>>lolind+(OP)
Maybe they need it to route the traffic to the right CDN? That kinda would make sense.

While I'm very privacy conscious, I don't really see the benefit to hiding my region in the DNS request. Because the very next step after the DNS is my browser making a request to their webserver, at which time they will have my actual complete IP anyway.

>>lolind+(OP)
Previous discussions:

Tell HN: Archive.is inaccessible via Cloudflare DNS (1.1.1.1) >>19828317

- This particular discussion includes a comment from Cloudflare's CEO, referenced in the article: >>19828702

Why does 1.1.1.1 not resolve archive.is? >>21155056

- StackExchange question, on the subject

Does Cloudflare's 1.1.1.1 DNS Block Archive.is? (2019) >>28495204

- Discussion of this blog post

>>lolind+(OP)
Hmm, no clue but if i ask 1.1.1.1 for the a record for archive.is i get 89.253.237.217

asking the office DNS the same question i get 51.38.69.52, asking 9.9.9.9 it gives me the same IP as the office DNS. Finaly asking google or 8.8.8.8 i also get 51.38.69.52

So i think their record is borked.

>>wkat42+s8
This is actually addressed in the original HN comment the post links to (>>19828702 ):

> EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results.

>>lolind+(OP)
Comment from Cloudflare CEO from 2019: >>19828702

Surfacing here for people who like to read comments before clicking through to the article.

TLDR: the site owner was returning wrong DNS responses for people using Cloudflare's 1.1.1.1 DNS service because the site owner doesn't like Cloudflare.

>>7sovar+09
Supposedly Cloudflare uses a feature of DNS archive.* doesn't like, or vice versa.

Nobody cares; the reality is if you use CF DNS, shit don't work.

>>cj+J9
They still are! I recently switched to Cloudflare DNS and noticed all the archive links people post on HN stopped working.

>>bombca+S9
Im using iCloud Private Relay, and it affects me.

>>lolind+(OP)
I don't know for sure what's going on with the DNS. I know the archive.* website messes with Cloudflare's DNS results because they don't know how to set up anycast, but when I use some external tool to look up the right address and hardcode that I still get either a TLS error or "hello world".

archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion still works fine if you don't want to share your geolocation information with every DNS server in the recursive resolver chain.

>>nuker+ha
I’m using iCloud Private Relay and it works fine.

>>lolind+(OP)
Cloudflare CEO Matthew Prince answered this directly on HN: >>19828702

Most relevant piece but the whole comment is worth a read:

> Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

> The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users.

Honestly it's that type of thing (the frankness, the presence on HN, willingness to participate, the principled stand on privacy) that got me into Cloudflare products. I now generate hundreds per month in revenue for them and that will likely be thousands in the next year or two. His time/effort on HN directly led to customer acquisition and revenue.

That said I do worry about the incentives Cloudflare has to their big customers. CF is a great tool for site owners, but like any tool has the potential to be a great evil (against the user) if the principles ever wane. It's already being used by a lot of sites to make life a living hell for people behind a VPN. As a site owner I absolutely get it: practically zero of my legitimate traffic comes from VPNs (our main demographic tend to skew older and much less technical than the average consumer), but all of the automated attacks against me do. Balancing freedom and rights is hard, but I deeply appreciate the thoughtfulness and principles that CF has displayed over the years.

>>lolind+(OP)
Seems like a good reason not to be exclusive with a single DNS service.

>>wkat42+s8
eastdakota's original comment covers this. The DNS request isn't encrypted, so anyone with control over the network (upstream ISPs via warrants) can use this information to figure out who is attempting to visit. ("Someone is resolving example.com" is less information than "someone in LA is resolving example.com") Meanwhile, the actual HTTPS connection leaks less information. If the website is hosted on a CDN or cloud provider, then someone monitoring the IP traffic only knows that you're visiting something hosted by that CDN. ("The target is visiting a Cloudflare-hosted site" is less information than "The target is visiting example.com") So, there is a slight information leak by sending the geolocation information.

On the other hand, it's possible this doesn't matter. The client might not encrypt the host it's trying to visit. Nation states can correlate packet timing. So if someone really wants to know, they'll probably figure it out. (This is always a risk with things like Tor. If the government is monitoring your connection and some target website's connection, and you are sending a lot of packets at the same time they're receiving a lot of packets, you can guess who is talking to who.)

>>bombca+S9
It's not just Cloudflare, it's any DNS resolver that doesn't implement EDNS extensions. If you (or the company you work for) run a recursive resolver that doesn't submit such data, you'll run into the same issues.

I've switched to archive.org because archive.* is broken. For stuff that .org doesn't have, there's always the Tor version. The Tor address seems to be more responsive as well, so that's nice.

>>lolind+(OP)
This is obviously not Cloudflare's fault, but I wonder why they don't just mask their identity (e.g. by using a random AWS IP address) when querying archive.is?

AFAICT this wouldn't "violate the integrity of DNS and the privacy and security promises we made to our users" and would solve a big pain point of using 1.1.1.1.

>>bombca+S9
> Nobody cares; the reality is if you use CF DNS, shit don't work.

This is super misleading because it ignores the fact that archive.* goes out of their way to make CF DNS not work.

>>lol768+Q8
since your formatting is weird, here is the direct link to the stack exchange question:

https://webapps.stackexchange.com/questions/135222

>>philwe+p9
And today it’s over 250. And the only site I’m aware of that objects to us protecting user privacy by making EDNS more private is this one. ¯\_(ツ)_/¯

>>lolind+(OP)
Lately I've run into the issue that they're also blocking iCloud Private Relay. Although for some reason the block is only affecting me over IPv6, if I disable v6 it works, which led me to waste a bunch of time debugging. The seemingly anti-privacy blocks by archive and the fact that nobody knows who funds this extremely popular service has led me down conspiratorial thought patterns.

>>wkat42+s8
I've talked to some people working for the .nl TLD. They collect logs on DNS requests for every .nl domain to mine data about phishing websites and online scams. They're not using the EDNS information as far as I know (that would be very very illegal) and I don't know what the introduction of the GDPR has done to their research, but TLDs not limited by privacy laws such as American companies can do whatever they want.

It's not just the website's DNS server that received your subnet information; it's every single location in the chain of DNS resolvers. That includes TLD servers run by data mining companies. Does Verisign need to know that 2001:2345:6789::abcd is looking for news.ycombinator.com?

With caching in place these methods of data gathering aren't all-encompassing, but if you visit some new or uncommon domains you'll be more likely to become part of the dataset.

>>freedo+Ka
In this particular case we truncate EDNS to protect the privacy of users because we believe 1) privacy is a fundamental human right; and 2) the original sin of the Internet is that IP addresses are too closely tied to the identities of individuals and services. Truncating EDNS is trying to honor #1 and overcome #2. So is our work on protocols like Oblivious DNS. This work, frankly, upsets some of our customers or potential customers (like Archive.is). But it’s the right thing to do for the long term health of the Internet.

>>diogoc+Db
I'm not affiliated with CF at all, but if I were I would oppose that idea on a couple levels.

