Hacker News new | past | comments | ask | show | jobs | submit login
Tell HN: Archive.is inaccessible via Cloudflare DNS (1.1.1.1)
320 points by ikeboy on May 4, 2019 | hide | past | web | favorite | 197 comments
I noticed I couldn't connect to archive.is, eventually I figured out it was an issue with cloudflare DNS, 1.1.1.1. Checking nslookup confirms this:

nslookup archive.is 1.1.1.1 Server: 1.1.1.1 Address: 1.1.1.1#53

Non-authoritative answer: Name: archive.is Address: 127.0.0.4

nslookup archive.is 8.8.8.8 Server: 8.8.8.8 Address: 8.8.8.8#53

Non-authoritative answer: Name: archive.is Address: 94.16.117.236

Cloudflare is returning a localhost address which prevents you from accessing the website.




We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.

We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.


Honestly, Cloudflare choosing not to hastily slap a band-aid on a problem like this just makes me feel more compelled to continue using 1.1.1.1.

I hesitate to compare this to Apple calling themselves “courageous” when removing the headphone jack, but in this case, I think the word is appropriate. I’ll happily stand behind you guys if you take some PR hits while forcing the rest of the industry to make DNS safer – since it is understandable, admittedly, for users to conclude that “Cloudflare is blocking websites, sound the alarms!” at first glance.


For the moment, I also do trust CloudFlare's intentions, but it's wrong to classify this as some kind of stoic resolve in not "slapping a band-aid on a problem" since that's exactly what they did after their business decision about not responding to "any" queries.


What do you mean with this? Refuse ANY is now a proposed RFC https://datatracker.ietf.org/doc/rfc8482/ How is that a band aid?


Just for another voice in this sub-discussion: I'm an authdns software implementer ( https://github.com/gdnsd/gdnsd ) with no connection to Cloudflare, and I like Refuse ANY. It's maybe hard to see all the issues with traditional ANY clearly unless you're implementing this stuff, but IMHO RFC 8482 is a really good path forward that I'm supportive of and have also implemented.


Well, I can't say I didn't anticipate it happening exactly like this, with someone from Cloudflare trying to retcon "the ANY query episode" by linking to the proposal drafted after the fact. As though a formal "here is our proposed change" document somehow magically excuses the fact that Cloudflare did "violate the integrity of DNS" in its unilateral decision to abandon parts of the DNS specification in favor of its own modifications in order to cut operating costs by reducing the workload on its servers. [0]

Your boss is talking about not "violating the integrity of DNS" and presents this case where upstream archive.is name servers return unexpected data. He proposes that CloudFlare cannot "just fix it" because doing so "would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service". However, Cloudflare chose to "just fix it" back then by "slapping a bandaid" on something your team saw as a problem instead of abiding by the proper change process. And Cloudflare did so not because of some critical security flaw, but as a cost-cutting measure.

Even if we limit what it means to "violate the integrity of DNS" to the first definition mentioned above (and completely ignore this second definition), Cloudflare "slapped a bandaid" on a PR problem it had a couple of years ago and decided to "just fix it" and "block a domain" by removing the domain and its assets from Cloudflare's infrastructure. [1]

Cloudflare has "violated the integrity of DNS" on more than one occasion using more than one of its own definitions.

Cloudflare "MUST" either adhere to the specification and its change process, or not adhere to the specification and its change process. Cloudflare "CANNOT" choose for both of these statements to be true, and one of them constitutes "violating the integrity of DNS".

[0] https://blog.cloudflare.com/deprecating-dns-any-meta-query-t...

[1] https://blog.cloudflare.com/why-we-terminated-daily-stormer/


Please note that incentive to "hastily slap a band-aid" did appear, but was overcome by the team. At least, they deserve praise for honesty.


Say you remove/don't proxy the ECS information, and I get some generic, non-geo-location aware response back. In the majority of cases, wouldn't my next step be to open a TCP connection to the IP in the response, and immediately leak my full IP address to the other end? While I get (and appreciate!) the concern for the user's privacy, I'm having a hard time seeing what practical effect not proxying the subnet the user is on has?

(This is not meant to suggest that archive.is's DNS response is appropriate, or that CF's setup is inappropriate.)

(Just to check my understanding of ECS: it's an extension to DNS that sends the user's subnet in the request, and gets relayed with the request, s.t. an authoritative server can respond with a geo-location appropriate response/IP.)


> Say you remove/don't proxy the ECS information, and I get some generic, non-geo-location aware response back. In the majority of cases, wouldn't my next step be to open a TCP connection to the IP in the response, and immediately leak my full IP address to the other end?

That assumes that the nameserver and the actual server are run by the same party which quite often is not the case.


> That assumes that the nameserver and the actual server are run by the same party which quite often is not the case.

Cloudflare can check if nameserver and the actual server are run by different parties, and if so omit subnet information from EDNS response. It is not hard to implement — Google and OpenDNS used to require manual whitelisting to receive EDNS subnet responses (not sure if they still do).

Cloudflare's CDN leaks user's full online identity to Google via reCaptcha, especially when you use Tor. Maybe they should ask Google to be satisfied with client's subnet too?


> Cloudflare's CDN leaks user's full online identity to Google via reCaptcha, especially when you use Tor.

How?


When cloud flare detects suspicious traffic from an ip, it will get served with a reCaptcha every time. Tor exit nodes always get captchas, not sure how much data that would leak though


Thank you for your comment.

Since HTTPS traffic already reveals communicating IPs to nation-state actors, could you clarify what attack vector removing user IP info from authoritative DNS queries protects against?

In what way does Cloudflare publish its PoP geolocation? Is it a Cloudflare-specific API? Why not fake EDNS subnet info by providing the PoP’s?

I notice of course that Google, Facebook, and Netflix still work on 1.1.1.1. Does this mean they’re currently using Cloudflare PoP geolocation in lieu of EDNS subnet information?


Its preventing the DNS authority to know the IP of who is making the request.

CloudFlare decided its DNS should be the authority to the end user and Archive.is's DNS should be the authority only to CloudFlare. CloudFlare is breaking the bond between the end user and the Service provider.

What CloudFlare is doing is centralizing authority to itself rather allowing authority to be distributed to all owners of the domains as intended. An argument can be made that by using 1.1.1.1 you are granting CF permission to act in this role - some users may even prefer it.


This is no different than any 3rd party DNS service. If the resolving DNS server you hit doesn't have a cached response, it reaches out to the upstream resolver. It doesn't pass your IP along to the upstream resolver


Did I say something that was untruthful?


