On Thu, Mar 2, 2017 at 5:15 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
On Sat, Feb 25, 2017 at 07:21:48AM +0000, Mike Goodwin wrote:
Useful information on potentially compromised sites due to this: https://github.com/pirate/sites-using-cloudflare "This list contains all domains that use Cloudflare DNS"
That's only marginally more useful than saying "any domain matching /^.*$/";
IIRC, it's quite easy to use the proxy service without the DNS service, as long as you are using a paid CF account for the domain and not a free account. Also, querying after the fact is not very scientific, because there may be domains that _were_ using the CF proxy service during the incident which no longer use CF DNS or proxy servers, for whatever reason. If you're going to scrape DNS records to decide, you should probably be scraping A records for www, and then checking reverse DNS or matching against possible CF IP addresses, not NS records.
- Matt

--
-JH
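The difference between the NS-based check and the A-record check discussed in this thread, as an added example that is not part of the original messages. The DNS records are constructed sample data, the helper names are hypothetical, and the CIDR list is only a subset of Cloudflare's published IPv4 ranges that should be replaced with the current full list.

```python
import ipaddress

# Assumption: a subset of Cloudflare's published IPv4 ranges; load the full, current list in real use.
CF_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "198.41.128.0/17",
)]

# Constructed sample records (as captured at one point in time, not live lookups).
RECORDS = {
    "free-plan.example":       {"ns": ["amy.ns.cloudflare.com."], "www_a": ["104.16.10.5"]},
    "paid-proxy-only.example": {"ns": ["ns1.registrar.example."], "www_a": ["198.41.200.7"]},
    "dns-only.example":        {"ns": ["bob.ns.cloudflare.com."], "www_a": ["192.0.2.10"]},
    "unrelated.example":       {"ns": ["ns1.hoster.example."],    "www_a": ["203.0.113.9", "bogus"]},
}

def uses_cf_dns(ns_names):
    """NS-based check: true if any nameserver is under ns.cloudflare.com."""
    return any(n.rstrip(".").lower().endswith(".ns.cloudflare.com") for n in ns_names)

def behind_cf_proxy(a_records):
    """A-record check: true if any address for www falls inside a listed range."""
    for raw in a_records:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # skip malformed entries in scraped data
        if any(addr in net for net in CF_RANGES):
            return True
    return False

def disagreements(records):
    """Domains where the NS-based and A-record-based checks give different answers."""
    return sorted(
        d for d, r in records.items()
        if uses_cf_dns(r["ns"]) != behind_cf_proxy(r["www_a"])
    )

if __name__ == "__main__":
    for domain, rec in RECORDS.items():
        print(domain, "ns:", uses_cf_dns(rec["ns"]), "proxy:", behind_cf_proxy(rec["www_a"]))
    print("methods disagree on:", disagreements(RECORDS))
```

Both checks only describe the records as captured; deciding exposure for the incident window needs records collected during that window.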