Philosophically I think that lacks respect for the site owner and it would be wrong to deceive them and go against their wishes.

Pragmatically that sounds like a giant maintenance pain in the ass to manage, and not worth the time/money to make somebody's site work who actively doesn't want it to work.

>>philwe+p9
Yeah but if the site standardized on EDNS to get this information, it's rather difficult to do something different just for Cloudflare.

>>lolind+(OP)
Intransigent maintainers are such an irritating problem. Any time a maintainer has some strongly-held beliefs or goals that supersede their desire to serve users, you've got a ticking time bomb. When the two clash, they'll decline to serve users in order to serve their strongly-held belief instead. We see it time and time again.

>>diogoc+Db
We’ve tried. The owner of Archive.is actively monitors and then returns bad results. This is true even if we recurse through another recursor. It’s a very odd hill to die on.

>>hk1337+Pa
I don't think this will help. It still returns an IP, it's just wrong. Setting a second DNS won't help if the first one returns a response.

>>lolind+(OP)
Cloudflare is also hurting peering and ggc to Google on my ISP.

When I use google dns, opendns or even my isp's own dns, the ip I get for example, googlevideo.com resolves to my isp's cache. But with cloudflare it gives my a google ip and I get no cache benefits.

Also, anecdotal evidence, uploading and downloading large files to Google Drive and some other websites is significantly faster when I use google dns or opendns. I'm not sure how that works, but maybe the server's returning an ip my isp can't route to in a fast way? My isp is notorious for having bad routes.

>>almost+Fa
I use iCloud Private Relay and it only affects me over IPv6. Disabling either private relay or ipv6 "fixes" it

>>eastda+Id
I think I'm missing something, but is there a way you can pass along some some sort of vague location info for caching purposes without revealing too much? From their tweet they mentioned even continent level information isn't available, which I can understand. Is there really no middle ground that works here?

>>eastda+Wc
More of a meta comment, but thank you for your willingess to upset some customers and potential customers. Having and standing by principles can be damn inconvenient at times, but the world is a much better place because of it.

>>lolind+(OP)
(2019)

Did this need to be posted again when it was discussed and answered already?

>>eastda+Wc
Sure, we’re to believe that, given that you’re trying to lock out Linux users[1] (which still isn't resolved yet) and pushing for device attestation[2] to lock out rooted devices at the same time.

[1] >>36197401

[2] https://www.ietf.org/archive/id/draft-private-access-tokens-...

>>lolind+(OP)
I talked to the maintainer of archive.is years ago, they said this (hopefully they won't mind me posting):

> There have been numerous attacks where people upload illegal content (childporn or isis propaganda) and immediately reported to the authorities near the IP of the archive. It resulted in ceased servers and downtimes. I just have no time to react. So I developed sort of CDN, with the only difference: DNS server returns not the closest IP to the request origin but the closest IP abroad, so any takedown procedure would require bureaucratic procedures so I am getting notified notified and have time to react.

> But CloudFlare DNS disrupts the scheme together with all other DNS-based CDNs Cloudflare is competing with and puts the archive existence on risk. I offered them to proxy those CloudFlare DNS's users via their CDN but they rejected. Registering my own autonomous system just to fix the issue with CloudFlare DNS is too expensive for me.

When I proposed using the DNS server's IP instead, they said:

> It did not work initially because they have global planetwide cache.

> 1. Someone resolves domain from Brazil.

> 2. Website's DNS get request from Cloudflare Brazil DC.

> 3. The result is replicated to other Cloudflare DCs

> 4. Some from Turkey resolves same domain and get the cached value

> It could be worked around by setting tiny TTL, which would slowly end up in consistent results, but... After "I’ve proposed we just fix it on our end .." all requests for 7 archive.* domains are sent from Symantec USA IP

>>kalleb+4c
Cloudflare is one of the operators of egress nodes for iCloud Private Relay, along with Akamai and Fastly and maybe some others (IIRC). So you probably have issues with Archive.is when you're connected through Cloudflare. Although I'm not sure how DNS resolution works on private relay (since it's the DNS server rather than the egress proxy that causes the issue - but if the egress proxy is making the DNS requests then that would explain it).

>>almost+Fa
iCloud Private Relay uses a variety of third parties for their network connectivity. If it's working fine, you might be going out via Fastly or someone else. The person who it's not working for is likely getting Cloudflare.

With iCloud Private Relay, it sometimes works for me and sometimes doesn't depending on which CDN's system I'm using at the time.

>>wkat42+ld
edns-client-subnet only provides an IP address; the receiving CDN still needs to geolocate it.

So the main difference is that Cloudflare's servers need to be present in the IP geolocation database. Given their prevalence, they're probably in most of them already.

>>lolind+(OP)
I'm using 1.1.1.1 and I can go to archive.is – is this still relevant?

>>eastda+Id
That's as annoying as it is impressive.

>>supriy+Ne
Your link for [1] shows that CF responsed, confirmed the bug and that they fixed it. If that’s not actually the case have you tried engaging with them again? They seemed very responsive the first time.

>>lolind+(OP)
Tangentially, various network providers (eg. some mobile networks) block access to some archive sites (particularly the Internet Archive as it's the most well known one) on the basis of them containing adult/pirated content.

>>lolind+(OP)
While archive.is' reaction is questionable (and even then, its their own server and can do whatever they want with it) this blog post is throughout Cloudflare advertising. The CEO used the scenario to their advantage very cleverly, but this blog post could describe all of that without constantly reminding how wonderful CF is.

>>stavro+if
This makes a lot of sense, and this comment should be higher.

The other comments that only present the Cloudflare side of the situation make it sound like the archive.is owner was being unreasonable, but as we see there is more to it!

I personally tried to use 1.1.1.1 as my resolver a couple of years ago but I use archive.is a lot.

Regardless of who is “at fault”, not being able to access archive.is is a dealbreaker for me so I quickly stopped using 1.1.1.1

But Cloudflare has a lot of other things that work well for me.

>>supriy+Ne
I have huge problems with Cloudflare, but this comment is dishonest.

[1] "Hello, Benedikt from Cloudflare and the Turnstile Team here. Thanks you so much for the report. We looked into this report and identified that there was some false positive and cleared the signal. We have investigated this report and the issue should be fixed. Please reach out to me benedikt@cloudflare.com or at our Cloudflare Turnstile Discord, if you are still encountering problems."

[2]

> Servers commonly use passive and persistent identifiers associated with clients, such as IP addresses or device identifiers, for enforcing access and usage policies. For example, a server might limit the amount of content an IP address can access over a given time period (referred to as a "metered paywall"), or a server might rate-limit access from an IP address to prevent fraud and abuse. Servers also commonly use the client's IP address as a strong indicator of the client's geographic location to limit access to services or content to a specific geographic area (referred to as "geofencing").

> However, passive and persistent client identifiers can be used by any entity that has access to it without the client's express consent. A server can use a client's IP address or its device identifier to track client activity. A client's IP address, and therefore its location, is visible to all entities on the path between the client and the server. These entities can trivially track a client, its location, and servers that the client visits.