Perhaps not untruthful, but bending words to make it look malicious when it wasn’t? In general, your statement was just malicious to the point of “untrustworthy”.


Alternatively:

Cloudflare simply is making a subversive play against their competitor CDNs. Client subnet of a DNS request is used for initial rough mapping by Cloudflare competitors such as Akamai (definitely) and I believe Fastly ( and probably others) . Stripping it easily adds at least a few milliseconds to the time to first byte and most likely results a request re-routing on the second or third request.

After all, no other CDN is operating a well used public resolver.


As this is related to CDN, I am gonna leave it here.

The irony is one.one.one.one is marketed as getaway to faster internet, while making CDNs that use GeoDNS slower.

All it takes is a bad route to a far away cloudflare POP to make your internet really slower. Case in point. [1]

I really don't find why no EDNS is considered private, as it only sends the IP subnet.[2] And on IPv6 the IP is far more protected.

If you care that much about privacy, you should be using a VPN.

[1] https://pastebin.com/raw/QnbWXU1a

[2] https://tools.ietf.org/html/rfc7871#section-11.1


> If you care that much about privacy, you should be using a VPN.

Another point; if you care about privacy, why use a 3rd party resolver that you have to "trust"?

Use the ISP resolver; they can see all your traffic anyway if they want to.

Alternatively, cut out all the middle men and run your own recursive resolver. It's not complicated to do so, there's other software than Bind for doing so.


Google has its own public DNS and CDN, I'm pretty sure that counts.


Isn't Google CDN a public beta or did it just exit a public beta into a GA? If so, it is a non-entity for at least a year long contracts that the other CDNs have with its customers. Probably a non-entity for years to come.


Google Cloud CDN has been GA since 3 years ago:

https://cloud.google.com/cdn/docs/release-notes#june_27_2016


An example of something that Cloudflare's approach provides some protection from: http://dnscookie.com/


> We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results.

The operator of archive.is claims that they suffer from a "massive mismatch" between those query IPs and actual traffic. Any idea why? [Is that claim wrong? Is archive.is to blame? Is cloudflare to blame? Are ISPs badly routing the DNS queries?]

Do you have stats on how well the geolocation works in practice?


Well no, CloudFlare doesn't get to talk about not "violating the integrity of DNS" after you stopped responding to "any" queries in violation of the standard. You started by doing your own thing and then proposed a change to the standard to fit your business decision. [0]

[0] https://www.rfc-editor.org/info/rfc8482


There's a difference between changing results (or adding) and not supporting a feature that is dangerous and rarely used. Kind-of like banning handguns vs. providing unknownly modified guns.


They could have allowed "any" only via TCP. Instead Cloudflare told everyone "our software can't handle any, so yours shouldn't either".


Wait, but both of these are horrible ideas. Horrible analogy; theres no need to bring politics into this.


It's a fine analogy: the former is something some people think is a good idea, and others think isn't, whereas about the latter most people agree it should not be done. Which is what OP wanted to express.


They also stopped responding to all DNS queries for some neonazi asshats because of public pressure and politics. They're definitely jerks but they still should be treated like any other customer unless they're actively breaking the law.


Thanks for the detailed response! I think your team is handling this the right way.


@eastdakota what about just failing without response on archive.is calls so the second resolver address configured in the client will be used? I understand this is also a DNS integrity violation, however the result for the end user would be either the same if they don’t have a second resolver configured or enhanced if they do.

The current effect is I stop using 1.1.1.1 when I need archive.is (often) and set it back the next time I’m messing with my network settings.


DNS either has integrity or it doesn’t. We get a response from an Authoritative server and, as a Resolver, we believe our responsibility is to return it. If we start making exceptions because of bad PR, how can you trust us to do the right thing when the stakes are even higher (e.g., nationstate pressure)?

As an aside, I used to think that when Emerson said that “a foolish consistency is the hobgoblin of little minds” he meant that we were foolish to try and be consistent. Increasingly I wonder if instead he meant that when you’re trying to reason with people who may not have the same detailed knowledge of a problem as you, there’s an enhanced importance to being consistent. Unfortunately, most policy makers globally don’t have a detailed understanding of how technical systems like DNS work, so we think it’s especially important we be consistent.


My take on the Emerson quote you mention is to be mindful instead of mindless when it comes to consistency. I respect the commitment to consistency you convey (and I do think it is mindful).


I would recommend you leave exegesis of Emerson to the experts. What he meant is much closer to "pave the cowpaths" than "break things that currently work by enforcing arbitrary standards".


If you're going to that much trouble I suggest you just hardcode an IP address for archive.is into /etc/hosts. I've only had to change it once in the whole time I've used Cloudflare DNS (i.e. since the first day it was public).


If you use dnsmasq, you can special case archive.is to not be resolved via 1.1.1.1.


Also: it'd be nice if CloudFlare made a secondary DNS resolver (1.1.2.2?) that didn't pass along EDNS information, as a backup for websites like archive.is (and for anyone who cares about privacy).


I think you may have typo’d, but just in case:

1.1.1.1 does not send EDNS ECS data, specifically because of the privacy concern. So the hypothetical secondary resolver would need to send that data, for people who aren’t concerned about the privacy implications / want to get to archive.is.

Given CloudFlare’s stated message of prioritizing privacy, it seems unlikely they’d stand up infrastructure that behaved like 1.1.1.1 except that it leaked more private information.


My apologies! I misread the OP and thought that CloudFlare was being accused of violating privacy. Instead, it seems that CloudFlare is definitely making the right choice, and I can't see why archive.is has any objection.


(Also: I only just learned that archive.is != archive.org.)


I just added an entry for archive.is in my etc/hosts.


How do I do that on my iPhone?


It's possible using DNSCloak, under Advanced Options > Enable Cloaking.

You'll need to add a hosts file to your iCloud Drive.


Without jailbreaking, I don't think you do. You can do it at the router level with dnsmasq, but then you'd always have to be VPN-ed into that network when you are out and about.

Although, I believe Cloudflare DNS app on iphone uses a VPN iOS API to do it's thing, so it should be possible to put dnsmasq-like functionality into an iOS app. I don't know if this exists already.


You can’t. Not without jailbreaking, at least.


Why not just send the subnet of the machine at cloudflare doing the querying?


The full IP of the Cloudflare resolver doing the recursive resolution is already provided to the authoritative server, as the source IP for the DNS query traffic.


I think the parent is saying, why not spoof the EDNS client subnet information?


True. Copying the information would be possible, but given they’re working on other efforts to replace the functionality of EDNS ECS in a standard way, it seems like a hacky bandaid.


