zlacker

[return to "Does Cloudflare's 1.1.1.1 DNS Block Archive.is? (2019)"]
1. dimens+36[view] [source] 2021-09-11 20:25:12
>>jahnu+(OP)
amazing how cloudflare has framed this anticompetitve move as a privacy thing.

it doesn't matter if your dns resolver leaks part of your ip address to archive.is's dns servers when you're about to connect to archive.is from your ip address anyway. the only thing dropping the edns client subnet does is prevent services you use from giving you a server that's closer to you when you do the dns lookup. this performance issue, of course, does not affect sites using cloudflare.

◧◩
2. akerl_+I8[view] [source] 2021-09-11 20:40:53
>>dimens+36
Just so we’re on the same page: Cloudflare decided globally not to include client IP in the EDNS data. Then archive.is decided to block Cloudflare’s resolvers from getting accurate records for their site.

To circumvent this, Cloudflare would have to reverse their global stance or make a special exception to satisfy archive.is.

It’s unclear how we could draw “anticompetitive” from this.

◧◩◪
3. raxi+Dg[view] [source] 2021-09-11 21:31:43
>>akerl_+I8
Cloudflare (Matthew Prince personally, here on Hacker News few months ago) said that they do reverse that their global stance for Netflix and some other megacorps.

So this is a super-premium feature unavailable to small players.

CloudFlare just changed how DNS behaved and charge corps to make it work as it worked before CloudFlare entered the stage.

◧◩◪◨
4. akerl_+7h[view] [source] 2021-09-11 21:35:42
>>raxi+Dg
Do you have a citation for that? Sourcing from https://news.ycombinator.com/item?id=19828702 , they don’t reverse their global stance for large providers. Their stance is ~”Including client IP via EDNS violates our goal of maximizing user data privacy”, and what they’re working on with other large-scale providers is a way to improve geo-resolution without weakening user privacy.
◧◩◪◨⬒
5. raxi+Zi[view] [source] 2021-09-11 21:49:00
>>akerl_+7h
Exactly on your link, just ctrl-F for "Netflix":

"We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation".

Well, I might be inaccurate in saying "exactly the same protocol as before", but it is clear that what was available to every webmaster via EDNS, now available only to members of a closed club, via good old EDNS or a proprietary alternative. The latter is more likely, not because of privacy-caring, but because they could now charge it as license fee for using private protocol.

◧◩◪◨⬒⬓
6. judge2+Ol[view] [source] 2021-09-11 22:14:29
>>raxi+Zi
I think they mean they're working on an alternative standard, not anywhere near "we give you an API to match DNS requests to origin city". These talks might have been as simple as "we'll give you [and everyone] geoip information for the datacenters we request from based on IP, and you can load balance off that".
◧◩◪◨⬒⬓⬔
7. raxi+2n[view] [source] 2021-09-11 22:24:00
>>judge2+Ol
I do not think it has much sense if the standard is the good-old-EDNS or something new, for example supplying city name in a text form instead of hiding last bits of IP as EDNS does.

Google's 8.8.8.8 provides client-ip via EDNS to every webmaster. Zeroing at least 8 bits for privacy - it was made with privacy in mind too. The privacy could be tuned by zeroing 10+ instead of 8+ bits, etc. There is nothing wrong with EDNS and privacy, which would require to abandon ENDS with privacy stancas.

And Google provides that FOR FREE. To everyone.

How can I - as webmaster - get similar info from 1.1.1.1? Not being a Silicon Valley megacorp.

◧◩◪◨⬒⬓⬔⧯
8. akerl_+En[view] [source] 2021-09-11 22:27:40
>>raxi+2n
Again, you keep presenting this as something Cloudflare provides to “megacorps” for money. There’s no evidence this is the case, it’s just your speculation.

I’m really sorry that you somehow depend heavily on EDNS Client Subnets, a feature that was only standardized 5 years ago. But it’s optional, per the spec, and Cloudflare has published their rationale for not enabling it on their resolvers.

◧◩◪◨⬒⬓⬔⧯▣
9. raxi+6o[view] [source] 2021-09-11 22:30:54
>>akerl_+En
Please, tell me - not a megacorp webmaster - how can I opt-in to Cloudflare program available to Facebook/Netflix, to get what is available freely as the source IP of UDP packet in the absence of planet-wide public resolvers and what Google gives for free trying to mitigate the inconvenience caused by the planet-wide resolver.

Indeed, my texts about possible motivation is speculations, but I do understand why webmasters block CloudFlare DNS.

I wonder why there are so few of them.

◧◩◪◨⬒⬓⬔⧯▣▦
10. akerl_+Mo[view] [source] 2021-09-11 22:37:16
>>raxi+6o
“We publish the geolocation information of the IPs that we query from”, from the linked comment above. They publish the same info to you and Netflix and me and Amazon.

You keep presenting a difference between what “you” get and what a “megacorp” gets, without any evidence that they’re getting something different from you. You also sidestep here into a complaint against “planet wide resolvers”. To a rounding error, nobody is running their own recursive resolvers. Everybody uses either their ISP’s DNS provider or one provided by a large network entity, virtually all of which are companies. This has been the case for decades. So anybody relying on the source IP of the UDP packet is just out of luck, and has always been out of luck. It’s clear you wish this wasn’t the case, but Cloudflare and Google aren’t really changing the game here, and they don’t owe you optional features because you really want to see user IP data.

◧◩◪◨⬒⬓⬔⧯▣▦▧
11. raxi+kv[view] [source] 2021-09-11 23:37:48
>>akerl_+Mo
I guess you just do not understand what EDNS is, and why it is optional and why its optional-ness is not a pro-CloudFlare argument.

It is very simple:

Query(source IP is an ISP in Paris, no EDNS): gimme IP of "website.com"

WebsiteComDNS: IP of the server closest to Paris

Query(source IP is Google, no-EDNS): gimme IP of "website.com"

WebsiteComDNS: Hm, it is likely Google Cloud, or GoogleBot, answer with IP of own server on Google Cloud

Query(source IP is Google, EDNS: I am acting on behave of an user in Paris): gimme IP of "website.com"

WebsiteComDNS: IP of the server closest to Paris

Query(source IP is Cloudflare, no-EDNS): gimme IP of "website.com"

WebsiteComDNS: where the fuck is CloudFlare? Africa? answer with something random

◧◩◪◨⬒⬓⬔⧯▣▦▧▨
12. akerl_+fC[view] [source] 2021-09-12 00:52:01
>>raxi+kv
I appreciate that you’ve moved from assuming what Cloudflare is doing to assuming what I understand. I think this thread has run its course.
◧◩◪◨⬒⬓⬔⧯▣▦▧▨◲
13. raxi+PD[view] [source] 2021-09-12 01:07:58
>>akerl_+fC
I concluded that from sentences like "they don’t owe you optional features because you really want to see user IP data" which reveal misunderstanding on who is sending queries and who decides what to answer to those queries.

From your text it looks like webmasters are sending requests to CloudFlare to get user's IP.

This is totally wrong.

It is CloudFlare wants to see server IP and in the query it has to explain how they will use this info, to which region they will forward my server IP.

That is what EDNS-client-IP for.

If the requester refuses to explain why they need the server IP address for (and their goal cannot be derived from the source IP of the UDP packet, like in the case of local ISP resolvers), they may be denied the privilege of the honor of receiving responses.

[go to top]