zlacker

Tell HN: Archive.is inaccessible via Cloudflare DNS (1.1.1.1)
1. eastda+d6 2019-05-04 19:31:43
>>ikeboy+(OP)
We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nation-state actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

EDNS IP subnets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.

We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.
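To make concrete what the "EDNS subnet information" in this thread actually is, here is an added example (not code from any commenter or from Cloudflare) that encodes and decodes the EDNS Client Subnet option as laid out in RFC 7871 section 6, and shows the zero-length "opt out" form from section 7.1.2 that a resolver can send instead of a client prefix. The client addresses are constructed documentation-range samples.

```python
"""Encode/decode the EDNS Client Subnet (ECS) option, RFC 7871 section 6."""
import ipaddress
import struct

ECS_OPTION_CODE = 8               # OPTION-CODE assigned to EDNS Client Subnet
FAMILY_IPV4, FAMILY_IPV6 = 1, 2   # FAMILY values used by ECS


def encode_ecs(client_ip: str, source_prefix: int) -> bytes:
    """Build the ECS option (OPTION-CODE, OPTION-LENGTH, data) a resolver adds
    to an outbound query. Only ceil(source_prefix/8) address octets are sent and
    bits beyond the prefix are zeroed, as the RFC requires."""
    ip = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("prefix length out of range for address family")
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8
    addr = network.network_address.packed[:nbytes]
    # SCOPE PREFIX-LENGTH must be 0 in queries; the authority fills it in replies.
    data = struct.pack("!HBB", family, source_prefix, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def decode_ecs(option: bytes) -> dict:
    """Parse an ECS option and report what an authoritative server learns."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    data = option[4:4 + length]
    family, source, scope = struct.unpack("!HBB", data[:4])
    addr = data[4:]
    if len(addr) != (source + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    full = 4 if family == FAMILY_IPV4 else 16
    ip = ipaddress.ip_address(addr + b"\x00" * (full - len(addr)))
    return {"family": family, "source": source, "scope": scope,
            "prefix": f"{ip}/{source}",
            "addresses_in_prefix": 2 ** (ip.max_prefixlen - source)}


def opt_out_ecs(family: int = FAMILY_IPV4) -> bytes:
    """SOURCE PREFIX-LENGTH 0 with no ADDRESS octets (RFC 7871 section 7.1.2):
    the resolver signals it wants no subnet-tailored answer and carries no
    client information at all, which is the privacy-preserving form."""
    return encode_ecs("0.0.0.0" if family == FAMILY_IPV4 else "::", 0)
```

Decoding the IPv4 option for a /24 shows the authority narrowing the client to 256 addresses, while the recommended IPv6 /56 covers 2^72, which is why the IPv6 case is considered less exposing.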

2. notyou+mE 2019-05-05 02:53:50
>>eastda+d6
Alternatively:

Cloudflare simply is making a subversive play against their competitor CDNs. Client subnet of a DNS request is used for initial rough mapping by Cloudflare competitors such as Akamai (definitely) and I believe Fastly (and probably others). Stripping it easily adds at least a few milliseconds to the time to first byte and most likely results in a request re-routing on the second or third request.

After all, no other CDN is operating a well used public resolver.

3. miyuru+mO 2019-05-05 06:10:20
>>notyou+mE
As this is related to CDN, I am gonna leave it here.

The irony is one.one.one.one is marketed as a gateway to a faster internet, while making CDNs that use GeoDNS slower.

All it takes is a bad route to a far away Cloudflare POP to make your internet much slower. Case in point: [1]

I really don't see why no EDNS is considered private, as it only sends the IP subnet. [2] And on IPv6 the IP is far more protected.

If you care that much about privacy, you should be using a VPN.

[1] https://pastebin.com/raw/QnbWXU1a

[2] https://tools.ietf.org/html/rfc7871#section-11.1

4. swingl+cj3 2019-05-06 16:36:08
>>miyuru+mO
> If you care that much about privacy, you should be using a VPN.

Another point: if you care about privacy, why use a third-party resolver that you have to "trust"?

Use the ISP resolver; they can see all your traffic anyway if they want to.

Alternatively, cut out all the middle men and run your own recursive resolver. It's not complicated to do so; there's other software than BIND for doing it.