EDNS is a working system today, doesn't seem that hacky to use it until a new system is actually ready (which doesn't seem to be anytime soon anyway).


It works if you don't care about privacy


The suggestion was to use the EDNS of the datacenter server, how does that ruin privacy?


Is there anywhere I can learn about these ongoing efforts to replace EDNS?


Could you use your own subnet in the EDNS that matches client's country or could you let user configure what data would be shared?


If you're for integrity of DNS, why did you suspend the free speech of the admittedly bigoted, hateful neonazis on dailystormer?

https://blog.cloudflare.com/why-we-terminated-daily-stormer/

"Earlier today, Cloudflare terminated the account of the Daily Stormer. We've stopped proxying their traffic and stopped answering DNS requests for their sites. We've taken measures to ensure that they cannot sign up for Cloudflare's services ever again."

I'll keep using non-logging, encrypted OpenNIC servers, since you seem to selectively censor instead of only blocking terrorists and cp.


How does doing this censor them?

The Daily Stormer is free to get their business elsewhere and it's still up on the internet. Cloudflare didn't want to be associated to this kind of content, and thus terminated their business relation.

We don't NEED Cloudflare to keep the internet integrity (if we did, it will go pretty badly...) but we do need DNS to keep the internet integrity.

> I'll keep using non-logging, encrypted OpenNIC servers, since you seem to selectively censor instead of only blocking terrorists and cp.

Why are you censoring Cloudflare? /s


I don't think this argument is well stated, so I'll give it a shot.

CloudFlare is very basic infrastructure and there are a handful of companies providing such infrastructure, thus a group can be effectively deleted from the Internet if these companies decide or are pressured to do so. (Example of pressuring: Patreon dropped some accounts at the behest of Mastercard.)

So maybe the real question is, "does this notion of the integrity of DNS extend to other basic infrastructure services?"


Ongoing work with big companies to replace existing technologies don't convince me. Though, neither does whining when the authoritative nameserver itself is returning bogus responses.


The experience for the user is that the page just keeps loading indefinitely, while showing a blank page. Is there nothing Cloudflare could do to inform the browser about the situation, so that the browser can show some kind of a message to the user? As it stands, to the user it just looks like their connection died.


I don't see what they can do, short of sending fake DNS replies with their own webserver IPs, which is worse for the integrity of DNS.


Shouldn’t there be some kind of standard DNS response for this? There are dozens of different HTTP status codes for all kinds of scenarios. Doesn’t DNS have something like that? I know almost nothing about DNS, I’m just curious.


The thing is, the server sends a real response, it's just not the same response as it sends to other recursive resolvers.

Imagine it's HTTP, and the site sent a 404 to your proxy, but you knew it generally sent a 200 to other proxies, what should you do? Send the 404, or override it with your own status code? Cloudflare is saying they are not OK with overriding codes.


Awesome response! Is there already a blog post on this?

Such a post might A) get better SEO than an HN thread for 'cannot access archive.is [or ...]' and B) help change its behaviour.


If the govt of your jurisdiction (American I assume?) commanded you to censor a certain domain or block of IPs with a court order, what exactly happens? I'm not sure if this has been done on the DNS level before but do you guys have a plan in case it ever does happen?


Jurisdiction would include every place where they have a business presence. Their page https://www.cloudflare.com/en-au/about-overview/ lists quite a few international phone numbers, which may or may not correspond with offices and subsidiary companies in those locations.

I assume they'd just have to go along with such legal demands, or withdraw from the relevant country, unless the penalty for not complying was very small.

It will probably become an issue some day. In Australia, for example, courts can issue DNS bans of particular sites to individual ISPs. You can avoid these bans entirely by using a service like Cloudfare DNS.


Or you know you Piss off CloudFare CEO and he directs them to censor a site... Which has happened in the past


Can you cite any source on this?




Exactly. If it's not "the right kind" of content behind a domain, it doesn't even take a court order for CloudFlare to censor it.


that is not censorship.


No, it's not. However it breaks the trust in the Cloud Flares integrity they so proudly mention in this thread. Once they banned something, how can you trust them to not ban something else, perhaps a bit more silently next time?


Are there any other known sites that don't work with 1.1.1.1 but work fine on other resolvers?


Typically, if you experience that, it’s because DNSSEC fails. 1.1.1.1 enforces DNSSEC. As does 8.8.8.8 in most, but not all, cases. Many other DNS resolvers do not enforce DNSSEC. Archive.is (and its directly affiliated sites) are the only exception like this I am aware of. And, to be clear, as a policy the 1.1.1.1 DNS does not block any sites from resolution.


I (random HN user) happen to know of lancaster.ac.uk (there was a comment thread a while back where this was mentioned).


In what way doesn't it work? This is with my ISP's DNS (using which I can visit https://www.lancaster.ac.uk/ in a browser):

  $ host -t a lancaster.ac.uk
  lancaster.ac.uk has address 148.88.65.80
and this is with Cloudflare's:

  $ host -t a lancaster.ac.uk 1.1.1.1
  Using domain server:
  Name: 1.1.1.1
  Address: 1.1.1.1#53
  Aliases: 
  
  lancaster.ac.uk has address 148.88.65.80
Looks the same to me.


This is a problem of the 1^4 resolver not implementing DNAME support (either not a priority, or just in the backlog): https://community.cloudflare.com/t/www-lancaster-ac-uk-not-r...


Thanks for the explanation. One more reason to keep using you instead of anything else.


tl;dr: Don't use 1.1.1.1 if you use any services that use DNS geolocation to bring you resources from the closest datacentre. These include: Office 365, Netflix, Facebook, Google services, ...


Huh, don’t see many CEOs writing and talking like this. And I don’t think a flunky wrote this.


archive.is is a very important tool in online extremism research and you've taken money from far-right extremists, your explanation for why it's inaccessible seems incomplete.

This is probably where I get banned from Hn but it has to be said - to posture as if you care about end users while in the same breath taking money from extremists and turning over personal identifiable information to far-right outlets like DailyStormer, is disingenuous at best and I can think of other ways to describe it which are less charitable.

You also host and protect 8chan.

https://twitter.com/ncweaver/status/1124091916520497153

https://twitter.com/klarajk/status/1122625367490146304

https://twitter.com/Riverseeker/status/1122612031234945024

https://twitter.com/slpng_giants/status/1123592717341200384

https://twitter.com/NathanBLawrence/status/10562868097418199...

https://twitter.com/NJDemocrat/status/897147112273608705

https://twitter.com/InvestMib/status/1123308004873515015

https://twitter.com/jwz/status/1124415034610860033


This is amusing, They Banned the DailyStormer which I why I will never support them. While I disagree 100% with the DailyStormer it is not up to cloudflare to decide who can and can not speak, who can and can not access the internet.

