Why does 1.1.1.1 not resolve archive.is?

>>stargr+(OP)
This link and the two answers within demonstrate something important, broader than the DNS related issue at hand.

Both make implicit assumptions. One assumes the worst of Cloudflare and thinks “what’s the worst reason Cloudflare could have for doing this. How do they profit off this?” And the other assumes that Cloudflare has good intentions.

Neither answer is technically wrong. Both flow logically from their initial assumptions. But it shows how different our conclusions can be depending on where our initial biases lie. For the person who believes the first answer and says “prove to me that Cloudflare isn’t doing something nefarious”, it’s not possible. The analysis is correct and can’t be challenged unless the initial assumption is challenged. And for people who strongly believe that Cloudflare has bad intentions, nothing can be done to change their mind.

In this example it’s Cloudflare but it applies to any person or organisation that we feel strongly about.

>>nindal+K6
The second one is not an assumption, it's Cloudflare's official position. For a person who is against Cloudflare, I feel like this would only serve to reinforce the confirmation bias as there's seemingly no person except a Cloudflare employee willing to step up and defend the action.

So, yes, good observation.

>>chesch+F8
Arguably, no one except a Cloudflare employee could know the reason why they took this decision. A random person speculating “maybe they did this for privacy reasons” doesn’t strike me as better than Cloudflare saying “we did this for privacy reasons”.

And while the second answer is a statement, not an analysis the rest of what I said holds. You will only accept their statement as the truth if you assume good intent of them.

>>nindal+k9
Corporations operate for profit.

>>113+s9
Indeed - but there are other ways to make money than to sell of your personal information to the highest advertising bidder.

>>tedk-4+Q9
Such as, in Cloudflare's case, selling our service (the DDoS protection, the caching, the firewalling etc.) to companies that pay for that service because it helps them.

While at the same time working to preserve people's privacy with things like giving out SSL for free, pushing for eSNI, running a public DoH server, building a service that makes sure all data from your phone to us is encrypted etc. etc.

>>jgraha+ob
If you're trying to preserve people's privacy, why doesn't the 1.1.1.1 VPN service also mask originating IP?

>>tomp+ny
Warp isn't trying to "hide your IP from the sites you are visiting". It's there to help prevent intermediaries from observing your traffic. A huge percentage of the web is still unencrypted HTTP.

And Warp+ aims to be about that plus performance.

If you want to be totally anonymous on the Internet then I recommend you use Tor. If you just use a VPN then you may hide your IP address from sites you visit but there are tons of other fingerprinting techniques that can be used.

>>jgraha+CB
I understand all that, and you didn't answer my question. Why do you push the narrative that 1.1.1.1 DNS resolver protects user privacy (by hiding originating IP / subnet) whereas 1.1.1.1 VPN gladly reveals that data? In both cases, the destination is hidden to any eavesdroppers, but in the latter case (VPN) the source IP is visible to the destination website, whereas you keep insisting how vital it is to hide source IP in the former case (DNS).

>>tomp+zG
In the case of Warp, we add the connecting IP information as a header to the HTTP request for sites on Cloudflare. This will typically be inside TLS to the origin server, and so the source IP information will be encrypted and only visible to the web site being visited.

In the case of DNS information about the subnet, the query etc. is sent around unencrypted.

One is open to eavesdropping, the other is not.

>>jgraha+jJ
Someone capable of eavesdropping on that query sure as hell capable of eavesdropping on incoming connections to 1.1.1.1 where they can see actual IP address that initiated the query. There is no way to justify this as a privacy feature. Well, unless people don't understand enough to believe you.

>>zzzcpa+EK
Not really. An eavesdropper can sit in front of the authoritative server for a site and eavesdrop on all the DNS queries with EDNS information. That's one place they need to be.

To eavesdrop on Warp you'd need to do it all over the world, capture encrypted traffic and then try to correlate traffic. If your threat model is a global adversary capable of doing that correlation and you don't want sites to know your IP, then use Tor.

>>jgraha+2M
> An eavesdropper can sit in front of the authoritative server for a site and eavesdrop on all the DNS queries with EDNS information.

No, they can sit near your 1.1.1.1 servers and catch all incoming and outgoing traffic, watching connections to your 1.1.1.1 servers that initiate DNS queries and actual outgoing queries that 1.1.1.1 makes to authoritative servers and responses too.

>>zzzcpa+6N
So if we're talking just about unencrypted DNS to 1.1.1.1 then you're assuming an entity capable of sitting in front of us in 194 cities worldwide.

vs

With EDNS sitting in front of the authoritative server of the site this actor is trying to monitor.

The latter is easier than the former.

zlacker