06/Websploit-Cloudflare-Resolver-Module-Tutorial-3.jpg

tungsten
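A worked version of the two leak channels discussed on this page (the historic-record point in Steffen Ullrich's comment and the unproxied-subdomain scan of the second answer), added here as an example and not code from the question, either answer, or any "CloudFlare resolver" tool. It assumes constructed DNS data using RFC 5737 test addresses (`203.0.113.0/24`, `198.51.100.0/24`) and a hand-copied snapshot of Cloudflare's published IPv4 prefixes; fetch https://www.cloudflare.com/ips-v4 for the current list before trusting the classification. Hosts that are meant to resolve directly, like the asker's mail server, are passed in as `expected_direct` so they are not reported as leaks.

```python
"""Classify a domain's current DNS records and its passive-DNS history against
Cloudflare's published IPv4 ranges, to see where an origin IP is exposed.

Added example, not the page's code. All DNS data below is constructed
(RFC 5737 test addresses); the Cloudflare prefix list is a snapshot and may
be stale (assumption): refresh it from https://www.cloudflare.com/ips-v4.
"""
import ipaddress
import socket

# Snapshot of Cloudflare's published IPv4 prefixes (assumption: may be stale).
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_V4]

# Constructed "what DNS returns today": apex and www are proxied, the mail
# host is intentionally direct, and a forgotten staging host still points
# straight at the origin.
CURRENT = {
    "example.com": ["104.16.12.34", "104.16.13.34"],
    "www.example.com": ["104.16.12.34"],
    "mail.example.com": ["198.51.100.25"],
    "staging.example.com": ["203.0.113.10"],
}

# Constructed passive-DNS history, in the shape a service like dnsdumpster
# might keep: (hostname, ip, first_seen). The apex pointed at the origin
# before proxying was switched on in 2019.
HISTORY = [
    ("example.com", "203.0.113.10", "2018-03-01"),
    ("example.com", "104.16.12.34", "2019-09-15"),
    ("www.example.com", "203.0.113.10", "2018-03-01"),
]


def is_cloudflare_ip(ip):
    """True if ip falls inside any published Cloudflare prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)


def find_unproxied(records, expected_direct=frozenset()):
    """Return {host: [non-Cloudflare ips]} for hosts whose A records bypass
    Cloudflare, skipping hosts the operator expects to resolve directly
    (e.g. a mail server, which cannot sit behind the HTTP proxy anyway)."""
    leaks = {}
    for host, ips in records.items():
        if host in expected_direct:
            continue
        direct = [ip for ip in ips if not is_cloudflare_ip(ip)]
        if direct:
            leaks[host] = direct
    return leaks


def historic_origins(history, current):
    """Return (host, ip, still_live) for every past non-Cloudflare address of
    a host that is fully proxied today. Cloudflare cannot unpublish these;
    still_live says whether that same IP is still present in any current
    record, i.e. whether the old origin is probably still the origin."""
    live_ips = {ip for ips in current.values() for ip in ips}
    exposed = []
    for host, ip, _first_seen in history:
        if is_cloudflare_ip(ip):
            continue
        if all(is_cloudflare_ip(i) for i in current.get(host, [])):
            exposed.append((host, ip, ip in live_ips))
    return exposed


def resolve_live(hosts):
    """Resolve real hostnames to IPv4 addresses (network access required).
    Not used by the offline demo above; feed its output to find_unproxied."""
    records = {}
    for host in hosts:
        try:
            infos = socket.getaddrinfo(host, None, socket.AF_INET)
            records[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            records[host] = []
    return records


if __name__ == "__main__":
    for host, ips in find_unproxied(CURRENT, {"mail.example.com"}).items():
        print(f"unproxied subdomain: {host} -> {', '.join(ips)}")
    for host, ip, live in historic_origins(HISTORY, CURRENT):
        print(f"historic origin: {host} once pointed at {ip}"
              f"{' (still serving a live record)' if live else ''}")
```

On the constructed data the staging host is reported as unproxied, the mail host is not (it was declared as expected), and the history check shows the apex and www once pointed at the same 203.0.113.10 that staging still resolves to today, which is exactly the situation Steffen Ullrich's comment describes: the records are now proxied, but the old mapping was already collected. The practical remediations that follow are the ones a tester would recommend rather than anything Cloudflare can do: move the origin to a new address after proxying, and have its firewall accept HTTP(S) only from Cloudflare's ranges so a directly addressed request or flood gets nothing.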