The concept of Free Speech is the most important right we have as humanity, while I may not agree with some peoples words I will fight for their right to say those words

And do not even come at me with "well they are private company" we impose all kinds of regulations on private companies when it comes to basic human rights like free speech and Free Association for example private companies can not refuse service based on race, sex, age, etc.

yet you WANT them to censor content, censor speech. You want them to apply your left authoritarian world view to legal speech, and yes everything you have cited is LEGAL SPEECH in the USA.

If there are actual threats, True Threats as defined in US law, then the police should be involved and the people arrested. If there is defamation or other illegal speech then the courts should be involved

It should NOT be the position of private companies to regulate speech online

Platform Access Is A Civil Right. https://humanevents.com/2019/05/03/platform-access-is-a-civi...


I think you're being downvoted because of the bit about regulation. At least, that is what I choose to believe, because imagine our state of affairs if you are being downvoted because of your comments about the idea of free speech.


Then you are new to HN...

Silicon Valley is full of Authoritarians that believe the Tech Companies should be our overlords and be allowed to choose what "truth" is, and who can revel that "truth" to you


Actually it's the opposite. It's the newer people that are this way [0], for in my day, most people didn't even trust computers, let alone buying things with a computer, or always carrying an always-connected computer with a microphone and multiple cameras in their pocket.

[0] https://www.pewsocialtrends.org/2019/01/17/generation-z-look...


Eastdakotas replies here and in previous threads indicate that his team have more oversight into his own wants and desires. He also writes more about being consistent in actions than they had when he did this action. I think that's a positive way forward. But the person at the top will be the weakest link. If I was a nation state that's where I would be applying the force not at the company level. Maybe he also realised this?


Yes, I want them to censor lies and misleading speech. People or services that feed the public dangerous misinformation should be silenced.

I realize that’s a slippery slope, but I just don’t trust the public to filter for themselves any more.


So who should be the arbitrator of truth? You do understand that I can cite many many many many many examples though out history where actual truth was suppressed, actual advancement was suppressed by those in power.

Free Speech is the most powerful tool Minorities and oppressed people through out the world have to end their oppression, and you just want to strip it away because of fear...

How can you not see how utterly dangerous this idea is, how can you ignore all of human history to believe it is a good idea to suppress speech.

It is not a slippery slope at all, is termination of basic human rights, is the the return to the dark ages, to Totalitarianism.

You hope that be installing a regime of censorship and speech control you will end "lies" and/or "hate" when in reality you will ensure its continued existence and growth while taking away peoples power to challenge it in the open light of public debate


> So who should be the arbitrator of truth? ... Free Speech is the most powerful tool

Generally, an independent judiciary is the arbitrator of truth.

Free speech has never been absolute. Free speech does not protect intentionally false speech. For example, tricking people to give you money is fraud. Libel is too. You can support free speech while also protecting truth. When the issue pops up, a judge determines who's right and wrong.


I can agree with that, in part, what I cant agree with is that CloudFare, Facebook, Twitter, Firefox or any other Tech Company should be in charge of this which is what the OP was asking for.

Almost all of the content the Authoritarian left wants to be banned today the independent judiciary has already ruled many times to be Legal Speech under the US definition of Free Speech


I don't have an answer to who should be the arbiter, but:

> Free Speech is the most powerful tool Minorities and oppressed people through out the world have to end their oppression,

So in order to protect the opressed, we should allow their opressors an equal platform to share their totalitarian views?

The other side(what we currently have) is equally as bad, if not worse. Right now you have a situation where the BBC in the name of "fairness" gives equal air time to a political party who only exist as a protest vote, and they allow for climate change denier to air their views against scientists. Public debate doesn't work based on facts, it works based on emotions, and it doesn't matter how nuanced or level headed your response is, "think of the children" or "the government is trying to suppress our rights" are emotional arguments that consistently Trump facts and reason. Free speech isn't a right for you to have a platform to voice your opinion, it's a right to not have your opinion be suppressed by the government.

I don't have a solution, but at some point you have to accept that tolerance of intolerance is intolerance, and when we're talking about a single incident of a platform that claims Marital Rape is ok [0],and that murdering 50 people because of their religion is "a prank" [1], they are objectively the opressors, not the opressed.

[0] https://dailystormer.name/some-states-want-to-prevent-husban...

[1] https://dailystormer.name/the-difference-between-a-mosque-sh...


>So in order to protect the opressed, we should allow their opressors an equal platform to share their totalitarian views?

Yes. That's one of the founding principles of America. Cloudflare is a common carrier like a telco, not a hosting provider. The content on websites that use them as a CDN shouldn't be paid attention to by Cloudflare one way or another, as long as it's legal. This is their position, and it's the correct and most moral one. You also seem to be missing the fact that Cloudflare famously banned Daily Stormer; the only time they've ever banned any website: https://blog.cloudflare.com/why-we-terminated-daily-stormer/

The best way to empower extremists is by trying to stamp them out. You can never, ever win when your primary weapon is censorship. Fascism thrives and festers in darkness.


>>So in order to protect the opressed, we should allow their opressors an equal platform to share their totalitarian views?

yes, for many reasons. One Should not be celebrating Moving the Cliff of Censorship on the bias of "Dangerous Individuals" like Facebook recently did. [2]

>Free speech isn't a right for you to have a platform to voice your opinion, it's a right to not have your opinion be suppressed by the government.

100% incorrect, Free Speech is a social concept that is often codified into law as through out history governments are the ones that often use the power of censorship to silence dissent, however threats by government is NOT the only threat to free speech.

Free Speech is a cultural value first, it has become a legal articulation based on that cultural value. [2] Platform Access Is A Civil Right, You should now have the same right to speak on Facebook, Twitter, and Instagram that you do in a public park.[0]

If you would not celebrate government censoring opinions you dislike why would you celebrate corporations doing it?

>>I don't have a solution, but at some point you have to accept that tolerance of intolerance is intolerance

The US Supreme Court disagrees with you, you can not fight intolerance by suppression. it has never worked in all of history, it only makes the extremism more extreme and violent. One can make the strong case that the more society pushes these people out of the sunlight the more violent they become, and if they allowed the modern public square, where their idea's would be challenged, debated and debunked there is a high probity there would be LESS violence.