> A client that wishes to keep its IP address private can hide its IP address using a proxy service or a VPN. However, doing so severely limits the client's ability to access services and content, since servers might not be able to enforce their policies without a stable and unique client identifier.

> This document describes an architecture for Private Access Tokens (PATs), using RSA Blind Signatures as defined in [BLINDSIG], as an explicit replacement for these passive client identifiers. These tokens are privately issued to clients upon request and then redeemed by servers in such a way that the issuance and redemption events for a given token are unlinkable.

>>TechBr+xf
Ah that would explain it!

>>datafl+ne
From another post the CEO made it sounds like they could do a bunch of things but don’t think they should. Which I understand. Once you start adding workarounds for specific domains I can imagine the whole thing spiralling quickly. The owner of archive.is doesn’t want the traffic, CF probably shouldn’t move heaven and earth in response.

>>eastda+Id
Have you guys considered just having the resolver not return anything? Such that my system would fallback to another resolver (such as Google or Quad9) and I wouldn't have issues accessing the site?

I guess that still has the privacy implications.. but at least it would work!

>>waithu+Rg
Or, they could do it while constantly reminding people how wonderful Cloudflare is, just because they want to. I'm not sure why supposed to be wrong to honestly advertise.

>>datafl+ne
Continent-level information doesn't exist. EDNS Client Subnet doesn't send a location, it sends a subnet. Its "location" then has to be looked up in geolocation databases which may or may not be accurate. There's no subnet that will map to a continent.

>>afavou+xg
CF (like many other companies) are responsive only when the complaint is posted on HN. Regardless, the issue wasn't solved, it came back within a few hours.

I've tried raising this issue on their forum, where I've failed to get the attention of the engineering teams, and while posting the ray ID should be sufficient, all you'd really get is clueless, unpaid volunteers asking you questions in circles like "what website do you see this on" (everywhere), "are you using adblock" (no, and Adblock has never blocked their Turnstile scripts) and "what's your user agent?" (the default Chromium one).

If I had to hazard a guess, it's their bot management script seeing "Linux" in the user agent and detecting missing video codecs (which is par for the course for standard Chromium builds), and thinking it's a headless browser. Between the the fact that differences between the JS runtime of Chromium and Chromium headless are very small these days, and the ClientHello permutation has destroyed bot management vendors' ability to distinguish different browser builds, they decided blocking all Linux users using Chromium was fair enough.

>>supriy+Pi
Are you sure this is a widespread, universal bug? Are you sure all Linux Chromium users are affected?

I get that it's a frustrating situation but you're viewing CF in the worst possible light ("trying to lock out Linux users" assumes an intent not on display) and I think it's counterproductive to success.

>>joseph+Fb
Doesn't really change anything for the end-user that wants to access the website and is bummed that it doesn't work. There might be politics in the way but all they care is that it doesn't work.

>>afavou+Sh
I don't see what I proposed as a domain specific workaround, it should be done for all domains I think.

>>ChrisA+Ee
For me it worked for a while, and has broken again earlier this year.

>>lolind+(OP)
I switched to https://controld.com/free-dns

Can also do DNS adblock! :)

>>freedo+Ka
This is honestly such a tone-deaf answer. At the end of the day, users don't care about the purity of adherence to some far-down technical principles or details. As a product leader, you should task your team to solve real user problems and not spend literal years arguing about EDNS.

Truly, just imagine the user story:

"I can't access this website."

"No worries! That is by design, because the protocol response returned to CF is illegal, and the server simply propagates the error back to you. It would be impure for CF to modify the response in-flight to fix this for you."

"?? I do not care. I am talking to CF, why can't CF just fix the issue?"

>>lolind+(OP)
If you're using a Pi-hole for your DNS (or anything else using dnsmasq I suppose), I worked around the issue by creating /etc/dnsmasq.d/02-archive.is.conf (with a Docker bind mount in my case) with the following content:

    server=/archive.today/8.8.8.8
    server=/archive.today/8.8.4.4
    server=/archive.ph/8.8.8.8
    server=/archive.ph/8.8.4.4
    server=/archive.is/8.8.8.8
    server=/archive.is/8.8.4.4
    server=/archive.li/8.8.8.8
    server=/archive.li/8.8.4.4
    server=/archive.vn/8.8.8.8
    server=/archive.vn/8.8.4.4
    server=/archive.fo/8.8.8.8
    server=/archive.fo/8.8.4.4
    server=/archive.md/8.8.8.8
    server=/archive.md/8.8.4.4
    server=/archive.to/8.8.8.8
    server=/archive.to/8.8.4.4

This way you use 1.1.1.1 for everything, except the domains listed above where it uses Google DNS instead.

>>lolind+(OP)
I am in India, using 1.1.1.1 over DoT and it appears to be working okay.

I am served IP addresses with relatively short TTLs (1-5minutes) that are in Moscow and North Holland.

>>cj+J9
And the reason they do that is quite reasonable. CF is just being a pain

>>eastda+Lb
"Protecting user privacy", from the largest MITM attackers on the internet, is laughable.

>>lopken+1m
As creators, it’s our job to care about these things for the benefit of users BECAUSE they’re laypeople.

>>eastda+Wc
I use Quad9 because of this reason. CF will also misdirect Exchange Online connections which can significantly impact client performance.

It would be great if CF offered a choice, like Quad9.

>>Fabric+5i
The whole point is that they don't want to break any core DNS functionality with a band aid fix just because one website doesn't like it.

>>pessim+ki
Many people think any form of advertising is evil. Though incorrect, it's perhaps a predictable reaction to the pervasive and genuinely morally bankrupt advertising we're inundated with on a regular basis.

>>lolind+(OP)
If Archive.is doesn't want to respond to valid DNS requests then I don't see a reason to use or support them.

>>pessim+Yg
Please see [1] regarding the concerns around attestations and PAT and [2] for what has happened outside HN, which a simple reading of that thread wouldn't otherwise suggest.

[1] >>36972051

[2] >>36971869

>>cj+J9
> the site owner was returning wrong DNS responses for people using Cloudflare's 1.1.1.1 DNS service because the site owner doesn't like Cloudflare.

Or you can try to not imagine everyone as hating everything and read the other comment in here posting the archive.* side of the story.

> There have been numerous attacks where people upload illegal content (childporn or isis propaganda) and immediately reported to the authorities near the IP of the archive. It resulted in ceased servers and downtimes. I just have no time to react. So I developed sort of CDN, with the only difference: DNS server returns not the closest IP to the request origin but the closest IP abroad, so any takedown procedure would require bureaucratic procedures so I am getting notified notified and have time to react.

> But CloudFlare DNS disrupts the scheme together with all other DNS-based CDNs Cloudflare is competing with and puts the archive existence on risk. I offered them to proxy those CloudFlare DNS's users via their CDN but they rejected. Registering my own autonomous system just to fix the issue with CloudFlare DNS is too expensive for me.

>>afavou+7j
I am exclusively a Linux user and have multiple machines/distros/etc and can test. Can you post a link that loading will demonstrate the issue?

>>joseph+Fb
> goes out of their way to make CF DNS not work.

