I noticed I couldn't connect to archive.is; eventually I figured out it was an issue with Cloudflare DNS, 1.1.1.1. Checking nslookup confirms this:
nslookup archive.is 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: archive.is
Address: 127.0.0.4

nslookup archive.is 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: archive.is
Address: 94.16.117.236
Cloudflare is returning a localhost address which prevents you from accessing the website.
https://community.cloudflare.com/t/archive-is-error-1001/182...
> Nameservers responsible for archive.is (ben.archive.is, anna.archive.is) are returning answers tailored to the IP address of the requestor.
And indicate that anyone who knows how to contact archive.is can ask them to resolve the issue:
> If you have a contact on the domain owner, you can ask them to fix this.
EDIT: This is knowingly blocked by archive.is. Reasoning and discussion elsewhere in post comments. No need to contact archive.is about it, they’re clearly aware.
Unfortunately, Archive.is has to fix it from their nameservers and we cannot do anything from our side. You can read more about it here: https://community.cloudflare.com/t/archive-is-error-1001/182...
Disclaimer: I work at Cloudflare
[1] https://developers.cloudflare.com/1.1.1.1/nitty-gritty-detai...
[2] https://twitter.com/archiveis/status/1018691421182791680
Would like to point out that Cloudflare's resolver is EDNS compliant, it just doesn't send the client subnet.
See: https://twitter.com/archiveis/status/1018691421182791680 (picture of tweet https://aws1.discourse-cdn.com/cloudflare/optimized/3X/8/2/8... )
Based on that tweet, the owner has a personal grudge against Cloudflare and is choosing to return bad results.
What makes the response incorrect? I was under the impression that DNS implementations were under no "practical" obligation to return consistent queries to differing requester IP addresses (hence stuff like split-horizon DNS and EDNS: https://developers.google.com/speed/public-dns/docs/ecs )
>EDNS Client Subnet
>1.1.1.1 is a privacy centric resolver so it does not send any client IP information and does not send the EDNS Client Subnet Header to authoritative servers.
What does this mean?
> We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.
So it's not just "Cloudflare benefits from pushing anycast" (even if that's part of it).
Many setups proxy everything but dns traffic.
That's why this topic is a thing.
https://trac.torproject.org/projects/tor/wiki/doc/Preventing...
https://www.dnsleaktest.com/what-is-transparent-dns-proxy.ht...
dig @carl.archive.is archive.is A +noedns
responds 134.119.220.26
curl http://134.119.220.26 -H 'Host: archive.is' -v
responds with HTML of the site.
I'm not a dig expert, but I believe this means it works without EDNS. I think that means archive.is is specifically blocking Cloudflare's servers, not blocking all non-EDNS requests.
https://ednscomp.isc.org/ednscomp/6ed2aca587
EDNS Compliance Tester says that archive.is has some issues.
> Minor problems detected!
> This domain does not support latest DNS standards.
And if they sound acceptable run https://ooni.torproject.org/install/
It'll show you more about likely interception of your traffic.
- 1.1.1.1
- Neustar DNS
- AdGuard DNS
But they don't block Quad9 or CleanBrowsing that also do not send the EDNS subnet. Very curious way of blocking itself out of the Internet. OpenDNS blocks it (sends to their block page):
https://dnsblacklist.org/?domain=archive.is
Would love to hear from someone from archive.is what is going on.
I assume they'd just have to go along with such legal demands, or withdraw from the relevant country, unless the penalty for not complying was very small.
It will probably become an issue some day. In Australia, for example, courts can issue DNS bans of particular sites to individual ISPs. You can avoid these bans entirely by using a service like Cloudflare DNS.
This is probably where I get banned from HN but it has to be said - to posture as if you care about end users while in the same breath taking money from extremists and turning over personally identifiable information to far-right outlets like DailyStormer, is disingenuous at best and I can think of other ways to describe it which are less charitable.
You also host and protect 8chan.
https://twitter.com/ncweaver/status/1124091916520497153
https://twitter.com/klarajk/status/1122625367490146304
https://twitter.com/Riverseeker/status/1122612031234945024
https://twitter.com/slpng_giants/status/1123592717341200384
https://twitter.com/NathanBLawrence/status/10562868097418199...
https://twitter.com/NJDemocrat/status/897147112273608705
The concept of Free Speech is the most important right we have as humanity; while I may not agree with some people's words, I will fight for their right to say those words.