Censorship does nothing but drive extremism under ground allowing it to fester, become more extreme, and then you get violence. This is also true for other forms of Censorship. Take for example the recent bills to "stop human trafficking" by censoring platforms and making them liable for it. Did it actually stop any human trafficking... No, all it did was drive it under ground making it harder for law enforcement to track and stop, while suppression lots of legitimate speech, had massive negative effects on voluntary sex workers, and untold other unintended consequences. This censorship was a net negative both in its stated goal, and for freedom in general. It accomplished nothing but taking the rights away from people.

Once your Nation has a "Chief Censor" [1] you know you have gone away from anything that could be considered Free Speech

[0] https://humanevents.com/2019/05/03/platform-access-is-a-civi...

[1] https://youtu.be/QH_IZnKzqKA?t=68

[2] https://www.youtube.com/watch?v=GOwJz1p6aag


You don't trust the public to filter for themselves but you trust them to elect politicians or judges that will get to filter for you?

The logical extension of your argument is the public not trustworthy enough to even choose their leaders.

Free speech isn't a danger to democracy, thinking like this is.


race, sex, age, etc.

Where does daily stormer fall in the “etc.” part?


Never said it did, etc was in reference to other protected classes in the list which vary by state.

Many states, including California, have political ideology has a protected class as well.

IMO companies run a foul of that when they start banning people for subjective ideology based reasons like "hate speech" which is not illegal in the US, and is every much based in political ideology to make the determination as to what is "hate".


I think the tone of this comment as "courageous" is especially humorous coming from a throwaway account.


Anonymity online. If you have nothing to hide you have nothing to fear.


I'm far from courageous, in fact I'm scared because these groups regularly DoX those who draw attention to this pressing issue:

https://thenextweb.com/opinion/2018/07/17/the-daily-callers-...

http://www.sfweekly.com/news/daily-caller-doxxes-the-s-f-guy...

Journalist like Robert Evans are courageous: https://www.bellingcat.com/news/americas/2019/04/28/ignore-t...

Researchers like Whitney Phillips are courageous https://www.wired.com/story/existential-crisis-plaguing-onli...

I'm just disgusted.


Encrypting dns is bad for end users. Please cut this shit out. You are acting like you are defending against the NSA, but in reality we will have a bunch of shitty IoT phoning data to indecipherable IP addresses without any meaningful defense of consumer privacy.

It is hostile to customers who want to troubleshoot wtf apps are doing.


Normal DNS queries aren't encrypted. It's normal queries on port 53.

Users/programs/IoT can choose to use DNS-over-TLS or DNS-over-HTTPS, but that's not Cloudflare's fault.


Nothing in his response is about encrypting DNS. Go grind your axe elsewhere.


In my country, government/ISP blocks websites and changes the DNS results of 8.8.8.8 since it is not encrypted. If ISP can create a valid certificate, that browsers trust [1], they may be able to access my Gmail or Github account.

[1] https://www.zdnet.com/article/mozilla-to-chinas-wosign-well-...


The problem is the archive.is (and other TLDs) server not returning any Good IP if the EDNS client subnet isn't present.

Would like to point out that Cloudflare's resolver is EDNS compliant, it just doesn't send the client subnet.

See: https://twitter.com/archiveis/status/1018691421182791680 (picture of tweet https://aws1.discourse-cdn.com/cloudflare/optimized/3X/8/2/8... )

Based on that tweet, the owner has a personal grudge against Cloudflare and is choosing to return bad results.


I take back every bad thing I have ever said about mailing lists - at least it was easier to follow the drama than these damn twitter links.


My issue with mailing lists is the browsing experience. It's very difficult to view conversations, especially compared to Gmail's threaded view. Seems like something an open source project could solve!


Text of tweet by @archiveis:

"Having to do" is not so direct here. Absence of EDNS and massive mismatch (not only on AS/Country, but even on the continent level) of where DNS and related HTTP requests come from causes so many troubles so I consider EDNS-less requests from Cloudflare as invalid.


For additional context, here is the Cloudflare explanation about EDNS client subnets:

> EDNS Client Subnet > >1.1.1.1 is a privacy centric resolver so it does not send any client IP information and does not send the EDNS Client Subnet Header to authoritative servers.

Cloudflare's requests are of course perfectly valid, with @archiveis actively deciding not to service them.


It has nothing to do with privacy, as the next thing following DNS resolution is establishing a TCP connection which always leaks full IP address to the same person or organization controlling authoritative servers. Basically EDNS is just a convenient way for DNS-based CDNs to provide a better edge node. But this is directly competing with Cloudflare, so Cloudflare invents excuses not to implement something that helps other CDNs.


See the CEO's comment: https://news.ycombinator.com/item?id=19828702

> We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

So it's not just "Cloudflare benefits from pushing anycast" (even if that's part of it).


So, what he claims is that state actors monitor traffic at certain locations, extract subnet information from DNS packets that only large centralized DNS resolvers include when query some authoritative servers that where probed to support that feature. That subnet is not a subnet of an end user IP address, but an IP address of a recursive resolver of that user's ISP. They have to correlate that information with a connection made from that ISP to a web server to track the user. What 1.1.1.1 brings here? State actors now can correlate an actual IP address sending data to 1.1.1.1, with a clear text DNS query going out of it, making tracking more reliable and simple and worse for privacy. And still worse for other CDNs.

Don't take Cloudflare's PR seriously, they are completely full of it. They used to be more honest, but those days are long gone.


1.1.1.1 supports dns/https. It is entirely possible to make a request to 1.1.1.1 for an ip and have nobody be able to know what you made the request for.

There is no guarantee the name server they are querying is the same as the server in the A result, and the idea is to reduce the number of points where people other than the A result and the client know that they plan to talk to each other.

It's not bullshit.


> There is no guarantee the name server they are querying is the same as the server in the A result

That's ok. Let me try to explain a bit more:

Queries to 1.1.1.1 are going over public internet. And even though they are encrypted, they also carry metadata with them, including IP addresses of who is doing them, precise time, rough size, various OS specific stuff, etc. And packets going out to authoritative servers from 1.1.1.1 are in clear text. There is a very tiny window of possible queries out of 1.1.1.1 for encrypted data coming in from some IP address and therefore only a tiny number of possible responses from authoritative servers. Given that and enough intercepted data all over the world it is easy to correlate clear text DNS responses with IP addresses or who got responses from cache and on which popular website ended up, etc.


Not quite as easy as when you just have to intercept traffic at one of the intermediate nodes though, it seems.

I think that makes the privacy argument a fairly valid thing.


You seem to misunderstand it. There are less points to intercept traffic at with 1.1.1.1, than without it. Much more feasible to spy on a massive scale, much less privacy and usefulness of client subnet EDNS option completely disappears. In 1.1.1.1 case it's literally irrelevant for privacy whether they do it or not. 1.1.1.1 already hurts privacy massively and not passing client subnet only hurts competing CDNs.