No, they go out of their way to make a system that can handle people trying to abuse it. Cloudflare doesn't like that system and refuses to help them.

> There have been numerous attacks where people upload illegal content (childporn or isis propaganda) and immediately reported to the authorities near the IP of the archive. It resulted in ceased servers and downtimes. I just have no time to react. So I developed sort of CDN, with the only difference: DNS server returns not the closest IP to the request origin but the closest IP abroad, so any takedown procedure would require bureaucratic procedures so I am getting notified notified and have time to react.

> But CloudFlare DNS disrupts the scheme together with all other DNS-based CDNs Cloudflare is competing with and puts the archive existence on risk. I offered them to proxy those CloudFlare DNS's users via their CDN but they rejected. Registering my own autonomous system just to fix the issue with CloudFlare DNS is too expensive for me.

>>Goz3rr+mm
And you leak your location, don't you?

>>xnyant+Ji
Network blocks are issued by regional registries: https://upload.wikimedia.org/wikipedia/commons/9/95/Regional...

>>supriy+Pi
Pretty sure you are wrong - I run Linux on both my desktop and laptops; and moreover everyone in our engineering team runs Linux as main OS as well. We haven't seen any Cloudfare-specific problems.

(I have no doubt ypu are seeing the problem on your PC; but generalizing a single point to all Linux users just screams "technical incompetence" and makes me want to ignorw the post)

>>croes+Gw
as does your IP. Where is the win?

>>mikeco+Vm
> from the largest MITM attackers

If that were true, there's a lot of really stupid people throwing away their money by paying CF to hack them.

>>eastda+Lb
Right, the site full of nerds who think archive.is and co. is a cool toy. Dilemma! ;)

>>eastda+Wc
> This work, frankly, upsets some of our customers or potential customers (like Archive.is).

That's a bit unfair, don't you think?

From what I remember of the saga, the original reason for Archive.is's block is that they run their own CDN, and by not knowing the location of the user, they can't determine the closest server to respond with.

edit: found source https://twitter.com/archiveis/status/1018691421182791680

So the alternative viewpoint is, that Cloudflare is being anti-competitive by technically preventing other CDN providers from working.

Disclosure: I'm a happy Cloudflare user, but all in all I think Archive.is service is far more fundamental for the internet (especially as it's 100% free!). So I would really appreciate if you could figure out a way of working together. Until then, 8.8.8.8 it is!

>>freedo+Ka
Cloudflare banned 8chan without a legal requirement to do so. They banned it based on moral reasons.

>>lolind+(OP)
Any alternatives which support DoH, DoT, DoQ and do not think they need to reinvent (E)DNS ?

Google works but I want to keep a little distance from them. Also no big fan of Quad9. So what else to use and which is distributed World Wide?

>>croes+Gw
... less than when you connect to the archive.is servers for http requests

>>lolind+(OP)
One way you can get around this and still use 1.1.1.1 for most sites would be to use a local recursive resolver that supports domain name-based upstream overrides such as dnsmasq, and setting that as your local resolver.

You can run dnsmasq on anything that can run arbitrary services e.g. on your local workstation, or on your router if it is open enough, or even on something like Termux probably.

>>supriy+Pi
You don't have to "hazard a guess", one of their engineers gave you their email address in that other thread. They also invited you to their discord. Have you tried talking to someone directly at the source?

>>tomp+9B
> they run their own CDN, and by not knowing the location of the user, they can't determine the closest server to respond with.

I feel like the more reasonable answer here is to just let the user take the latency hit. Surely requests being somewhat slower is preferable to requests being outright bitbucketed, right?

>>bombca+S9
> Supposedly Cloudflare uses a feature of DNS archive.* doesn't like, or vice versa.

From what I understand, it's the opposite: Cloudflare doesn't use a relatively new feature of DNS (EDNS Client Subnet), and that site doesn't like the lack of that feature.

>>yellow+eD
Right but then working slow looks like archive.is issue but is ultimately caused by cloudflare.

CF is bascically saying "we can know your IP but not the site you are trying to resolve" (that will know your IP anyway once you navigate there).

>>eastda+Wc
User will navigate to the site and show their own IP anyway. You achieved basically zero increase in privacy while making any competitor have problems with any of their users that use 1.1.1.1

And any malicious client that tries to leak data via DNS can just ask for DNS record like my-ip-is-7.8.9.0.example.com and completely go around that privacy "enhancement".

Sorry but the "privacy" here looks like smokescreen to stifle competition.

>>7sovar+09
I get the same result when I query 1.1.1.1 or 1.0.0.1 for archive.is:

    ┌
    └─(12:32:59)──> nslookup archive.is 1.1.1.1 
                                            
    Server:  1.1.1.1
    Address: 1.1.1.1#53

    Non-authoritative answer:
    Name: archive.is
    Address: 89.253.237.217

    ┌
    └─(12:38:12)──> nslookup archive.is 1.0.0.1
                                            
    Server:  1.0.0.1
    Address: 1.0.0.1#53

    Non-authoritative answer:
    Name: archive.is
    Address: 89.253.237.217

Wonder why that is happening...

>>freedo+te
It's entirely smokescreen. Yes your DNS doesn't "leak" your IP... but server will immediately get the IP of the client on first try of connecting it.

>>eastda+Wc
So Stavros [1] indicates that archive.is needs that EDNS data to protect themselves against CSAM/ISIS material based attacks, and they suggested solutions but CF refused to cooperate. Is this true?

[1] >>36971650

>>croes+Gw
Do you know how DNS works ?

You as for a record, you get answer. You ask for IP adddress of archive.today, you get that IP

Then you connect to that IP

If your DNS doesn't leak client IP, the browser connecting to server IP will leak it.

It's entirely irrelevant protection that does nothing but makes competing on cdn harder.

>>Goz3rr+mm
Or you could just not use 1.1.1.1. There are other players in this space, and unless you are querying DNS but not connecting to the server to get content, the server is going to know your ip.

>>jrockw+Sa
> If the website is hosted on a CDN or cloud provider, then someone monitoring the IP traffic only knows that you're visiting something hosted by that CDN.

This isn't true, because the request leaks the hostname in the handshake via SNI:

https://en.wikipedia.org/wiki/Server_Name_Indication

>>croes+Gw
As you do when you connect to any website ?