And do not even come at me with "well they are a private company"; we impose all kinds of regulations on private companies when it comes to basic human rights like free speech and Free Association. For example, private companies cannot refuse service based on race, sex, age, etc.
Yet you WANT them to censor content, censor speech. You want them to apply your left authoritarian world view to legal speech, and yes, everything you have cited is LEGAL SPEECH in the USA.
If there are actual threats, True Threats as defined in US law, then the police should be involved and the people arrested. If there is defamation or other illegal speech then the courts should be involved.
It should NOT be the position of private companies to regulate speech online.
Platform Access Is A Civil Right. https://humanevents.com/2019/05/03/platform-access-is-a-civi...
https://thenextweb.com/opinion/2018/07/17/the-daily-callers-...
http://www.sfweekly.com/news/daily-caller-doxxes-the-s-f-guy...
Journalists like Robert Evans are courageous: https://www.bellingcat.com/news/americas/2019/04/28/ignore-t...
Researchers like Whitney Phillips are courageous https://www.wired.com/story/existential-crisis-plaguing-onli...
I'm just disgusted.
And because most site visits start with a Google search anyway.
And finally, because I am comfortable with their privacy statement : https://developers.google.com/speed/public-dns/privacy
The irony is one.one.one.one is marketed as a gateway to faster internet, while making CDNs that use GeoDNS slower.
All it takes is a bad route to a far away cloudflare POP to make your internet really slower. Case in point. [1]
I really don't find why no EDNS is considered private, as it only sends the IP subnet.[2] And on IPv6 the IP is far more protected.
If you care that much about privacy, you should be using a VPN.
[1] https://www.zdnet.com/article/mozilla-to-chinas-wosign-well-...
And Cloudflare is EDNS-compliant. They simply choose not to enable the optional EDNS extension released in 2016 for sending the client subnet for privacy reasons.
Here's what RFC7871 – Client Subnet in DNS Queries[1] says about itself (emphasis mine):
This document defines an EDNS0 [RFC6891] option to convey network information that is relevant to the DNS message. It will carry sufficient network information about the originator for the Authoritative Nameserver to tailor responses. It will also provide for the Authoritative Nameserver to indicate the scope of network addresses for which the tailored answer is intended. This EDNS0 option is intended for those Recursive Resolvers and Authoritative Nameservers that would benefit from the extension and not for general purpose deployment. This is completely optional and can safely be ignored by servers that choose not to implement or enable it.
As far as I know, the standard practice before this optional EDNS extension was to do GeoDNS based on the resolver's IP. This works just fine, including in the case of Cloudflare, since they've got 150+ POPs with each resolving on their own. That's higher density than most CDNs.
$ host -t a lancaster.ac.uk
lancaster.ac.uk has address 148.88.65.80
and this is with Cloudflare's:
$ host -t a lancaster.ac.uk 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases:
lancaster.ac.uk has address 148.88.65.80
Looks the same to me.
https://cloud.google.com/cdn/docs/release-notes#june_27_2016
> Free Speech is the most powerful tool Minorities and oppressed people throughout the world have to end their oppression,
So in order to protect the oppressed, we should allow their oppressors an equal platform to share their totalitarian views?
The other side (what we currently have) is equally as bad, if not worse. Right now you have a situation where the BBC in the name of "fairness" gives equal air time to a political party who only exist as a protest vote, and they allow for climate change deniers to air their views against scientists. Public debate doesn't work based on facts, it works based on emotions, and it doesn't matter how nuanced or level headed your response is, "think of the children" or "the government is trying to suppress our rights" are emotional arguments that consistently trump facts and reason. Free speech isn't a right for you to have a platform to voice your opinion, it's a right to not have your opinion be suppressed by the government.
I don't have a solution, but at some point you have to accept that tolerance of intolerance is intolerance, and when we're talking about a single incident of a platform that claims Marital Rape is ok [0], and that murdering 50 people because of their religion is "a prank" [1], they are objectively the oppressors, not the oppressed.
[0] https://dailystormer.name/some-states-want-to-prevent-husban...