This is no longer a factual discussion. You mention two separate issues:

1. Use of EDNS client subnet information harms user privacy, by providing information that would not otherwise be there.

2. Many users on a single global DNS provider lowers the amount of points that needs to be attacked to obtain DNS information.

However, you position your statement as if #2 somehow render #1 moot, which is an entirely subjective evaluation from the perspective of a user, and also not at all relevant to the discussion of #1, as that on its own is not 1.1.1.1 specific.

For an example of why this is very subjective, the user may believe that the security of ISP DNS servers is likely not trustable, and that infiltrating countless ISP DNS services would likely be much less work than infiltrating one of the larger providers, such as 1.1.1.1, with better security practices.

The only things relevant to this discussion is whether or not it is sensible to respond with bogus data to a valid request that does not contain optional fields, and separately whether or not it is sensible for a DNS provider to not contain these fields.


That's not true.

Many setups proxy everything but dns traffic.

That's why this topic is a thing.

https://trac.torproject.org/projects/tor/wiki/doc/Preventing...


> the next thing following DNS resolution is establishing a TCP connection which always leaks full IP address to the same person or organization controlling authoritative servers

Depends who runs the authoritative servers - if you hit the authoritative DNS services for most of my domains, you are providing your information to 123-Reg (or, increasingly, Google), if you start a TCP connection, you are providing it to me.


The fallback should be to do GeoDNS based on the resolver's IP. In case of Cloudflare that's certainly good enough, since they've got 150+ POPs.


> requests come from causes so many troubles

Given they serve their pages over tor, I don't buy that explanation at all. Assuming location of client == location of CloudFlare source would give them a rough match in most cases. In tor they're almost guaranteed to be wrong.


Ah yes, the huge trouble of a website that is a few MS slower as opposed to just not working at all.

I’m not sure I see what kind of logic goes into this argument.


Furthermore let's see this report:

https://ednscomp.isc.org/ednscomp/6ed2aca587

EDNS Compliance Tester says that archive.is has some issues.

https://dnsflagday.net

> Minor problems detected! > This domain does not support latest DNS standards.


Could they send "generic" subnet or even better could they let user choose the subnet?


For those curious about what is going on here...

Cloudflare has decided for privacy reasons they will not relay eDNS0 client subnet data - which yes, can reveal a portion of the IP of the requestor - but is used by CDN services in order to provide nearest servers or (in some cases) country specific content.

My guess here is archive.is feels they have some need to restrict what content is provided to where in the world, and as a result, without ECS in the request, takes you to a cname which essentially null routes you back to your local loop interface.

Source: Founder of DNSFilter.com - we support ECS, I coded it.


>My guess here is archive.is feels they have some need to restrict what content is provided to where in the world

Couldn't that be done later, by blocking the actual HTTP TCP connections instead of blocking the DNS requests? Maybe it's an efficiency issue, that they want the higher-efficiency blocking by DNS rather than lower-efficiency blocking during HTTP TCP, but that seems a little strange to me.


This has been a known issue for a while.

Unfortunately, Archive.is has to fix it from their nameservers and we cannot do anything from our side. You can ready more about it here: https://community.cloudflare.com/t/archive-is-error-1001/182...

Disclaimer: I work at Cloudflare


The person or persons running the site have a history of very stubborn behaviour. I do appreciate the service they are running.

One time they blocked the whole Finland because the owner had problems with customs and somehow related the incident with Russia while saying Finnish gov and bur businesses can never be independent.


Archive.is is very interesting. I was checking and they block (by responding back with 127.0.0.3):

- 1.1.1.1

- Neustar DNS

- AdGuard DNS

But they don't block Quad9 or CleanBrowsing that also do not send the EDNS subnet. Very curious way of blocking itself out of the Internet. OpenDNS blocks it (sends to their block page):

https://dnsblacklist.org/?domain=archive.is

Would love to hear from someone from archive.is what is going on.


I remember reading this a while back. It sounded more that archive.is was blocking Cloudflare (or at least not supporting it): https://community.cloudflare.com/t/archive-is-error-1001/182...


Does anyone know why archive.is would block Cloudflare? Is it a technical issue, or does the owner of archive.is have some kind of grudge against them?


Cloudflare uses "privacy" and "caring about users" as excuses to sabotage competing CDNs (including whatever CDN is used by archive.is).

Most recursive DNS severs on Internet can be categorized in two groups: local DNS servers, offered by Internet providers to their users, and enormous "generic" DNS like Google's 8.8.8.8. When someone makes a DNS request to those servers, they will in turn forward it to DNS servers of web page you are requesting. Content Delivery Networks use DNS to determine, which server should serve your request: if your DNS request arrived from Africa, CDN's DNS server will return IP in Africa. Of course, _users_ don't send DNS requests to CDN's server — recursive DNS servers do. In the past almost everyone used DNS, offered by their Internet provider, — CDN's had to use GeoIP or even static lists of providers to determine origin of that request. When world-wide DNS servers like Google's 8.8.8.8 started to gain popularity, that approach was broken, so EDNS was developed.

Cloudflare is a CDN. They are selling their CDN services for money. At the same time they are encouraging end users to use free DNS server, that does not support EDNS on purpose (they admit so on their website). In effect they are creating a situation, when competing CDNs are at disadvantage and can't determine, what country user comes from. Cloudflare itself does not suffer from that disadvantage, because they control both 1.1.1.1 and DNS, used by their clients' websites.


I think your accusations are factually incorrect. EDNS was created back in 1999 (RFC2671[0]) waaaaay before Google's 8.8.8.8 in 2009.

And Cloudflare is EDNS-compliant. They simply choose not to enable the optional EDNS extension released in 2016 for sending the client subnet for privacy reasons.

Here's what RFC7871 – Client Subnet in DNS Queries[1] says about itself (emphasis mine):

This document defines an EDNS0 [RFC6891] option to convey network information that is relevant to the DNS message. It will carry sufficient network information about the originator for the Authoritative Nameserver to tailor responses. It will also provide for the Authoritative Nameserver to indicate the scope of network addresses for which the tailored answer is intended. This EDNS0 option is intended for those Recursive Resolvers and Authoritative Nameservers that would benefit from the extension and not for general purpose deployment. This is completely optional and can safely be ignored by servers that choose not to implement or enable it.

As far as I know, the standard practice, before this optional EDNS extension was to do GeoDNS based on the resolver's IP. This works just fine, including in the case of Cloudflare, since they've got 150+ POPs with each resolving on their own. That's higher density than most CDNs.

