this post was submitted on 30 Aug 2023
259 points (100.0% liked)

Technology

37737 readers
352 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

tl;dr: No. Quite the opposite, actually — Archive.is’s owner is intentionally blocking 1.1.1.1 users.

CloudFlare's CEO had this to say on HackerNews:

We don’t block archive.is or any other domain via 1.1.1.1. [...] Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service. [...] The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users.

I am mainly making this post so that admins/moderators at BeeHaw will consider using archive.org or ghostarchive.org links instead of archive.today links.

Because anyone using CloudFlare's DNS for privacy is being denied access to archive.today links.

https://ghostarchive.org/archive/PmSkp

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 84 points 1 year ago

Archive.is used to block people with Finnish IPs too, allegedly because of personal immigration issues.

I don't get the impression it's something anyone should ever rely on.

[–] [email protected] 56 points 1 year ago (17 children)

Because anyone using CloudFlare’s DNS for privacy is being denied access to archive.today links.

Yes, which makes Archive.is a terrible service... Because they don't get super fine details of where your connection is originating from they poison the DNS response they give cloudflare. Any site that weaponizes DNS then blames me for choosing to not allow them to do so... Fuck them.

load more comments (17 replies)
[–] [email protected] 49 points 1 year ago (3 children)

Time to add 1.1.1.1 to my list of DNS servers to use

[–] [email protected] 37 points 1 year ago (3 children)

In case you don't know, Cloudflare already controls a massive amount of websites, have access to their unencrypted traffic and are making the web inaccessible for people who use tor or noscript. They are a threat to the open web.

[–] [email protected] 15 points 1 year ago (1 children)

CloudFlare offers website admins the ability to have their sites directly available to Tor users but they have to activate the feature: https://developers.cloudflare.com/support/firewall/learn-more/understanding-cloudflare-tor-support-and-onion-routing/

load more comments (1 replies)
[–] [email protected] 13 points 1 year ago (4 children)

Do you have an alternative that isn't google? Because google's DNS privacy policy is much worse.

I don't like cloudflare, but their DNS terms are relatively good, and they have my info anyway because as you say, they're everywhere. I don't think my not using their DNS will make any appreciable mark on their business, either.

[–] [email protected] 8 points 1 year ago (1 children)

Quad9, DNS.Watch, OpenDNS

Three good alternatives.

[–] [email protected] 6 points 1 year ago (3 children)

Also NextDNS is great because you can change every setting (and the free tier offers you way more usage than you will ever use)

load more comments (3 replies)
load more comments (2 replies)
[–] [email protected] 6 points 1 year ago

I use NoScript and CloudFlare DNS works just fine for me. That said, I'm looking to switch due to privacy concerns after reading this thread.

[–] [email protected] 14 points 1 year ago

Don’t forget the backup 1.0.0.1

[–] [email protected] 4 points 1 year ago (4 children)

what else is on your list?

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (4 children)
load more comments (4 replies)
[–] [email protected] 6 points 1 year ago (3 children)

I do CloudFlare first and Google as backup.

[–] [email protected] 23 points 1 year ago

So privacy first first and privacy last second, interesting combo

[–] [email protected] 7 points 1 year ago

yeah 1.1.1.1 then 8.8.8.8

[–] [email protected] 5 points 1 year ago

LOL that's not a bad way of explaining it. My reasoning is that I like CloudFlare, so I'll default to them, but if CF goes down I want DNS to continue working. I figure Google is one of the servers that's LEAST likely to go down.

load more comments (1 replies)
[–] [email protected] 15 points 1 year ago

This was driving me crazy.... at least I know why now.

[–] [email protected] 13 points 1 year ago (4 children)

That's really weird explanation on part of CF CEO, as just after DNS request you usually connect to the site which address you requested and site gets a lot more details including full IP address anyway.

[–] [email protected] 57 points 1 year ago* (last edited 1 year ago) (4 children)

https://news.ycombinator.com/item?id=19828702

Here's the full comment on HackerNews, the article quoting him only had the snippet. The larger comment makes more sense. Emphasis mine.

We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.

We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.

So it's really more about metadata related to the IP, like geolocation.

[–] [email protected] 5 points 1 year ago

Interesting, thanks

[–] [email protected] 4 points 1 year ago

We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results.

Couldn't they just put that as the EDNS?

load more comments (2 replies)
[–] [email protected] 16 points 1 year ago (2 children)

A DNS query is not inherently followed by a connection to the server.

load more comments (2 replies)
[–] flumph 12 points 1 year ago (1 children)

And? My DNS provider shouldn't be leaking my information even if I immediately use the info they gave me to connect to the site.

[–] [email protected] 5 points 1 year ago

To be fair, they use a dns-based load balancer / cdn, so they want to know your ip address so their dns server can geolocate you and reply with the nearest server's IP address. I guess this is probably easier to setup or less costly than using anycast like most cdn services.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Wouldn't it make a difference in cases where the nameserver and host are not the same entity?

[–] [email protected] 10 points 1 year ago (2 children)

Test your DNS with some benchmark. I have learned this the hardway, when I swapped to for more private quad9 my internet became sometimes borderline unusable. If you are for some reason on windows you can use this one. For me openDNS was consistently the fastest to respond.

[–] [email protected] 6 points 1 year ago

Thanks for sharing! The last time I picked nameservers was quite a while ago and I just went with fastest ping times :p

OpenDNS turned out to be the fastest for me.

load more comments (1 replies)
[–] [email protected] 4 points 1 year ago (1 children)

Honestly I am sick and tired of people being shit, nearly every week we find out that someone that used to be respected and appreciated is actually a shit person, and it's exhausting,

load more comments (1 replies)
load more comments
view more: next ›