zlacker

[return to "Does Cloudflare's 1.1.1.1 DNS Block Archive.is? (2019)"]
1. dimens+36 2021-09-11 20:25:12
>>jahnu+(OP)
amazing how cloudflare has framed this anticompetitive move as a privacy thing.

it doesn't matter if your dns resolver leaks part of your ip address to archive.is's dns servers when you're about to connect to archive.is from your ip address anyway. the only thing dropping the edns client subnet does is prevent services you use from giving you a server that's closer to you when you do the dns lookup. this performance issue, of course, does not affect sites using cloudflare.

◧◩
2. akerl_+I8 2021-09-11 20:40:53
>>dimens+36
Just so we’re on the same page: Cloudflare decided globally not to include client IP in the EDNS data. Then archive.is decided to block Cloudflare’s resolvers from getting accurate records for their site.

To circumvent this, Cloudflare would have to reverse their global stance or make a special exception to satisfy archive.is.

It’s unclear how we could draw “anticompetitive” from this.

◧◩◪
3. silisi+K9 2021-09-11 20:47:08
>>akerl_+I8
Understood, but why? Privacy is not an acceptable answer for the reasons OP stated. If Cloudflare gave a coherent, understandable reason, I'd probably be more on their side.

"Trust us, our network is big enough it will route right" is neither a good answer nor true.

◧◩◪◨
4. akerl_+Rc 2021-09-11 21:05:03
>>silisi+K9
Privacy isn’t an absolute pass/fail. Giving authoritative nameservers my IP via EDNS leaks my IP. Sure, other things also leak my IP, but that doesn’t mean we should throw in the towel and accept any new way to leak user data.

In many cases, DNS logs aren’t going to the same place as web server logs, so this keeps my data in fewer log files owned by fewer people.

◧◩◪◨⬒
5. cortes+uh 2021-09-11 21:38:34
>>akerl_+Rc
It isn’t the actual IP, it is the subnet. Leaks some info, but unless you own the entire subnet it won’t give up your identity.

https://en.wikipedia.org/wiki/EDNS_Client_Subnet

◧◩◪◨⬒⬓
6. judge2+sl 2021-09-11 22:10:58
>>cortes+uh
The entire point of ECS is to give the location, not the actual origin IP, which might be something you'd like to avoid giving away. The main point is that every resolver or network switch in the chain gets the ECS and would be able to combine it with the domain being requested. If you don't only visit Facebook/Google, your ipv4 /24 in combination with some obscure domain only you visit is very likely to give up your identity should an IX or resolver be watching for requests to such a domain.