zlacker

>>lolind+(OP)
Cloudflare CEO Matthew Prince answered this directly on HN: >>19828702

Most relevant piece but the whole comment is worth a read:

> Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

> The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users.

Honestly it's that type of thing (the frankness, the presence on HN, willingness to participate, the principled stand on privacy) that got me into Cloudflare products. I now generate hundreds per month in revenue for them and that will likely be thousands in the next year or two. His time/effort on HN directly led to customer acquisition and revenue.

That said I do worry about the incentives Cloudflare has to their big customers. CF is a great tool for site owners, but like any tool has the potential to be a great evil (against the user) if the principles ever wane. It's already being used by a lot of sites to make life a living hell for people behind a VPN. As a site owner I absolutely get it: practically zero of my legitimate traffic comes from VPNs (our main demographic tend to skew older and much less technical than the average consumer), but all of the automated attacks against me do. Balancing freedom and rights is hard, but I deeply appreciate the thoughtfulness and principles that CF has displayed over the years.

>>freedo+Ka
In this particular case we truncate EDNS to protect the privacy of users because we believe 1) privacy is a fundamental human right; and 2) the original sin of the Internet is that IP addresses are too closely tied to the identities of individuals and services. Truncating EDNS is trying to honor #1 and overcome #2. So is our work on protocols like Oblivious DNS. This work, frankly, upsets some of our customers or potential customers (like Archive.is). But it’s the right thing to do for the long term health of the Internet.

>>eastda+Wc
This, and Warp's insistence on passing my origin IP to my destinations, are two things I wish I could customize when using Cloudflare. Before going corporate OpenDNS had something similar, and you could even set up custom behaviors per origin IP (for home and work), which I miss. These are good defaults, but I wish to change the defaults while also allowing particular domains to get my full EDNS info, like particular CDNs.

While I'm here, I'd also like to layer Zero Trust and Warp+ so I can toggle my internal network while staying on Warp+.

Also, the separation in Zero Trust and tunnels between routed DNS names and private IPs is very confusing. Why do I need both?

Custom DNS entries for Zero Trust DNS would be nice, so I could point internal domains to the external routing without having to have public DNS, or even have the domains match.

>>jshier+P91
> Warp's insistence on passing my origin IP to my destinations

IIRC WARP was only able to forward your origin IP to websites using Cloudflare. Then, as of Aug 2022, their FAQ[1] says your origin IP is hidden regardless of which website. Their IPs do reveal your geolocation though.

There was a bug[2] that revealed your IP to select websites; that seems to have been fixed by Nov 2022.

Disclaimer: I’m not knowledgeable enough to test every possible IP leak mechanism (like WebRTC), so I didn’t do that. I’m basically taking their word for it.

[1] https://developers.cloudflare.com/warp-client/known-issues-a...

[2] https://community.cloudflare.com/t/beware-cloudflare-warp-do...