Well, hello there.

I find it interesting that within a couple of days of my registering this domain name (nicos.tips) and changing the DNS records over to Cloudflare, Cloudflare was recording quite a bit of unexpected traffic.

2024-02-17 screenshot of Cloudflare request activity.

The domain nicos.tips had been registered for 2 days at this point.

The only entities that should have known the name at this point were myself, the domain registrar I used (Omnis), and Cloudflare. Anyone else would have had to learn it from observed network traffic (DNS requests) or some other channel.

2024-02-21 screenshot of Cloudflare request activity.

What is going on here?

In my experience, it’s quite normal to see external hosts attempting to connect, port scan, or even brute force URLs once a server starts responding to network traffic, because they sweep entire IP address ranges. The interesting part about this particular scenario is that since Cloudflare is the one reporting it, these connections must have originated from someone looking up the domain name. Why would anyone be doing a DNS lookup on nicos.tips at this point? Where would anyone have gotten the name from? I highly doubt anyone is brute forcing DNS lookups, but who knows these days.

I will note that a brand new domain name is ripe for being attacked. People and businesses that are just getting started, setting up freshly installed software for a website on their brand new domain, are at a vulnerable point. A brand new deployment may not be locked down from a security perspective, and credentials could have been temporarily set to very weak passwords (or left with none at all).

My first guess was that this was Cloudflare’s own internal services doing some kind of scanning/probing or something along those lines. However, it’s worth noting that Cloudflare themselves described some of the activity as a “prevented attack”.

I’m not aware of any facility that openly advertises new domain registrations. Interesting tidbit: the owner of the .tips TLD is Identity Digital (previously known as Donuts Inc.), and they operate a large share of the top-level domains (TLDs).

Have any thoughts? Let me know in the comments.


Comments

One response to “Well, hello there.”

  1. […] you read my last post “Well, hello there.“, you probably already knew I was curious where that traffic was coming from and […]