[0]: https://tools.ietf.org/html/rfc2671

[1]: https://tools.ietf.org/html/rfc7871


Hard to tell from the outside, but archive.is did blacklist the whole of Finland a while back - due to personal grudge.


Who runs archive.is? Sounds childish without knowing any of the facts.



Looks like it's a known issue https://community.cloudflare.com/t/archive-is-error-1001/182..., yet not been fixed for at least a year


In response to that "unfixed" issue, they noted - in a timely manner, last year - that archive.is is returning bad IPs to them, which is preventing them from serving good IPs:

https://community.cloudflare.com/t/archive-is-error-1001/182...

> Nameservers responsible for archive.is (ben.archive.is, anna.archive.is) are returning answers tailored to the IP address of the requestor.

And indicate that anyone who knows how to contact archive.is can ask them to resolve the issue:

> If you have a contact on the domain owner, you can ask them to fix this.

EDIT: This is knowingly blocked by archive.is. Reasoning and discussion elsewhere in post comments. No need to contact archive.is about it, they’re clearly aware.


Just like we consider it the kernel's fault if user applications break due to a change, I think it's the DNS resolver's fault if they're using a protocol that some popular sites don't support.

As soon as I realized they were causing this issue I just switched away. Other DNS providers don't have this issue.


It doesn’t really seem to be the resolvers “using a protocol that [archive.is] doesn’t support”; it seems that archive.is responds to queries from Cloudflare’s systems with an incorrect response. How is Cloudflare meant to work around that kind of behavior?


https://twitter.com/archiveis/status/999788186904576002 claims that cloudflare isn't supporting a protocol that would enable it to work with their servers.


That’s not an accurate read of archive.is’s behavior. EDNS is an optional feature.

archive.is has configured their nameservers to return invalid (127.0.0.0/8, from the looks of it) responses to Cloudflare requests because they’re protesting Cloudflare’s lack of EDNS, not because EDNS is somehow required to handle the requests.

For context: EDNS sends the origin IP address of the DNS client through the resolver. Cloudflare has it disabled because of the privacy implications of sending it along.


The right thing for cloudflare to do then is fake the EDNS field so that they get a valid response.

Maybe cloudflare doesn't want to code an ad-hoc solution just to fix one site. But that doesn't matter to the customer, who just wants it to work.


This diverges pretty hard from your earlier comparison, between this scenario and the Linux kernel breaking userspace.

If a dev updates their code so it won’t run unless an kernel flag is enabled, the kernel hasn’t broken userspace, and kernel devs are unlikely to add a “fake-enabled-flag” to trick the userspace program, even if it’s popular.

Likewise, I don’t expect my DNS resolver to add in custom behavior if upstream DNS servers make breaking changes like this. In fact, I very much prefer the opposite: my DNS service should be as dumb as possible. I don’t want it making choices about how to modify DNS queries I do, or their results.

If an upstream site broke their DNSSEC config, would you lobby for Cloudflare to modify the results so resolution succeeded for their users?


Besides, my reading is:

Every other resolver supports EDNS

Archive.is only works with resolvers that support EDNS

Cloudflare decided not to support EDNS

That itself is a defendable decision but I do feel for a popular site they could implement some sort of fix.


    dig @carl.archive.is archive.is A +noedns
responds 134.119.220.26

    curl http://134.119.220.26 -H 'Host: archive.is' -v
responds with HTML of the site.

I'm not a dig expert, but I believe this means it works without EDNS. I think that means archive.is is specifically blocking Cloudflare's servers, not blocking all non-EDNS requests.


Notably, Level3 and Hurricane Electric both appear to not use ECS, and archive.is resolves properly from those. Which seems to clarify that this isn’t a technical requirement for archive.is to work, it’s an intentional protest by the archive.is operators against Cloudflare.


Cloudflare does support EDNS. They just don't forward the client's subnet due to being privacy-oriented, doing which is optional and perfectly valid.


They need something that works for all sites.


If every other resolver works, then I expect Cloudflare to work.

The kernel hardcodes plenty of hacky things to get specific hardware to work.


When the Linux Kernel hardcodes an "acceptable DNS resolver" list into net/, then that argument might be valid, but for now, it isn't.

Archive.is operators are throwing a temper tantrum. It isn't in Cloud Flare or anyone else's best interest to appease them.


Archive.is does not appear to specify in detail what operational issues result from the missing client subnet EDNS data. We can speculate, though. Is it for data harvesting purposes, or for global load balancing concerns? Are users complaining due to some unknown side effect? Are localized in-country-firewall servers receiving traffic from out-country clients?


>"it seems that archive.is responds to queries from Cloudflare’s systems with an incorrect response."

What makes the response incorrect? I was under the impression that DNS implementations were under no "practical" obligation to return consistent queries to differing requester IP addresses (hence stuff like split-horizon DNS and EDNS: https://developers.google.com/speed/public-dns/docs/ecs )


Sorry, to clarify: when archive.is receives a DNS lookup from Cloudflare’s resolvers, they reply with an IP in the 127.0.0.0/8 range, so the origin client is unable to connect (since those IPs aren’t routable over the internet).


Thanks for the clarification on here + and the other posts, that makes perfect sense.


It is deliberately invalid.


Cloudflare DNS does not support EDNS Client Subnet[1], so archive.is returns invalid IP address for Cloudflare IPs[2]

[1] https://developers.cloudflare.com/1.1.1.1/nitty-gritty-detai...

[2] https://twitter.com/archiveis/status/1018691421182791680


So much talk about DNS and no one suggested simple workaround for this :-) If anyone wants to use 1.1.1.1 and still access arhive.is, simply add this line to your /etc/hosts file.

134.119.220.26 archive.is



Why doesn’t archive.is return a valid alternate IP for DNS queries that don’t have the EDNS0 information? They can host an apology page on that IP that tells the user why they aren’t getting the content they are looking for and suggest solutions for using a different open DNS service if the user is willing to use one that provides their client subnet.


I don't get why people use 1.1.1.1 8.8.8.8 etc, for more then debugging. Why tell Google et.al about every site you visit !? And get slightly slower, less accurate and less resilient DNS lookups ...


Many people are otherwise using their ISP's DNS servers, which are often even worse with regards to performance and reliability. Long ago I did tech support for an ISP, and I'd say that 9/10ths of our "outages" were due to our overworked ancient DNS servers failing. I'd go off-script when I took calls during those kinds of outages, and just help people set 4.2.2.2 in their router's DNS settings the moment I saw a strong signal in the line test and hosts not resolving. Managers made snide comments about that not being the official procedure and "not displaying confidence in $ISP", but it fixed the problem.