>>lolind+(OP)
Strangely, I get a Russian IP address for an answer when I query 1.1.1.1 for archive.is:

    ┌─(~/Projects/malware/triangulation)(ruby-2.5.0)────────────────────────────────────────────────────────────────────(c@c:s001)─┐
    └─(12:32:59)──> nslookup archive.is 1.1.1.1                                                                          ──(Wed,Aug02)─┘
    Server:        1.1.1.1
    Address:    1.1.1.1#53

    Non-authoritative answer:
    Name:    archive.is
    Address: 89.253.237.217

    ┌─(~/Projects/malware/triangulation)(ruby-2.5.0)────────────────────────────────────────────────────────────────────(c@c:s001)─┐
    └─(12:38:12)──> nslookup archive.is 1.0.0.1                                                                          ──(Wed,Aug02)─┘
    Server:        1.0.0.1
    Address:    1.0.0.1#53

    Non-authoritative answer:
    Name:    archive.is
    Address: 89.253.237.217

    ┌─(~/Projects/malware/triangulation)(ruby-2.5.0)────────────────────────────────────────────────────────────────────(c@c:s001)─┐
    └─(12:38:14)──> whois 89.253.237.217                                                                                 ──(Wed,Aug02)─┘
    % IANA WHOIS server
    % for more information on IANA, visit http://www.iana.org
    % This query returned 1 object

    refer:        whois.ripe.net

    inetnum:      89.0.0.0 - 89.255.255.255
    organisation: RIPE NCC
    status:       ALLOCATED

    whois:        whois.ripe.net

    changed:      2005-06
    source:       IANA

    # whois.ripe.net

    inetnum:        89.253.232.0 - 89.253.239.255
    org:            ORG-RL31-RIPE
    netname:        RU-RUSONYX-NET6
    descr:          Network for Rusonyx infrastructure
    country:        RU
    mnt-lower:      MNT-RUSONYX
    mnt-routes:     MNT-RUSONYX
    admin-c:        VZ1716-RIPE
    admin-c:        VZ1717-RIPE
    tech-c:         VZ1716-RIPE
    status:         ASSIGNED PA
    mnt-by:         MNT-RUSONYX
    created:        2018-10-10T09:53:33Z
    last-modified:  2018-10-16T12:37:40Z
    source:         RIPE # Filtered

    organisation:   ORG-RL31-RIPE
    org-name:       Rusonyx, Ltd.
    country:        RU
    org-type:       LIR
    address:        5th st. Yamskogo Polya, 9, office 19
    address:        125040
    address:        Moscow
    address:        RUSSIAN FEDERATION
    phone:          +74951370701
    fax-no:         +74951370701
    mnt-ref:        RIPE-NCC-HM-MNT
    mnt-ref:        MNT-RUSONYX
    mnt-by:         RIPE-NCC-HM-MNT
    mnt-by:         MNT-RUSONYX
    abuse-c:        AD11015-RIPE
    created:        2006-08-18T09:59:51Z
    last-modified:  2022-10-06T11:18:08Z
    source:         RIPE # Filtered

    person:         Viktor Zverkov
    address:        P.O. Box 19
    address:        127137, Moscow, Russia
    address:        Rusonyx ltd.
    phone:          +7 495 5089959
    nic-hdl:        VZ1716-RIPE
    mnt-by:         MNT-RUSONYX
    created:        2017-09-20T11:29:16Z
    last-modified:  2022-07-05T14:00:10Z
    source:         RIPE

    person:         Viktor Zaytsev
    address:        P.O. Box 19 , Russia
    address:        127137, Moscow
    address:        Rusonyx ltd.
    phone:          +7 495 5089959
    nic-hdl:        VZ1717-RIPE
    mnt-by:         MNT-RUSONYX
    mnt-by:         AM65535-MNT
    created:        2017-09-20T11:54:54Z
    last-modified:  2018-08-02T17:21:31Z
    source:         RIPE

    % Information related to '89.253.232.0/21AS41535'

    route:          89.253.232.0/21
    descr:          RUSONYX-RU
    origin:         AS41535
    mnt-by:         MNT-RUSONYX
    created:        2017-11-24T09:34:37Z
    last-modified:  2017-11-24T09:34:37Z
    source:         RIPE

    % This query was served by the RIPE Database Query Service version 1.107 (DEXTER)

Not sure why this would be happening (looks like at least one other person in the thread is seeing same result).

>>adql+UG
I was willing to give CF the benefit of the doubt, until other posters (and you) pointed out that this is a red herring. Also given Stavros' note [1] on how archive.is needs the EDNS data to protect themselves from CSAM/ISIS material based attacks and that they suggested solutions but CF refused to cooperate, I'm unsure of the motives behind these posters claiming CF is protecting privacy. Matthew Prince's motives in his truth-but-not-full-truth response are obvious.

[1] >>36971650

>>electr+yd
This case might not be one of an intransigent maintainers. Check out Stavros' note [1]

>>36971650

>>nullin+qq
misdirect? What's happening with them?

>>flutas+Iv
Isn't the Internet full of major websites that need to be able to handle that kind of abuse? If what archive.* did were really necessary to do so, then why haven't any other websites needed to do the same thing?

>>adql+fG
But the DNS won't. Many times the DNS and Webserver are different hosts. Eg: DNS in Route53 and Webserver in Linode

>>jeroen+Qc
>Does Verisign need to know that 2001:2345:6789::abcd is looking for news.ycombinator.com?

Verizon wouldn't know that even with ECS, because ECS only needs to include the subnet prefix of the length that the client (Cloudflare's recursive resolver in this case) is willing to give out. There is no benefit and only harm to the client if it gives out the whole IP, and indeed it is called out as a bad idea in the ECS RFC.

>>eastda+Wc
> In this particular case we truncate EDNS to protect the privacy of users

In other words, you want the data, but prevent others from seeing your advantage?

This is what archive.is is doing, and you stomp your collective feet at.

> because we believe 1) privacy is a fundamental human right; and 2) the original sin of the Internet is that IP addresses are too closely tied to the identities of individuals and services.

If you cared about that, you wouldn't either block Tor or send us through captcha-hell just to pull a single webpage.

> Truncating EDNS is trying to honor #1 and overcome #2. So is our work on protocols like Oblivious DNS. This work, frankly, upsets some of our customers or potential customers (like Archive.is). But it’s the right thing to do for the long term health of the Internet.

'Upsets'? Wow. Talk about a "Rules for thee but not for me."

>>rovr13+3K
Exchange Online determines the closest EXO front door by the location of resolver. Other M365 services do not use this method, it is an artifact from Exchange Server.

EDIT: This is outlined in [0], although it doesn't go into the depth I wish it did.

> By providing local Internet egress and by configuring internal DNS servers to provide local name resolution for Microsoft 365 endpoints, network traffic destined for Microsoft 365 can connect to Microsoft 365 front end servers as close as possible to the user.

[0] https://learn.microsoft.com/microsoft-365/enterprise/microso...

>>supriy+Pi
Had a one-time quick experience with cloudflare through the chat.

For an issue that pointed to cloudflare, but ultimately was our hoster having an issue with completing the TLS handshake...

After infra update ofc.

Tldr: had the opposite experience, for a technical issue :)

>>freedo+te
> thank you for your willingess to upset some customers and potential customers

Or, thank you for wasting your customers time attempting to figure out why one or more sites aren't responding appropriately on your network while they work on other networks.

Not everyone is clued into EDNS or why archive.is doesn't function with CF.

CF is wasting everyone's time.

>>cortes+4I
Encrypted SNI has been in the works for a long time: https://www.cloudflare.com/en-gb/learning/ssl/what-is-encryp...

>>freedo+Ka
> Cloudflare CEO Matthew Prince answered this directly on HN: >>19828702

Archive.is' explanation is quoted in a comment below:

* >>36971650

>>adql+PF
The concern isn't that the website will know the IP, it's that every single entity on the network between Cloudflare and the authoritative DNS server (most or all of which will not be operated by the website) will know it.

It still may not be the right decision, but it's important to frame the trade-off correctly.

>>electr+yd
Are you talking about Archive.is or Cloudflare?

Answer: "Yes."

>>joseph+xK
>Isn't the Internet full of major websites that need to be able to handle that kind of abuse?

I don't know; since their whole reason for being is to act as (a temporary?) archive of websites that would make them more vulnerable to these attacks than someone like ebay I'd think?

>>nullin+PN
I mean, it's archive.is that is intentionally serving an incorrect DNS record (pointing back at Cloudflare's IPs) when it gets a DNS query that every other resolver handles just fine. They may have legitimate grievances with the info being dropped, but in the end they're the ones breaking their own traffic.

>>freedo+vv
https://app.ahrefs.com/user/forgot-password is the link that was used in the "Tell HN" they posted last time.

Works for me on Linux in Firefox and Chromium.

>>freedo+Ka
Cloudflare is in the wrong here. They want to "protect" people from their own ISPs, from nefarious web and DNS servers that'll "sacrifice the privacy of users" by - you guessed it - doing exactly the same thing themselves. They've given very little reason to trust them, while giving plenty of reasons to think they might be evil (like protecting known spammers / scammers / phishers).

If another company did what Cloudflare does and homogenized tons of requests behind them, you can bet Cloudflare's CAPTCHA systems would block them in a second.

I have zero respect for Cloudflare's inability to answer criticisms about what they do, about their constant deflections from simple, straightforward questions, and the fact that they do to others what they would never accept anyone else doing to them. It's hypocrisy in the service of trying to become a monopoly by re-centralizing the Internet.

Don't believe me? Go ahead and look for examples of Matthew Prince addressing concerns that much of the non-western world can't access Cloudflare fronted sites because of Cloudflare's "reasons". When you don't find any that have more than just vague platitudes and handwaving, imagine how you'd feel if you were one of those multiple billion people.

>>lolind+(OP)
Oh is that why archive.is links on HN will fail for me sometimes?

>>rnd0+QR
But archive.org provides the same service as them, and it doesn't need to do that.

>>johnkl+oS
EDNS is OPTIONAL. archive.is is objectively in the wrong here.

>>ninjag+OI
I'm still giving cf the benefit of the doubt, but I need more research.

I always found the funding of archive.is unknown. Who is behind it and why do they want this info. Why and how they can provide this for free is a big unknown to me.

I'm giving cf the benefit of the doubt against archive. At least I know cloudflare and this would be the first "doubt-moment"...

It's weird that others don't have this issue that much, I would have thought that CDN's would scream from everywhere for years already, if archive.is his statement is "complete".

Edit: cloudflare does not seem to block what's needed though.

>>19828702

> EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results.

>>tick_t+dT
EDNS is in part how using one IP address across the world can work without tons of latency for everyone who isn't geographically local. In other words, 1.1.1.1 would be a lot shittier, and the DNS answers they provide would be much less geographically appropriate, if they didn't make use of information about the source of a query.

In other words, Cloudflare expects us to think they're so special that they should get to do what they explicitly don't want others doing.

It's bullshit, particularly for all the people who are victims of Cloudflare's manipulations such as the default use of Cloudflare DNS servers for DNS-over-https on Firefox, which users were never asked about before it was enabled for them (at least in the US).

>>adql+UG
>If your DNS doesn't leak client IP, the browser connecting to server IP will leak it.

The issue isn't leaking your IP to archive.today. It's leaking your IP to any other dns servers along the way

Do you know how recursive DNS works?

>>lolind+(OP)
Nextdns: How we made DNS both fast and private with ECS[0]

Cloudflare sends the closest city from where the request was made which ought to be sufficient to optimize for a cdn I guess? Appears that archive.is doesn't have a locus standii in this debate...

> EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results.

0. https://medium.com/nextdns/how-we-made-dns-both-fast-and-pri...

>>ploxil+mC
It's like a cab driver being overly concerned that when I arrive at my destination, they will be able to know who I am just by looking at me.

"Yea.. thanks dude. Just.. drive the car, will ya?"

>>croes+Gw
In addition to what others mentioned, typically EDNS0 edns-client-subnet is truncated before forwarding.

For example in unbound the defaults, when EDNS0 is enabled (disabled by default), are:

  max-client-subnet-ipv6: 56
  max-client-subnet-ipv4: 24

Forwarding can also be conditionally enabled for specific clients, upstream servers, specific zones, etc.

ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound...

>>tick_t+dT
"You ask me for an IP address, but you don't ask me with respect".

Respect is optional too. But it is important.

>>lolind+(OP)
Seems like this is no longer relevant. I just tried a DNS lookup via Cloudflare and I got 89.253.237.217.

>>8chanA+X21
I'm seeing that now too. It might have changed in the last 4 hours, or maybe the behavior is cyclical for some reason. I posted this article after running into it repeatedly over the last few weeks since switching to Cloudflare DNS.

I wonder if one party or the other actually made a change in response to this hitting the front page again?

>>supriy+Ne
There’s a fair argument to make against device attention, but casting the exclusion of rooted devices as the goal of the policy rather than a side effect is a bit disingenuous.

>>eastda+Wc
Have you thought about spoofing the EDNS to (a less truncated version of) the nearest Cloudflare edge node's IP? This would be no more of a privacy leak than traffic from your edge to origin servers, while providing generally enough geographic information to keep latency low on the source. This is at the very least compliant with the spirit of the RFC, no?

EDIT: another comment, though somewhat hearsay, suggests that Cloudflare's caching could make this difficult to implement: >>36971650

>>supriy+Ne
> given that you’re trying to lock out Linux users

I had that issue with cloudflare bot captcha when trying to access a web novel website. It would infinitely loop into the "please click the checkmark to confirm you're human" thingamagic.

Initially I thought it was because I was a linux user, but I tried to browse the same website on Google Chrome and the issue went away. They were not discriminating against linux, but against Firefox, which is just as bad, if not worse.

I tried everything on FF: deleting all cookies/storage/history, disabling addons etc. It would still do this on a pristine FF. Ultimately, I admit, not being able to access websites did manage to encourage me to uninstall FF, despite it not being FF's fault, I'm tired of dealing with this kind of cr*p.

>>eastda+Wc
This, and Warp's insistence on passing my origin IP to my destinations, are two things I wish I could customize when using Cloudflare. Before going corporate OpenDNS had something similar, and you could even set up custom behaviors per origin IP (for home and work), which I miss. These are good defaults, but I wish to change the defaults while also allowing particular domains to get my full EDNS info, like particular CDNs.

While I'm here, I'd also like to layer Zero Trust and Warp+ so I can toggle my internal network while staying on Warp+.

Also, the separation in Zero Trust and tunnels between routed DNS names and private IPs is very confusing. Why do I need both?

Custom DNS entries for Zero Trust DNS would be nice, so I could point internal domains to the external routing without having to have public DNS, or even have the domains match.

>>lolind+l41
The behaviour is cyclical. It has been for years, really. It starts resolving every now and then, but rarely for long and I doubt this time is any different.

I don't think archive.is blocks CF based on their IPs, so they must have some heuristic in place to defect bogus EDNS. Perhaps sometimes that heuristics fails?

>>msravi+UX
>Cloudflare sends the closest city from where the request was made which ought to be sufficient to optimize for a cdn I guess? Appears that archive.is doesn't have a locus standii in this debate...

>>36973056

>>all requests for 7 archive.* domains are sent from Symantec USA IP

It might be that the archive.is only lies to that IP, which would explain why many users in this thread say that archive.is does resolve correctly for them with 1.1.1.1

>>adql+4F
> Right but then working slow looks like archive.is issue but is ultimately caused by cloudflare.

Whereas not loading at all looks like archive.is issue but is ultimately caused by archive.is.

> CF is bascically saying "we can know your IP but not the site you are trying to resolve" (that will know your IP anyway once you navigate there).

Not necessarily. For example, the DNS query could go straight to CF while the eventual request to archive.is goes through a proxy or VPN.

>>lolind+0S
That seems like your much stronger older brother hitting you with your own arm and asking "why are you hitting yourself" over and over again though. Cloudflare is standing their ground with their morals, and Archive is standing their ground with their morals. Which one is right is for you to decide.

>>tomp+9B
So how do other companies cope with 1.1.1.1, that run their own CDN? E.g. Facebook? Google?

>>pierat+jL
What advantage? Is there reason to believe that 1.1.1.1 treats CloudFlare's CDN specially and forwards EDNS info or similar?

>>djbusb+BK
Also, looking up DNS in one direction and browsing (say over a VPN) in another. The destination site doesn’t always get the same IP that the DNS request gets.

>>fragme+Pc1
Easy choice: the one that’s protecting me, rather than themselves.

>>jachee+5n1
Without protecting themselves, archive.is wouldn't exist.

And given it is the subnet number being sent, NOT the IP address that people here claim, the privacy concern is fairly low (CF knows your IP address in order to deliver the DNS answer back to you and archive.is knows your IP address when you request resources).

I'll take the performance improvement that EDNS client subnet can provide.

>>yellow+eD
Forgive my naivety, but can you not just ping several servers and return the best? Could you not even guess first and then asynchronously perform this and then re-route or do so on the next user click? I am not an internet person so this may be a very dumb question.

>>meindn+Eh1
They have own Autonomous Systems with own anycast IP addresses.

It is quite expensive for an indie project. Not to mention legal support for compliance in every country of presence. To block 0.x% of visitors coming from CloudFlare is much cheaper for a small project than to go this road.

>>joseph+AS
It’s not the same service, though.

As I understand it, the main reasons people use archive.is over archive.org are because archive.is is more of an immediate proxy/cache/cdn, rather than a long-term archival system that requires a bot to crawl based on schedule parameters. That, and also it includes features to help bypass paywalls by sanitizing some (all?) JavaScript.

On the other hand, Archive.org doesn’t remove or alter scripts or anything like that. And as far as I know you can’t just request them to crawl a site and then browse it there immediately, but you can on Archive.is

>>yellow+eD
You shouldn't assume the origin server is setup for direct traffic - either in terms of load management or security (access to origin might only be available to CDN IPs on their ACL)

>>cmeach+1i1
EDNS absence does affect cheap DNS-based CDNs and has to effect on expensive AnyCast CDNs (one of them is CloudFlare CDN).

>>johnkl+lW
Cloudflare is not special or unique tons of resolvers don't support EDNS. archive.is serves them all the same they only lie in their response if the source is Cloudflare.

It's actually really funny archive.is works from time to time on 1.1.1.1 which I'm assuming is when archive.is hasn't update their IP list / detection logic. I wonder how much time they spend maintaining that if they blocked everyone without EDNS it would be easy but since it's just Cloudflare....

>>therea+YB
I use and pay for nextdns, and am a huge fan.

>>brirec+zx1
> And as far as I know you can’t just request them to crawl a site and then browse it there immediately, but you can on Archive.is

Yes you can. After you put in the URL, you get a button to do so. I just did it for your comment: https://web.archive.org/web/20230802205505/https://news.ycom...

>>nora-p+dw1
> They have own Autonomous Systems with own anycast IP addresses.

> It is quite expensive for an indie project. Not to mention legal support for compliance in every country of presence. To block 0.x% of visitors coming from CloudFlare is much cheaper for a small project than to go this road.

I don't buy this. I'm running my own AS and anycast services for £10pm (my ISP are sponsoring my allocations from RIPE).

Also, it feels like Cloudflare's DNS service is more than just 0.x% of the internet....?

>>kalleb+3h
I have the same issue and just now found it was because of Private Relay. I did not connect the fact that I had no issues accessing archive.is when I had a VPN on - which disables Private Relay. Since they got a location, not my location but a location they were hunky dory....

I saw this post and tried it with and without Private Relay and sure enough, turning it on is the issue. Good to know....

Edit: I updated Private Relay to "Maintain general location" for IP Address Location Settings and archive.is loads fine.

Second Edit: Maybe not, it all works now and I think it is either session or cache. I got to play around with it

>>savefe+eR1
Does enabling a VPN disable private relay or does it tunnel to the VPN through private relay? For some reason I have it in my head that it "double wraps" the traffic but I've never actually confirmed that for a fact.

>>whoopd+3P
I do believe both parties see the other this way.

Archive.is believes that Cloudflare can simply provide the full EDNS data, and they're technically right. But Cloudflare won't budge because they believe this is hostile to user privacy. I haven't heard a counterargument that Cloudflare is wrong about this.

Cloudflare believes that Archive.is can simply live without the EDNS data, and they're technically right. But Archive.is won't budge because they believe it prevents their abuse prevention techniques. They mention that owning their own AS would solve the problem but that's too expensive.[1]

Blame is in the eye of the beholder, but it seems to me that Archive.is should find alternative abuse prevention techniques like other websites do. Cloudflare has an argument based on privacy. Archive.is has an argument based on the proper solution being too expensive. The expense of running an AS is disputed in this HN thread.[2]

[1] >>36971650

[2] >>36977654

>>ninjag+8J
Indeed, they mention that the proper solution is to get their own AS but that it's too expensive (this is what other major websites do). Cloudflare argues that they are protecting user privacy by truncating the EDNS responses, and I believe it's commonly agreed that they're right that this move does so. Archive.is says explicitly that they want this because it's cheaper than an alternative that is available to them. The cost of running an AS is disputed elsewhere in this HN thread. To me it seems clear that Cloudflare has the moral upper hand.

>>dotBen+ty1
> You shouldn't assume the origin server is setup for direct traffic

You don't need to make any such assumption; the above point stands even in the case of simply hitting the "wrong" (i.e. geographically suboptimal) CDN endpoint.

>>electr+IV1
I don't think the "the proper solution" is possible in 2023, and it's not a matter of the size of the money pile.

Google and Facebook were examples of "the proper solutions".

The former is currently inaccessible from China, the latter from Russia.

Their "abuse prevention techniques" have failed.

Sacrificing only Cloudflare DNS users is a much lesser evil compared to outcome of "the proper solutions".

>>godels+aq1
For a site with longer-lived sessions (e.g. video on demand, gaming etc.) which tolerate a bit of startup delay/inefficiency that can definitely be done.

But for a site that essentially tries to serve you static content as quickly as possible and mostly all at once, that would probably introduce more overhead than it's worth.

>>ninjag+sG
This seems trivial to avoid now that this trick is public knowledge.

>>jshier+P91
> Warp's insistence on passing my origin IP to my destinations

IIRC WARP was only able to forward your origin IP to websites using Cloudflare. Then, as of Aug 2022, their FAQ[1] says your origin IP is hidden regardless of which website. Their IPs do reveal your geolocation though.

There was a bug[2] that revealed your IP to select websites; that seems to have been fixed by Nov 2022.

Disclaimer: I’m not knowledgeable enough to test every possible IP leak mechanism (like WebRTC), so I didn’t do that. I’m basically taking their word for it.

[1] https://developers.cloudflare.com/warp-client/known-issues-a...

[2] https://community.cloudflare.com/t/beware-cloudflare-warp-do...

>>stavro+if
Wow. archive.is proposed a perfectly good solution and CF shot it down.

>>lolind+(OP)
https://archive.is/hpKIB

>>lxgr+g82
In the latter case, that seems like it just wouldn't be such a big deal, right? Since the hit would only happen user side and be a small percentage of the user's time on the site?

I get that they don't want to "take the blame" but it seems like both parties are performing reasonable actions that butt heads but that one party resolves that by just not performing the service. To me that feels like a worse outcome than slow service, as it just looks like the site is down.

The next naive question I have is about the response of truncation. I understand Cloudflare is preserving privacy. Archive says that privacy is preserved because they truncate the PII. Is this truncation verifiable in the request from Cloudflare? If not, then this seems like an unreasonable expectation ("just trust me bro"). Again, personally I'd rather have the latency hit and I'm not sure I'm seeing a good argument against this.

>>growse+8O1
£10 GBP a month for a AS with an IPv4+IPv6 subnet + worldwide POPs that allow you to advertise your subnets over BGP? How did you pull that off? I've researched this a while ago and just the IPv4 subnet alone was at least 10x that amount if you are OK with leasing it from less reputable sources.

>>lolind+(OP)
archive.today or archive.is : https://en.wikipedia.org/wiki/Archive.today

archive.today - FAQ : https://archive.md/faq

archive.today - wiki : https://wiki.archiveteam.org/index.php/Archive.today

archiveteam wiki : https://wiki.archiveteam.org/

Tumblr : https://archive-is.tumblr.com/

Twitter : https://twitter.com/archiveis

  archive.today

  archive.ph

  archive.is

  archive.li

  archive.vn

  archive.fo

  archive.md

  archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion

Launched May 16, 2012; 11 years ago

>>yellow+hc1
Ok, really? Who is using a proxy for HTTP but not DNS in 2023?

>>lolind+TO
So just don't send ECS on any query except once you get to the public-suffix's NS...

Every element on the network between the user and the website will know it, too.

>>freedo+Ka
Your take is so on the money. I'm a staunch CF advocate, but so much rests on the trust they engender. Their power is a consequence in their presence as a trustable company working across the infrastructure of the Internet. There's so many pathways where the enforcers of good behavior eventually end up as the Pharaohs. I genuinely love Cloudflare while being simultaneously extremely wary of Cloudflare.

>>eastda+Wc
Why don't you just send fraudulent EDNS info?

>>freedo+Ka
It's the opposite for me. Cloudflare presents me with so many infinite "Are you human" check boxes when using Tor that I decided to never pay a single cent to that company unless we found ourselves in a situation were there was no other choice. Thankfully, there almost always choice, with most vendors now offering very good alternatives. I work in government IT procurement.

>>eastda+Wc
> In this particular case we truncate EDNS to protect the privacy of users because we believe 1) privacy is a fundamental human right; and 2) the original sin of the Internet is that IP addresses are too closely tied to the identities of individuals and services.

Your beliefs certainly aren't reflected in how you treat users. It's been a good while since I've been able to visit any cloudflare protected site using Tor. Your broken systems keep presenting me with infinite checkboxes that do absolutely nothing.

If you want to block people who truly believe that privacy is a fundamental human right, at least have the decency to be honest. Tell Tor users that they are permanently blocked so that they don't waste their time clicking on pointless checkboxes.

>>nora-p+zy1
Amazon’s Cloudfront is anything but cheap, but they too are based on DNS based routing.

>>ylere+bp2
I didn't say IPv4 :p

You're right, if you've got a legacy internet requirement then that adds another grand a year to your costs. But I disagree that it's "quite expensive for an indie project", especially one that's so popular it needs to run it's own CDN.

>>ninjag+GH
It's not just about the server you're connecting to knowing your IP, that's a given. With ECS every recursive DNS server in the chain also knows which site you want to visit

>>lolind+(OP)
Great post! I respect people's decisions regarding the focus on privacy but above all I just need the internet to work and this was always a mysterious issue. Finally fixed by switching to Google DNS, which for me personally is not a problem, escaping their net is better than not but not a requirement.

>>akira2+9Y
The problem is that there are more parties than you, your DNS server (the cab driver) and your destination (the website). The cab driver might have to ask a number of other people how to get to the destination.

Your DNS server probably doesn't have the exact record for you at the ready, but it does know another DNS server that gets you closer to an answer. That's how recursive DNS works and it might happen a few times before you actually get to a result. With ECS now every DNS server in this chain knows 12.45.56.x wanted to visit hacker news.

>>godels+hc2
> In the latter case, that seems like it just wouldn't be such a big deal, right? Since the hit would only happen user side and be a small percentage of the user's time on the site?

True, but it's still the difference between being able to load all embedded resources from a server close to the user or potentially having to haul all of that across an ocean, considering TCP congestion window scaling (which is sensitive to round trip times) etc.

All that said, based on a purported comment by the maintainer of archive.is, the aim of their CDN is actually not improving responsivity, but delaying legal/law enforcement responses: >>36971650

> Archive says that privacy is preserved because they truncate the PII.

Personally, I don't have a lot of sympathy for either party here:

I think, especially given the comment linked above, Archive's latency/efficiency concerns are just pretext for quite different concerns of their own (having to deal with law enforcement).

And on the other hand, while Cloudflare's EDNS subnet truncation might help user privacy in a few edge cases (as many have said here, the visited site will get the user's IP as soon as they connect to their servers!), it also makes it that much harder for CDNs other than Cloudflare to efficiently serve content using DNS-based routing and forces them to also use Anycast, which is much harder to do.

>>pigeon+ZN
Right, but it isn't standard yet still.

>>adql+4F
The current situation seems to be that for these users it's not working at all (either timeout or infinite captch loop), and it looks like an archive.is issue, no explanation is given. So avoiding service disruption looking like an archive.is issue does not seem to be the goal.