zlacker

This is the reason I stopped using 1.1.1.1.

>>LeoNat+(OP)
Quad9 has a variant, 9.9.9.11 that works well with CDNs.

>>LeoNat+(OP)
A very silly one at that given their reasons for not resolving archive.is are quite rational and on the contrary makes me want to swap google's DNS servers for theirs.

>>nobody+m
What exactly do you use DNS for? If it's to subsequently make a HTTP and/or HTTPS request, then your full IP address (and not just a /24 subnet) will be leaked to the very same parties anyways.

Even if they eventually make DNS encrypted, even if encrypting TLSv1.3 SNI work properly (and both of these are pretty big ifs, BTW), the IP addresses will still leak, always, and with a much higher precision anyways. So, this we-don't-do-ECS-because-privacy is hardly a rational statement on Cloudflare's part in the end — it merely breaks the performance of their competitor CDNs without any real privacy angle.

>>nobody+m
> their reasons for not resolving archive.is

They do solve archive.is. But archive.is's DNS servers have been configured to return bogus answers to queries from Cloudflare's servers.

>>tambre+z6
Not cloudflare servers in particular. They demand EDNS(optional by design) which cloudflare does not support due to privacy risks.

>>nobody+Jm
From https://news.ycombinator.com/item?id=21155852

> Archive.is does not block all requests lacking EDNS. They specifically block requests coming from Cloudflare's datacenters.

>>cnst+S5
DNS isn't always run by the place the site is hosted and until the other 2 are implemented everyone along the lookup path can also see where you are going. Increasingly a destination IP is becoming less of a hint of what you are browsing to.

Whether you think that's enough to care about or not it's very different than the picture you painted.

>>jlokie+Hp
Wow, what a bunch of not-so-smart people.