[1] https://dailystormer.name/the-difference-between-a-mosque-sh...
Yes, for many reasons. One should not be celebrating Moving the Cliff of Censorship on the basis of "Dangerous Individuals" like Facebook recently did. [2]
>Free speech isn't a right for you to have a platform to voice your opinion, it's a right to not have your opinion be suppressed by the government.
100% incorrect. Free Speech is a social concept that is often codified into law, as throughout history governments are the ones that often use the power of censorship to silence dissent; however, threats by government are NOT the only threat to free speech.
Free Speech is a cultural value first, it has become a legal articulation based on that cultural value. [2] Platform Access Is A Civil Right, You should now have the same right to speak on Facebook, Twitter, and Instagram that you do in a public park.[0]
If you would not celebrate government censoring opinions you dislike, why would you celebrate corporations doing it?
>>I don't have a solution, but at some point you have to accept that tolerance of intolerance is intolerance
The US Supreme Court disagrees with you; you cannot fight intolerance by suppression. It has never worked in all of history, it only makes the extremism more extreme and violent. One can make the strong case that the more society pushes these people out of the sunlight the more violent they become, and if they were allowed the modern public square, where their ideas would be challenged, debated and debunked, there is a high probability there would be LESS violence.
Censorship does nothing but drive extremism underground, allowing it to fester, become more extreme, and then you get violence. This is also true for other forms of Censorship. Take for example the recent bills to "stop human trafficking" by censoring platforms and making them liable for it. Did it actually stop any human trafficking... No, all it did was drive it underground, making it harder for law enforcement to track and stop, while suppressing lots of legitimate speech; it had massive negative effects on voluntary sex workers, and untold other unintended consequences. This censorship was a net negative both in its stated goal, and for freedom in general. It accomplished nothing but taking the rights away from people.
Once your Nation has a "Chief Censor" [1] you know you have gone away from anything that could be considered Free Speech.
[0] https://humanevents.com/2019/05/03/platform-access-is-a-civi...
Yes. That's one of the founding principles of America. Cloudflare is a common carrier like a telco, not a hosting provider. The content on websites that use them as a CDN shouldn't be paid attention to by Cloudflare one way or another, as long as it's legal. This is their position, and it's the correct and most moral one. You also seem to be missing the fact that Cloudflare famously banned Daily Stormer; the only time they've ever banned any website: https://blog.cloudflare.com/why-we-terminated-daily-stormer/
The best way to empower extremists is by trying to stamp them out. You can never, ever win when your primary weapon is censorship. Fascism thrives and festers in darkness.
https://blog.cloudflare.com/why-we-terminated-daily-stormer/
"Earlier today, Cloudflare terminated the account of the Daily Stormer. We've stopped proxying their traffic and stopped answering DNS requests for their sites. We've taken measures to ensure that they cannot sign up for Cloudflare's services ever again."
I'll keep using non-logging, encrypted OpenNIC servers, since you seem to selectively censor instead of only blocking terrorists and cp.
[0] https://www.pewsocialtrends.org/2019/01/17/generation-z-look...
Your boss is talking about not "violating the integrity of DNS" and presents this case where upstream archive.is name servers return unexpected data. He proposes that Cloudflare cannot "just fix it" because doing so "would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service". However, Cloudflare chose to "just fix it" back then by "slapping a bandaid" on something your team saw as a problem instead of abiding by the proper change process. And Cloudflare did so not because of some critical security flaw, but as a cost-cutting measure.
Even if we limit what it means to "violate the integrity of DNS" to the first definition mentioned above (and completely ignore this second definition), Cloudflare "slapped a bandaid" on a PR problem it had a couple of years ago and decided to "just fix it" and "block a domain" by removing the domain and its assets from Cloudflare's infrastructure. [1]
Cloudflare has "violated the integrity of DNS" on more than one occasion using more than one of its own definitions.
Cloudflare "MUST" either adhere to the specification and its change process, or not adhere to the specification and its change process. Cloudflare "CANNOT" choose for both of these statements to be true, and one of them constitutes "violating the integrity of DNS".
[0] https://blog.cloudflare.com/deprecating-dns-any-meta-query-t...
[1] https://blog.cloudflare.com/why-we-terminated-daily-stormer/