Because what you get is often faster, more accurate and more resilient compared to the junk DNS run by most ISPs.

And because most site visits start with a Google search anyway.

And finally, because I am comfortable with their privacy statement : https://developers.google.com/speed/public-dns/privacy


I live in New Zealand where all the ISPs and mobile carriers provide fast and reliable DNS resolvers. I've looked into switching to alterntive DNS providers but every one of them are slower than my ISP's resolver. I'm aware that the sitation is quite different in the US and certan other countries, but I wish more Americans were aware that junk ISP-provided DNS servers seem to be an issue exclusive to certain countries (such as the US). I think it would be an intrerestin exercise to figure out why they occur in certain countries and not in other countries.


Sorry - I should have been clear. I am from India - and the ISPs here are quite bad. I have no idea about the USA ISPs.


Because in certain countries the ISP has to respect the legal regulations and so the DNS server provided/defined by each provider will block/redirect certain web sites. These could be torrent trackers, subtitle distribution sites, political and/or religious sites and so on... In some parts of the world alternate DNS servers allow people to access all sites :-)


Not to mention that some ISPs redirect users to pages full of ads when a domain doesn't exist or use DNS to MITM users and inject ads into pages.


I use it because I'd rather tell Google than my government, which is not on friendly terms with either US or Google.


I’m curious. What DNS server do you use? Or do you just memorize the IPs of the websites you want to visit? :P


you can run PowerDNS Recursor locally (or any DNS non stub resolver).

it's not that slower.


Cloudflare returns a proper response for me.

  nslookup archive.is 1.1.1.1
  Server:  1.1.1.1
  Address: 1.1.1.1#53

  Non-authoritative answer:
  Name: archive.is
  Address: 134.119.220.26


    dig @1.1.1.1 archive.is
    
    ; <<>> DiG 9.14.1 <<>> @1.1.1.1 archive.is
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46862
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,     ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1452
    ;; QUESTION SECTION:
    ;archive.is.                    IN      A

    ;; ANSWER SECTION:
    archive.is.             2998    IN      A       127.0.0.4

    ;; Query time: 52 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Sat May 04 21:03:36 CEST 2019
    ;; MSG SIZE  rcvd: 55

    dig @8.8.8.8 archive.is

    ; <<>> DiG 9.14.1 <<>> @8.8.8.8 archive.is
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5893
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,     ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;archive.is.                    IN      A

    ;; ANSWER SECTION:
    archive.is.             299     IN      A       94.16.117.236

    ;; Query time: 79 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sat May 04 21:04:28 CEST 2019
    ;; MSG SIZE  rcvd: 55


It's possible your ISP is intercepting all traffic for port 53 and sending it to their own nameservers (which do send client subset) instead of you actually taking to cloudflare's 1.1.1.1 at all.


Links for documented instances of this practice?


I don't know of any particular popular concrete instance, but why is it hard to believe? It's trivial to implement and would be brought to you by the same people who think serving ads for NXDOMAIN is a good idea.

https://www.dnsleaktest.com/what-is-transparent-dns-proxy.ht...


That link was useful, thank you. I don't find it hard to believe technically, but it strikes me as a fundamentally different practice than what I'd head of before. If I request for traffic to go to a certain IP, I expect it to be sent to that IP. MITMing and manipulating that traffic is bad, but not delivering it at all is qualitatively different. I suspect it could be grounds for a serious civil or criminal action.


I can confirm we run across transparent dns proxying with customers at DNSFilter all the time. Mobile carriers are the worst for doing this.

A few days ago it was a customers compromised router doing it.


I have personal witnessed this happening with Wind-Infostrada in Italy. DNS spoofing was done through the ISP provided fiber modem/router though, not at the ISP level; if you actually changed the DNS servers on the router than it would send all your queries to those routers instead of the ISP ones.

I couldn't figure out if this was plain incompetency, an attempt to enforce DNS-based website blocking, or some programmer willfully implementing the latter with the former so that it would be reasonably easy to circumvent.

Also Italian residential providers really, really like to mess with NXDOMAIN instead returning a helpful error page with affiliate links instead. You might think you can imagine how much shit this breaks; you probably don't.



ISPs in several countries I've been to do this to blacklist "objectionable" sites (which apparently includes reddit now) at the DNS level. Turning on DNS-over-HTTPS solves that.


If you don't mind could you look through: https://ooni.torproject.org/about/risks/

And if they sound acceptable run https://ooni.torproject.org/install/

It'll show you more about likely interception of your traffic.


Not for me:

    Server:  1.1.1.1
    Address: 1.1.1.1#53

    Non-authoritative answer:
    Name: archive.is
    Address: 127.0.0.4


https://developers.cloudflare.com/1.1.1.1/nitty-gritty-detai...

>EDNS Client Subnet

>1.1.1.1 is a privacy centric resolver so it does not send any client IP information and does not send the EDNS Client Subnet Header to authoritative servers.

What does this mean?



In Firefox I'm using DNS over HTTPS ( https://mozilla.cloudflare-dns.com/dns-query ) and there is no issue accessing archive.is. Actually I wanted to query archive.is manually but I don't know how to do it in DoH.


Firefox is likely falling back to your local resolver (the default) when it can't find a domain.


archive.org works fine with 1^4. What is the advantage of using archive.is?


Archive.org, the Internet Archive, and archive.is, a webpage capture service that seems to have a primary name of "Archive.today", are wholly separate concerns, offerring different services.


Interesting, I thought archive.is was an alternate domain of the Internet Archive, but it seems they are completely different people[1].

[1] https://en.wikipedia.org/wiki/Archive.today


Yes, but what is the difference between the two? That's really my question. Sorry if it wasn't clear.


Because you usually want to use the service that has the snapshot you want to view. And that isn't always archive.org. But it is my first place to go as well.


oh I thought my local pdns instance was misconfigured.. interesting


[flagged]


"Eschew flamebait. Don't introduce flamewar topics unless you have something genuinely new to say. Avoid unrelated controversies and generic tangents."

https://news.ycombinator.com/newsguidelines.html


...you know that Cloudflare terminated their service, right?

https://blog.cloudflare.com/why-we-terminated-daily-stormer/


And even if they hadn't, how would that make them "Nazi-friendly"? I've always supposed Cloudflare is meant to be neutral. They only kicked out DS because they were stupid enough to pretend CF was endorsing them.

And well, in any case this is unrelated to this thread...


I tried Cloudflare's DNS for a week or so and noticed lots of sites that were blocked. I ended up creating my own DNS server that I run on a VPS.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: