zlacker

1. tedk-4+(OP) 2019-10-04 07:50:51
I really don't see this as a problem of Cloudflare.

End users switching to Cloudflare's DNS endpoint are doing so because they feel the DNS provider is both faster and more secure.

They rightly made the decision NOT to pass on the end user's IP information to the upstream DNS server. I agree with this decision and they are acting in my best interests in doing so. To draw some kind of nefarious intention from this is absurd.

Until Cloudflare are proven to be nefarious actors, I'll continue to use their service.

replies(3): >>varela+v4 >>oarsin+P7 >>jivetu+fT
2. varela+v4 2019-10-04 08:52:42
>>tedk-4+(OP)
That looks like uncompetitive behavior from Cloudflare, so it's their problem also. Cloudflare can send EDNS if the nameserver and the actual server are run by the same party, but they don't.
replies(1): >>zzzcpa+K8
3. oarsin+P7 2019-10-04 09:44:08
>>tedk-4+(OP)
> They rightly made the decision NOT to pass on the end user's IP information to the upstream DNS server. I agree with this decision and they are acting in my best interests in doing so. To draw some kind of nefarious intention from this is absurd.

In this instance, the upstream DNS server and the resultant HTTP server are operated by the same organisation. Cloudflare have opted to not provide the /24 (or /56 if IPv6) network that the original DNS request came from, in the DNS request. Your computer will then provide the /32 (or /128 if IPv6) that your request is coming from when you connect to the HTTP server.

What privacy win have you gained by Cloudflare not providing that information in this instance?

replies(1): >>spzb+A9
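The /24 and /56 truncation oarsin describes is the EDNS Client Subnet option (RFC 7871). As an added example, not part of this thread, the code below encodes and decodes that option so one can see exactly which bytes a forwarding resolver discloses to the upstream nameserver; a resolver that omits the option, as Cloudflare does here, discloses nothing at the DNS layer. The default prefix lengths and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct
from typing import Optional

# EDNS0 option code for Client Subnet (RFC 7871) and the ECS address families.
EDNS_CLIENT_SUBNET = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2
# Truncation the thread mentions and RFC 7871 recommends: /24 for IPv4, /56 for IPv6.
DEFAULT_PREFIX = {4: 24, 6: 56}


def ecs_option(client_ip: str, prefix_len: Optional[int] = None) -> bytes:
    """Build the EDNS0 OPTION (code, length, data) a resolver attaches to an
    upstream query. Only ceil(prefix_len / 8) address bytes are sent and bits
    beyond the prefix are zeroed; SCOPE PREFIX-LENGTH is 0 in queries."""
    addr = ipaddress.ip_address(client_ip)
    if prefix_len is None:
        prefix_len = DEFAULT_PREFIX[addr.version]
    net_cls = ipaddress.IPv4Network if addr.version == 4 else ipaddress.IPv6Network
    network = net_cls((int(addr), prefix_len), strict=False)  # masks host bits
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    n_bytes = (prefix_len + 7) // 8
    address_bytes = network.network_address.packed[:n_bytes]
    data = struct.pack("!HBB", family, prefix_len, 0) + address_bytes
    return struct.pack("!HH", EDNS_CLIENT_SUBNET, len(data)) + data


def parse_ecs_option(option: bytes) -> tuple:
    """Decode an ECS option into (disclosed network, source prefix length),
    as an authoritative server or a packet capture would see it."""
    code, length = struct.unpack("!HH", option[:4])
    if code != EDNS_CLIENT_SUBNET or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source_prefix, _scope = struct.unpack("!HBB", option[4:8])
    address = option[8:]
    width = 4 if family == FAMILY_IPV4 else 16
    if len(address) != (source_prefix + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    full = address + b"\x00" * (width - len(address))  # restore zeroed tail
    net_cls = ipaddress.IPv4Network if family == FAMILY_IPV4 else ipaddress.IPv6Network
    network = net_cls((int.from_bytes(full, "big"), source_prefix), strict=False)
    return str(network), source_prefix


if __name__ == "__main__":
    # Constructed sample clients (documentation ranges), encoded then decoded.
    for ip in ("203.0.113.77", "2001:db8:1234:5678:9abc:def0:1234:5678"):
        opt = ecs_option(ip)
        print(ip, "->", opt.hex(), "->", parse_ecs_option(opt))
```

Passing a prefix of 0 yields an option with no address bytes, which is how a client signals that it wants no subnet forwarded at all.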
4. zzzcpa+K8 2019-10-04 09:57:42
>>varela+v4
Well, yeah. This was one of the significant reasons against Cloudflare's DoH too. They want all Firefox users to use their DNS resolver and deprive competing DNS-based CDNs (most CDNs) of the ability to pick good nodes in Firefox. I've been thinking of blacklisting Cloudflare completely on all of my servers just for that. And it seems Firefox will even be able to detect that and fall back to proper DNS for such domains.
5. spzb+A9 2019-10-04 10:12:24
>>oarsin+P7
In this particular case, you're right. But as a general principle, DNS is not necessarily owned by the same organisation that hosts the website.
replies(1): >>oarsin+3c
6. oarsin+3c 2019-10-04 10:44:36
>>spzb+A9
Correct. It's also worth noting that as a general principle, the DNS server making the request on behalf of the user is hosted in the same network as the user, and not an external third party.

In this particular case, it's one CDN taking issue with another CDN only. No other DNS providers appear to be impacted.

7. jivetu+fT 2019-10-04 16:13:36
>>tedk-4+(OP)
> they feel the DNS provider is both faster and more secure.

'Feel' being the keyword. Faster, generally yes. More secure: not well defined, and users are generally wrong.

> nefarious intention

I don't believe I've heard any complaints of nefarious intent.

But let's be clear, this advantages Cloudflare over other CDNs. That they treat the DNS data very well does not mean they won't have an incident. As well, they are more of a target due to the concentration.

> Until Cloudflare are proven to be nefarious actors,

Nefarious wrt whom? For end-users taken individually, I agree: I don't see, and it's hard for me to imagine, mal-intent.

But IMHO they are bad for the Internet. I mean, more power to them and were I a leader there I'd press the same agenda, but as a 3rd party, the way I see it is that in 10 years they are going to be an anti-power much like Google is. Addiction to their services will allow them to trample over what's good for all.

What I dislike most about them is that they promote themselves as purely a force for good. Except for a few PMs and execs I'm 100% sure they believe it. But it's a disservice to never discuss the negative aspects of any of their services. And woe to anyone who does.

As for proven nefarious deeds, do you not consider "banning" sites from using CF nefarious? What if they take it to the next step now, and stop providing DNS for those sites? Given their stated reason for bans, yes it could happen. Why must you wait until they prove to be nefarious? The concentration of power per se is a bad thing.
