Archive.is’s authoritative DNS servers return bad results to 184.108.40.206 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nation-state actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 220.127.116.11.
EDNS IP subnets can be used to better geolocate responses for services that use DNS-based load balancing. However, 18.104.22.168 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.
We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.
I hesitate to compare this to Apple calling themselves “courageous” when removing the headphone jack, but in this case, I think the word is appropriate. I’ll happily stand behind you guys if you take some PR hits while forcing the rest of the industry to make DNS safer – since it is understandable, admittedly, for users to conclude that “Cloudflare is blocking websites, sound the alarms!” at first glance.
Your boss is talking about not "violating the integrity of DNS" and presents this case where upstream archive.is name servers return unexpected data. He proposes that CloudFlare cannot "just fix it" because doing so "would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service". However, Cloudflare chose to "just fix it" back then by "slapping a bandaid" on something your team saw as a problem instead of abiding by the proper change process. And Cloudflare did so not because of some critical security flaw, but as a cost-cutting measure.
Even if we limit what it means to "violate the integrity of DNS" to the first definition mentioned above (and completely ignore this second definition), Cloudflare "slapped a bandaid" on a PR problem it had a couple of years ago and decided to "just fix it" and "block a domain" by removing the domain and its assets from Cloudflare's infrastructure. 
Cloudflare has "violated the integrity of DNS" on more than one occasion using more than one of its own definitions.
Cloudflare "MUST" either adhere to the specification and its change process, or not adhere to the specification and its change process. Cloudflare "CANNOT" choose for both of these statements to be true, and one of them constitutes "violating the integrity of DNS".
(This is not meant to suggest that archive.is's DNS response is appropriate, or that CF's setup is inappropriate.)
(Just to check my understanding of ECS: it's an extension to DNS that sends the user's subnet in the request, and gets relayed with the request, s.t. an authoritative server can respond with a geo-location appropriate response/IP.)
That assumes that the nameserver and the actual server are run by the same party which quite often is not the case.
Cloudflare can check if nameserver and the actual server are run by different parties, and if so omit subnet information from EDNS response. It is not hard to implement — Google and OpenDNS used to require manual whitelisting to receive EDNS subnet responses (not sure if they still do).
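The exchange above (Cloudflare's explanation of why it omits the EDNS subnet, the question of what ECS actually carries, and the suggestion that a resolver could forward it selectively) is easier to reason about with the option's wire format in hand. This is an added example, not code from the thread or from Cloudflare: it encodes and decodes the ECS EDNS0 option as laid out in RFC 7871, and a toy `forward_ecs` policy shows the difference between omitting the option and forwarding only a truncated prefix. The client addresses are constructed documentation addresses.

```python
# Added example (not from the thread): build and parse the EDNS Client Subnet
# (ECS) option from RFC 7871 to show exactly what a resolver reveals about a
# client when it forwards ECS to an authoritative server.
import ipaddress
import struct
from typing import Optional

ECS_OPTION_CODE = 8           # EDNS0 option code assigned to ECS by IANA
FAMILY = {4: 1, 6: 2}         # address family numbers used in the option

def truncate(addr: str, prefix_len: int):
    """Zero the host bits so only the first prefix_len bits of the client survive."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False).network_address

def build_ecs(client_ip: str, source_prefix_len: int) -> bytes:
    """Encode option data: family, source prefix, scope (0 in a query) and only
    as many address octets as the prefix needs (RFC 7871 section 6)."""
    ip = ipaddress.ip_address(client_ip)
    nbytes = (source_prefix_len + 7) // 8
    addr_bytes = truncate(client_ip, source_prefix_len).packed[:nbytes]
    data = struct.pack("!HBB", FAMILY[ip.version], source_prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def parse_ecs(option: bytes) -> dict:
    """Decode an ECS option, padding the truncated address back to full width."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    data = option[4:4 + length]
    family, src_len, scope_len = struct.unpack("!HBB", data[:4])
    raw = data[4:]
    full = 4 if family == 1 else 16
    addr = ipaddress.ip_address(raw + b"\x00" * (full - len(raw)))
    return {"family": family, "source_prefix": src_len,
            "scope_prefix": scope_len, "address": str(addr)}

def forward_ecs(client_ip: str, policy: str) -> Optional[bytes]:
    """Hypothetical resolver policy: 'none' omits ECS entirely (the behaviour the
    thread describes for Cloudflare's resolver); 'truncated' forwards only the
    /24 (IPv4) or /56 (IPv6) prefix that RFC 7871 recommends as a maximum."""
    if policy == "none":
        return None
    ip = ipaddress.ip_address(client_ip)
    return build_ecs(client_ip, 24 if ip.version == 4 else 56)

if __name__ == "__main__":
    # Constructed client address; compare what a /32 leaks with a /24.
    for plen in (32, 24):
        print(plen, parse_ecs(build_ecs("192.0.2.77", plen)))
    print("omitted:", forward_ecs("192.0.2.77", "none"))
    print("truncated:", parse_ecs(forward_ecs("2001:db8:abcd:1234:5678::1", "truncated")))
```

Even the truncated form still identifies the client's network to every authoritative server on the path, which is the leak the thread is arguing about; the option is also sent in the clear unless the resolver-to-authoritative hop is itself encrypted.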
Cloudflare's CDN leaks user's full online identity to Google via reCaptcha, especially when you use Tor. Maybe they should ask Google to be satisfied with client's subnet too?
Since HTTPS traffic already reveals communicating IPs to nation-state actors, could you clarify what attack vector removing user IP info from authoritative DNS queries protects against?
In what way does Cloudflare publish its PoP geolocation? Is it a Cloudflare-specific API? Why not fake EDNS subnet info by providing the PoP’s?
I notice of course that Google, Facebook, and Netflix still work on 22.214.171.124. Does this mean they’re currently using Cloudflare PoP geolocation in lieu of EDNS subnet information?
CloudFlare decided its DNS should be the authority to the end user and Archive.is's DNS should be the authority only to CloudFlare. CloudFlare is breaking the bond between the end user and the Service provider.
What CloudFlare is doing is centralizing authority to itself rather than allowing authority to be distributed to all owners of the domains as intended. An argument can be made that by using 126.96.36.199 you are granting CF permission to act in this role - some users may even prefer it.
Cloudflare simply is making a subversive play against their competitor CDNs. Client subnet of a DNS request is used for initial rough mapping by Cloudflare competitors such as Akamai (definitely) and I believe Fastly (and probably others). Stripping it easily adds at least a few milliseconds to the time to first byte and most likely results in a request re-routing on the second or third request.
After all, no other CDN is operating a well used public resolver.
The irony is one.one.one.one is marketed as a gateway to a faster internet, while making CDNs that use GeoDNS slower.
All it takes is a bad route to a far away cloudflare POP to make your internet really slower. Case in point.
I really don't see why no EDNS is considered private, as it only sends the IP subnet. And on IPv6 the IP is far more protected.
If you care that much about privacy, you should be using a VPN.
Another point; if you care about privacy, why use a 3rd party resolver that you have to "trust"?
Use the ISP resolver; they can see all your traffic anyway if they want to.
Alternatively, cut out all the middle men and run your own recursive resolver. It's not complicated to do so, there's other software than Bind for doing so.
The operator of archive.is claims that they suffer from a "massive mismatch" between those query IPs and actual traffic. Any idea why? [Is that claim wrong? Is archive.is to blame? Is cloudflare to blame? Are ISPs badly routing the DNS queries?]
Do you have stats on how well the geolocation works in practice?
The current effect is I stop using 188.8.131.52 when I need archive.is (often) and set it back the next time I’m messing with my network settings.
As an aside, I used to think that when Emerson said that “a foolish consistency is the hobgoblin of little minds” he meant that we were foolish to try and be consistent. Increasingly I wonder if instead he meant that when you’re trying to reason with people who may not have the same detailed knowledge of a problem as you, there’s an enhanced importance to being consistent. Unfortunately, most policy makers globally don’t have a detailed understanding of how technical systems like DNS work, so we think it’s especially important we be consistent.
184.108.40.206 does not send EDNS ECS data, specifically because of the privacy concern. So the hypothetical secondary resolver would need to send that data, for people who aren’t concerned about the privacy implications / want to get to archive.is.
Given CloudFlare’s stated message of prioritizing privacy, it seems unlikely they’d stand up infrastructure that behaved like 220.127.116.11 except that it leaked more private information.
You'll need to add a hosts file to your iCloud Drive.
Although, I believe Cloudflare DNS app on iphone uses a VPN iOS API to do its thing, so it should be possible to put dnsmasq-like functionality into an iOS app. I don't know if this exists already.
"Earlier today, Cloudflare terminated the account of the Daily Stormer. We've stopped proxying their traffic and stopped answering DNS requests for their sites. We've taken measures to ensure that they cannot sign up for Cloudflare's services ever again."
I'll keep using non-logging, encrypted OpenNIC servers, since you seem to selectively censor instead of only blocking terrorists and cp.
The Daily Stormer is free to get their business elsewhere and it's still up on the internet. Cloudflare didn't want to be associated with this kind of content, and thus terminated their business relation.
We don't NEED Cloudflare to keep the internet integrity (if we did, it would go pretty badly...) but we do need DNS to keep the internet integrity.
> I'll keep using non-logging, encrypted OpenNIC servers, since you seem to selectively censor instead of only blocking terrorists and cp.
Why are you censoring Cloudflare? /s
CloudFlare is very basic infrastructure and there are a handful of companies providing such infrastructure, thus a group can be effectively deleted from the Internet if these companies decide or are pressured to do so. (Example of pressuring: Patreon dropped some accounts at the behest of Mastercard.)
So maybe the real question is, "does this notion of the integrity of DNS extend to other basic infrastructure services?"
Imagine it's HTTP, and the site sent a 404 to your proxy, but you knew it generally sent a 200 to other proxies, what should you do? Send the 404, or override it with your own status code? Cloudflare is saying they are not OK with overriding codes.
Such a post might A) get better SEO than an HN thread for 'cannot access archive.is [or ...]' and B) help change its behaviour.
I assume they'd just have to go along with such legal demands, or withdraw from the relevant country, unless the penalty for not complying was very small.
It will probably become an issue some day. In Australia, for example, courts can issue DNS bans of particular sites to individual ISPs. You can avoid these bans entirely by using a service like Cloudfare DNS.
$ host -t a lancaster.ac.uk
lancaster.ac.uk has address 18.104.22.168
$ host -t a lancaster.ac.uk 22.214.171.124
Using domain server:
lancaster.ac.uk has address 126.96.36.199
This is probably where I get banned from HN but it has to be said - to posture as if you care about end users while in the same breath taking money from extremists and turning over personally identifiable information to far-right outlets like DailyStormer, is disingenuous at best and I can think of other ways to describe it which are less charitable.
You also host and protect 8chan.
The concept of Free Speech is the most important right we have as humanity; while I may not agree with some people's words I will fight for their right to say those words.
And do not even come at me with "well they are private company"; we impose all kinds of regulations on private companies when it comes to basic human rights like free speech and Free Association, for example private companies cannot refuse service based on race, sex, age, etc.
Yet you WANT them to censor content, censor speech. You want them to apply your left authoritarian world view to legal speech, and yes everything you have cited is LEGAL SPEECH in the USA.
If there are actual threats, True Threats as defined in US law, then the police should be involved and the people arrested. If there is defamation or other illegal speech then the courts should be involved
It should NOT be the position of private companies to regulate speech online
Platform Access Is A Civil Right.
Silicon Valley is full of Authoritarians that believe the Tech Companies should be our overlords and be allowed to choose what "truth" is, and who can reveal that "truth" to you.
I realize that’s a slippery slope, but I just don’t trust the public to filter for themselves any more.
Free Speech is the most powerful tool Minorities and oppressed people through out the world have to end their oppression, and you just want to strip it away because of fear...
How can you not see how utterly dangerous this idea is, how can you ignore all of human history to believe it is a good idea to suppress speech.
It is not a slippery slope at all, it is the termination of basic human rights, it is the return to the dark ages, to Totalitarianism.
You hope that by installing a regime of censorship and speech control you will end "lies" and/or "hate" when in reality you will ensure its continued existence and growth while taking away people's power to challenge it in the open light of public debate.
Generally, an independent judiciary is the arbitrator of truth.
Free speech has never been absolute. Free speech does not protect intentionally false speech. For example, tricking people to give you money is fraud. Libel is too. You can support free speech while also protecting truth. When the issue pops up, a judge determines who's right and wrong.
Almost all of the content the Authoritarian left wants to be banned today the independent judiciary has already ruled many times to be Legal Speech under the US definition of Free Speech
> Free Speech is the most powerful tool Minorities and oppressed people through out the world have to end their oppression,
So in order to protect the oppressed, we should allow their oppressors an equal platform to share their totalitarian views?
The other side (what we currently have) is equally as bad, if not worse. Right now you have a situation where the BBC in the name of "fairness" gives equal air time to a political party who only exist as a protest vote, and they allow climate change deniers to air their views against scientists. Public debate doesn't work based on facts, it works based on emotions, and it doesn't matter how nuanced or level headed your response is, "think of the children" or "the government is trying to suppress our rights" are emotional arguments that consistently trump facts and reason. Free speech isn't a right for you to have a platform to voice your opinion, it's a right to not have your opinion be suppressed by the government.
I don't have a solution, but at some point you have to accept that tolerance of intolerance is intolerance, and when we're talking about a single incident of a platform that claims Marital Rape is ok, and that murdering 50 people because of their religion is "a prank", they are objectively the oppressors, not the oppressed.
Yes. That's one of the founding principles of America. Cloudflare is a common carrier like a telco, not a hosting provider. The content on websites that use them as a CDN shouldn't be paid attention to by Cloudflare one way or another, as long as it's legal. This is their position, and it's the correct and most moral one. You also seem to be missing the fact that Cloudflare famously banned Daily Stormer; the only time they've ever banned any website: https://blog.cloudflare.com/why-we-terminated-daily-stormer/
The best way to empower extremists is by trying to stamp them out. You can never, ever win when your primary weapon is censorship. Fascism thrives and festers in darkness.
Yes, for many reasons. One should not be celebrating moving the Cliff of Censorship on the basis of "Dangerous Individuals" like Facebook recently did.
>Free speech isn't a right for you to have a platform to voice your opinion, it's a right to not have your opinion be suppressed by the government.
100% incorrect. Free Speech is a social concept that is often codified into law, as throughout history governments are the ones that often use the power of censorship to silence dissent; however threats by government are NOT the only threat to free speech.
Free Speech is a cultural value first; it has become a legal articulation based on that cultural value. Platform Access Is A Civil Right. You should now have the same right to speak on Facebook, Twitter, and Instagram that you do in a public park.
If you would not celebrate government censoring opinions you dislike why would you celebrate corporations doing it?
>>I don't have a solution, but at some point you have to accept that tolerance of intolerance is intolerance
The US Supreme Court disagrees with you; you cannot fight intolerance by suppression. It has never worked in all of history, it only makes the extremism more extreme and violent. One can make the strong case that the more society pushes these people out of the sunlight the more violent they become, and if they were allowed into the modern public square, where their ideas would be challenged, debated and debunked, there is a high probability there would be LESS violence.
Censorship does nothing but drive extremism underground allowing it to fester, become more extreme, and then you get violence. This is also true for other forms of Censorship. Take for example the recent bills to "stop human trafficking" by censoring platforms and making them liable for it. Did it actually stop any human trafficking? No, all it did was drive it underground making it harder for law enforcement to track and stop, while suppressing lots of legitimate speech; it had massive negative effects on voluntary sex workers, and untold other unintended consequences. This censorship was a net negative both in its stated goal, and for freedom in general. It accomplished nothing but taking the rights away from people.
Once your Nation has a "Chief Censor" you know you have gone away from anything that could be considered Free Speech.
The logical extension of your argument is that the public is not trustworthy enough to even choose their leaders.
Free speech isn't a danger to democracy, thinking like this is.
Where does daily stormer fall in the “etc.” part?
Many states, including California, have political ideology as a protected class as well.
IMO companies run afoul of that when they start banning people for subjective ideology based reasons like "hate speech", which is not illegal in the US, and is every bit as much based in political ideology when making the determination as to what is "hate".
Journalists like Robert Evans are courageous:
Researchers like Whitney Phillips are courageous.
I'm just disgusted.
It is hostile to customers who want to troubleshoot wtf apps are doing.
Users/programs/IoT can choose to use DNS-over-TLS or DNS-over-HTTPS, but that's not Cloudflare's fault.