[return to "Does Cloudflare's 1.1.1.1 DNS Block Archive.is? (2019)"]
1. koboll+S9 2021-09-11 20:48:04
>>jahnu+(OP)
Out of curiosity - not defending the behavior - what kind of problems could omitting EDNS cause? What is the steelman case for Archive.is here?

The author says Archive.is's claim that it causes problems is "questionable", but he doesn't mention what those purported problems are or address why they're illegitimate, so it's hard to evaluate whether that's accurate.

◧◩
2. judge2+Qa 2021-09-11 20:54:34
>>koboll+S9
Archive.is uses ECS (EDNS Client Subnet, which sends the client IP's /24 to the authoritative resolver) for geo-based load balancing. The problem is that all IPs in a /24 are highly likely to belong to the same city for residential connections, so plugging it into a geoip service is likely to show the actual city & state that a request originates from (the entire point of ECS).

https://twitter.com/archiveis/status/1018691421182791680 (screenshot: https://aws1.discourse-cdn.com/cloudflare/original/3X/8/2/82... )

◧◩◪
3. saurik+re 2021-09-11 21:14:58
>>judge2+Qa
But when the user goes to use the IP address they got back, even more detailed information is going to be given to the endpoint; I can see this maybe being a benefit for TXT records or something?

Hiding ECS from DNS queries seems to mostly just further create imbalances between companies that can afford routing at the IP level over companies that want to do cheaper routing at the DNS level.

(And like, if you attempt to directly mitigate the final IP problem by using a VPN or CG-NAT or something, that same solution will work for the DNS resolver, so I really am seeing no benefit.)

◧◩◪◨
4. Hamuko+5g 2021-09-11 21:26:45
>>saurik+re
You can still do routing at DNS-level as long as you have a less dense infrastructure than Cloudflare.

>1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results.

◧◩◪◨⬒
5. raxi+Bh 2021-09-11 21:39:03
>>Hamuko+5g
>> 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results.

Cloudflare makes an exception to this rule for Archive.{today,is,...} domains. All queries for these domains come from Amazon EC2 in the U.S., not the 180 edges of Cloudflare. This was on blog.archive.today. Why? Who knows. But the decision to break up is made by both parties, not just the archive.

◧◩◪◨⬒⬓
6. Hamuko+pi 2021-09-11 21:45:13
>>raxi+Bh
Source?