A comprehensive guide for operators to investigate and report malicious domains behind Cloudflare, including DNS tools, HTTP headers, record types, and best practices.
Reporting malicious domains to Cloudflare is critical for addressing policy violations or harmful content, such as phishing, malware, or illegal material. This guide covers domain investigation using dig, whois, nslookup, curl, host, and netcat, explains HTTP headers, DNS record types, SSL certificate analysis, and provides actionable steps for accurate reporting.
Cloudflare is a security and CDN service protecting websites. Some domains behind Cloudflare may host malicious content. Accurate reporting helps block problematic pages or subdirectories, not entire domains.
Include the full URL, its protocol (http/https), and its www status in the report.

Operators should use DNS, domain lookup, and network tools to gather evidence before reporting. Below are the key tools, their switches, and example outputs.
dig

dig queries DNS records to identify Cloudflare usage, IP addresses, and name servers.
Switches:
- +short: Minimal output (e.g., IP addresses).
- A: Queries A records (IPv4 addresses).
- NS: Queries name servers.
- CNAME: Queries canonical names.
- MX: Queries mail servers.
- TXT: Queries text records (e.g., SPF, DMARC).
- AAAA: Queries IPv6 addresses.
- SOA: Queries Start of Authority records.
- PTR: Queries reverse DNS (for IP-to-domain lookup).
- +trace: Traces the DNS resolution path.
- +all: Detailed output with all sections.
- +dnssec: Queries DNSSEC records.

Examples:
dig example.com +short
104.18.43.123
104.18.42.123
dig example.com A
;; ANSWER SECTION:
example.com. 300 IN A 104.18.43.123
example.com. 300 IN A 104.18.42.123
dig example.com NS
;; ANSWER SECTION:
example.com. 86400 IN NS ns1.cloudflare.com.
example.com. 86400 IN NS ns2.cloudflare.com.
dig example.com TXT
;; ANSWER SECTION:
example.com. 300 IN TXT "v=spf1 include:_spf.google.com ~all"
dig example.com AAAA
;; ANSWER SECTION:
example.com. 300 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
dig www.example.com CNAME
;; ANSWER SECTION:
www.example.com. 300 IN CNAME example.com.
dig example.com MX
;; ANSWER SECTION:
example.com. 300 IN MX 10 mail.google.com.
dig example.com SOA
;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.cloudflare.com. dns.cloudflare.com. 2031234567 10000 2400 604800 3600
dig -x 104.18.43.123 PTR
;; ANSWER SECTION:
123.43.18.104.in-addr.arpa. 300 IN PTR example.com.
dig example.com +dnssec
;; ANSWER SECTION:
example.com. 300 IN A 104.18.43.123
example.com. 300 IN RRSIG A 13 2 300 20251018062200 20251016042200 12345 example.com. ...
Tip: Cloudflare name servers in the NS records (e.g., ns1.cloudflare.com) confirm Cloudflare usage. Use PTR for reverse DNS lookups.

whois

whois retrieves domain registration details, including registrar, owner, and abuse contacts.
Switches:
- -h whois.example.com: Queries a specific whois server.
- -r: Requests registrar-only data (if supported).
- -a: Requests abuse contact information (if supported).

Examples:
whois example.com
Domain Name: EXAMPLE.COM
Registrar: Cloudflare, Inc.
Creation Date: 1995-08-14T04:00:00Z
Expiration Date: 2026-08-13T04:00:00Z
Registrant Name: DATA REDACTED
Registrant Email: DATA REDACTED
Name Server: NS1.CLOUDFLARE.COM
Name Server: NS2.CLOUDFLARE.COM
Registrar Abuse Contact Email: abuse@cloudflare.com
whois -h whois.cloudflare.com example.com
Domain Name: EXAMPLE.COM
Registrar: Cloudflare, Inc.
Registrar Abuse Contact Email: abuse@cloudflare.com
Tip: Use whois -a, or check for the abuse contact email in the whois output, to find where to send the report.

nslookup

nslookup queries DNS records to verify resolution and name servers.
Switches:
- -type=A: Queries A records.
- -type=NS: Queries name servers.
- -type=CNAME: Queries canonical names.
- -type=MX: Queries mail servers.
- -type=TXT: Queries text records.
- -type=AAAA: Queries IPv6 addresses.
- -type=SOA: Queries Start of Authority records.
- -type=PTR: Queries reverse DNS records.
- -debug: Shows detailed query information.

Examples:
nslookup example.com
Name: example.com
Address: 104.18.43.123
Address: 104.18.42.123
nslookup -type=NS example.com
example.com nameserver = ns1.cloudflare.com.
example.com nameserver = ns2.cloudflare.com.
nslookup -type=TXT example.com
example.com text = "v=spf1 include:_spf.google.com ~all"
nslookup -type=AAAA example.com
Name: example.com
Address: 2606:2800:220:1:248:1893:25c8:1946
nslookup -type=CNAME www.example.com
www.example.com canonical name = example.com.
nslookup -type=MX example.com
example.com mail exchanger = 10 mail.google.com.
nslookup -type=SOA example.com
example.com
primary name server = ns1.cloudflare.com.
responsible mail addr = dns.cloudflare.com.
serial = 2031234567
nslookup -type=PTR 104.18.43.123
123.43.18.104.in-addr.arpa name = example.com.
Tip: Cross-check nslookup results with dig for accuracy. Use -debug for detailed troubleshooting.

curl for HTTP Headers

curl retrieves HTTP headers to identify Cloudflare usage, redirects, and server details.
Switches:
- -I: Fetches headers only.
- -L: Follows redirects.
- -s: Silent mode (no progress bar).
- -A: Sets the user agent (e.g., -A "Mozilla/5.0").
- -v: Verbose output, including request/response details.
- --connect-timeout: Sets the connection timeout (e.g., --connect-timeout 5).
- --ssl: Forces an SSL/TLS connection.

Examples:
curl -I -L https://example.com
HTTP/1.1 301 Moved Permanently
Date: Fri, 17 Oct 2025 06:22:00 GMT
Location: https://www.example.com
Server: cloudflare
CF-RAY: 1234567890abcdef-IAD
HTTP/1.1 200 OK
Date: Fri, 17 Oct 2025 06:22:01 GMT
Content-Type: text/html
Server: cloudflare
CF-Cache-Status: DYNAMIC
CF-RAY: 1234567890abcdef-IAD
curl -s -I -A "Mozilla/5.0" --connect-timeout 5 https://example.com
HTTP/1.1 200 OK
Date: Fri, 17 Oct 2025 06:22:00 GMT
Server: cloudflare
CF-RAY: 1234567890abcdef-IAD
CF-Cache-Status: DYNAMIC
Content-Type: text/html; charset=UTF-8
Tip: Look for Server: cloudflare and CF-RAY to confirm Cloudflare usage.

host

host is a lightweight tool for DNS lookups, useful for quick checks.
Switches:
- -t A: Queries A records.
- -t NS: Queries name servers.
- -t MX: Queries mail servers.
- -t TXT: Queries text records.
- -t AAAA: Queries IPv6 addresses.
- -a: Queries all record types.

Examples:
host example.com
example.com has address 104.18.43.123
example.com has address 104.18.42.123
host -t NS example.com
example.com name server ns1.cloudflare.com.
example.com name server ns2.cloudflare.com.
host -t TXT example.com
example.com descriptive text "v=spf1 include:_spf.google.com ~all"
Tip: Use host for quick DNS checks when dig is unavailable.

netcat for Basic Connectivity

netcat (or nc) tests connectivity to verify whether a domain's port is open (e.g., HTTP/HTTPS).
Switches:
- -v: Verbose output.
- -z: Scans without sending data (port check).
- -w: Sets the timeout (e.g., -w 5 for 5 seconds).

Example:
nc -v -z -w 5 example.com 443
Connection to example.com 443 port [tcp/https] succeeded!
Tip: Use netcat to confirm that HTTPS (port 443) is open before reporting.

openssl for SSL Certificates

Use openssl to inspect SSL certificates for issuer, validity, and domain details.
openssl s_client -connect example.com:443 -servername example.com < /dev/null
Certificate chain
0 s:/CN=example.com
i:/C=US/O=Cloudflare, Inc./CN=Cloudflare Inc ECC CA-3
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Not Before: Oct 17 00:00:00 2025 GMT
Not After: Oct 16 23:59:59 2026 GMT
HTTP Headers

HTTP headers provide critical information for abuse reports. Use browser DevTools or curl to capture them.
Key headers:
- Server: Identifies Cloudflare (e.g., cloudflare).
- CF-RAY: Unique Cloudflare request ID.
- CF-Cache-Status: Cache status (e.g., DYNAMIC, HIT).
- Location: Redirect destination (e.g., https://www.example.com).
- Content-Type: Content type (e.g., text/html).
- X-Powered-By: Backend technology (e.g., PHP/7.4.33).
- X-Frame-Options: Frame embedding settings (e.g., DENY).
- Content-Security-Policy: Security policies (if present).
- Strict-Transport-Security: Enforces HTTPS (e.g., max-age=31536000).

Example response:
HTTP/1.1 200 OK
Date: Fri, 17 Oct 2025 06:22:00 GMT
Server: cloudflare
CF-RAY: 1234567890abcdef-IAD
CF-Cache-Status: DYNAMIC
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/7.4.33
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
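The header evidence above is easier to collect consistently when the captured curl output is parsed rather than copied by hand. The following Python example is added here and is not part of the original guide; it assumes the two-hop `curl -I -L` output shown in the curl section (embedded below as a constructed sample) and uses the function names parse_curl_responses, redirect_chain, is_cloudflare and header_evidence, which are this example's own.

```python
from urllib.parse import urljoin

# Constructed sample: the two responses `curl -I -L https://example.com` printed above.
SAMPLE_CURL = """\
HTTP/1.1 301 Moved Permanently
Date: Fri, 17 Oct 2025 06:22:00 GMT
Location: https://www.example.com
Server: cloudflare
CF-RAY: 1234567890abcdef-IAD

HTTP/1.1 200 OK
Date: Fri, 17 Oct 2025 06:22:01 GMT
Content-Type: text/html
Server: cloudflare
CF-Cache-Status: DYNAMIC
CF-RAY: 1234567890abcdef-IAD
"""

def parse_curl_responses(text):
    """Split `curl -I -L` output into [(status, headers), ...], one per hop; names lower-cased."""
    responses, status, headers = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HTTP/"):              # a status line starts a new hop
            if status is not None:
                responses.append((status, headers))
            status, headers = int(line.split()[1]), {}
        elif ":" in line and status is not None:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if status is not None:
        responses.append((status, headers))
    return responses

def redirect_chain(start_url, responses):
    """URLs visited; relative Location values are resolved against the previous URL."""
    urls = [start_url]
    for status, headers in responses:
        if 300 <= status < 400 and "location" in headers:
            urls.append(urljoin(urls[-1], headers["location"]))
    return urls

def is_cloudflare(headers):
    """The guide's test: Server: cloudflare together with a CF-RAY request id."""
    return headers.get("server", "").lower() == "cloudflare" and "cf-ray" in headers

def header_evidence(responses):
    """Format the 'Response headers' line of the report template from the final hop."""
    _status, final = responses[-1]
    fields = ("Server", "CF-RAY", "CF-Cache-Status")
    return ", ".join(f"{f}: {final[f.lower()]}" for f in fields if f.lower() in final)
```

Run the parser over the real `curl -I -L` output saved to a file; the redirect chain documents the www/non-www and http/https behaviour the template asks for.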
Tip: Include CF-RAY, Location, and Content-Type in reports to pinpoint the malicious content.

DNS Record Types

DNS records help verify domain configurations. Common types include:
dig example.com A
;; ANSWER SECTION:
example.com. 300 IN A 104.18.43.123
example.com. 300 IN A 104.18.42.123
dig example.com AAAA
;; ANSWER SECTION:
example.com. 300 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
dig www.example.com CNAME
;; ANSWER SECTION:
www.example.com. 300 IN CNAME example.com.
dig example.com MX
;; ANSWER SECTION:
example.com. 300 IN MX 10 mail.google.com.
dig example.com TXT
;; ANSWER SECTION:
example.com. 300 IN TXT "v=spf1 include:_spf.google.com ~all"
dig example.com SOA
;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.cloudflare.com. dns.cloudflare.com. 2031234567 10000 2400 604800 3600
dig example.com RRSIG
;; ANSWER SECTION:
example.com. 300 IN RRSIG A 13 2 300 20251018062200 20251016042200 12345 example.com. ...
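The dig answer sections above (and the ones in the dig section earlier) can be parsed into the "DNS records" line of the report template and checked for the Cloudflare name-server pattern. This Python example is added here and is not part of the original guide; the sample output is constructed from the guide's own example records, and parse_dig_answers, behind_cloudflare, spf_policy and dns_evidence are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample: ANSWER SECTION lines copied from the guide's dig examples.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.com. 300 IN A 104.18.43.123
example.com. 300 IN A 104.18.42.123
;; ANSWER SECTION:
example.com. 86400 IN NS ns1.cloudflare.com.
example.com. 86400 IN NS ns2.cloudflare.com.
;; ANSWER SECTION:
example.com. 300 IN TXT "v=spf1 include:_spf.google.com ~all"
;; ANSWER SECTION:
example.com. 300 IN RRSIG A 13 2 300 20251018062200 20251016042200 12345 example.com. ...
"""

# name  TTL  IN  TYPE  rdata  (dig separates the fields with tabs or spaces)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.+)$")

def parse_dig_answers(text):
    """Map record type -> list of rdata strings; ';;' comment lines are skipped."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            _name, _ttl, rtype, rdata = m.groups()
            records[rtype].append(rdata.strip())
    return dict(records)

def behind_cloudflare(records):
    """True only when every NS record points under cloudflare.com (the guide's indicator)."""
    ns = [n.lower().rstrip(".") for n in records.get("NS", [])]
    return bool(ns) and all(n.endswith(".cloudflare.com") for n in ns)

def spf_policy(records):
    """Return the published SPF TXT record (quotes stripped), or None if there is none."""
    for txt in records.get("TXT", []):
        value = txt.strip('"')
        if value.lower().startswith("v=spf1"):
            return value
    return None

def dns_evidence(records):
    """Format the 'DNS records' line of the report template; note DNSSEC if RRSIGs exist."""
    parts = [f"{rtype}: {rdata}" for rtype in ("A", "AAAA", "NS", "MX", "TXT")
             for rdata in records.get(rtype, [])]
    if "RRSIG" in records:
        parts.append("DNSSEC: signed (RRSIG present)")
    return ", ".join(parts)
```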
Tip: Check TXT records for email spoofing (SPF, DMARC) and RRSIG for DNSSEC in phishing reports.

Protocol and www Variants

Domains may use https, http, or both. Verify accessibility:
- Try https://example.com first, then http://example.com.
- Test both with and without www.
- Follow redirects with curl -L.
- Use openssl to verify SSL certificate details.

Best Practices
- Use dig, whois, nslookup, curl, host, and openssl to confirm Cloudflare usage and gather details.
- Test both www/non-www and http/https.
- Use whois -a to find the registrar abuse contact if needed.
- Use curl -L to confirm redirects.
- Use openssl to verify SSL certificate validity for phishing sites.
- Use reverse DNS (PTR) to confirm hosting details.
- Check reachability with ping example.com.
- Trace the network path with traceroute example.com.

Report Templates

Short template:
URL: https://www.example.com/path/to/abuse
Date discovered (UTC): 2025-10-17 06:22:00 UTC
Type of abuse: Phishing (credential harvesting)
Details: Imitates bank.example login page, collects credentials.
Evidence: Attached screenshot, DevTools headers, DNS records, SSL certificate.
Detailed template:
Full URL: https://www.example.com/path/to/abuse
Open form: www only, https
Observed behavior: Collects credentials, posts to /submit.php
Request headers: Host: www.example.com
Response headers: Server: cloudflare, CF-RAY: 1234567890abcdef-IAD, CF-Cache-Status: DYNAMIC
DNS records: A: 104.18.43.123, NS: ns1.cloudflare.com
SSL Certificate: Issuer: Cloudflare Inc ECC CA-3, Valid until: 2026-10-16
Screenshots: Attached
Why it violates: Impersonation/phishing of bank.example
Python script to check the https/http and www/non-www variants and inspect the SSL certificate (requires the requests library):

import requests
import ssl
import socket


def check_domain(url):
    """Fetch a URL (following redirects) and print the status and response headers."""
    try:
        response = requests.get(url, timeout=5, allow_redirects=True)
        if response.status_code == 200:
            print(f"Domain {url} is accessible.")
            print(f"Headers: {response.headers}")
        else:
            print(f"Domain {url} responded with status code {response.status_code}.")
    except requests.exceptions.RequestException as e:
        print(f"Error accessing {url}: {e}")


def get_ssl_info(domain):
    """Open a TLS connection with SNI and print the certificate issuer and expiry."""
    context = ssl.create_default_context()
    with socket.create_connection((domain, 443), timeout=5) as sock:
        with context.wrap_socket(sock, server_hostname=domain) as ssock:
            cert = ssock.getpeercert()
            print(f"SSL Issuer: {cert['issuer']}")
            print(f"Valid until: {cert['notAfter']}")


if __name__ == "__main__":
    # Test the domain with both protocols and both www/non-www variants
    domain = "example.com"
    check_domain(f"https://www.{domain}")
    check_domain(f"https://{domain}")
    check_domain(f"http://www.{domain}")
    check_domain(f"http://{domain}")
    get_ssl_info(domain)