- cross-posted to:
- hackernews@derp.foo
- cross-posted to:
- hackernews@derp.foo
tl;dr: No. Quite the opposite, actually — Archive.is’s owner is intentionally blocking 1.1.1.1 users.
CloudFlare’s CEO had this to say on HackerNews:
We don’t block archive.is or any other domain via 1.1.1.1. […] Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service. […] The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users.
I am mainly making this post so that admins/moderators at BeeHaw will consider using archive.org or ghostarchive.org links instead of archive.today links.
Because anyone using CloudFlare’s DNS for privacy is being denied access to archive.today links.
That’s really weird explanation on part of CF CEO, as just after DNS request you usually connect to the site which address you requested and site gets a lot more details including full IP address anyway.
https://news.ycombinator.com/item?id=19828702
Here’s the full comment on HackerNews, the article quoting him only had the snippet. The larger comment makes more sense. Emphasis mine.
So it’s really more about metadata related to the IP, like geolocation.
Interesting, thanks
Couldn’t they just put that as the EDNS?
That . . . really looks like a game of DNS chicken. In Cloudflare’s place, I’d just shrug, provide garbage EDNS data that meets the technical requirements (probably pointing at archive.is’s own location), and move on, but they’re apparently too wrapped up in their principles to blink first.
This is all disappointing, to say the least, but I’m convinced. I won’t be using archive.today anymore.
A DNS query is not inherently followed by a connection to the server.
It almost always is.
And the 5% of the time it isn’t, is what is being talked about here.
And? My DNS provider shouldn’t be leaking my information even if I immediately use the info they gave me to connect to the site.
To be fair, they use a dns-based load balancer / cdn, so they want to know your ip address so their dns server can geolocate you and reply with the nearest server’s IP address. I guess this is probably easier to setup or less costly than using anycast like most cdn services.
Wouldn’t it make a difference in cases where the nameserver and host are not the same entity?