Does Cloudflare's 1.1.1.1 DNS Block Archive.is?

jherazob , 9 months ago

Honestly I am sick and tired of people being shit, nearly every week we find out that someone that used to be respected and appreciated is actually a shit person, and it’s exhausting,

Dark_Arc , 9 months ago

I mean, this is the issue with purity tests. EVERYBODY, even you, even me, has something about them or some take that a large number of people will be offended by.

(But yeah, use something else in this case because why wouldn’t you)

Saik0Shinigami , 9 months ago

Because anyone using CloudFlare’s DNS for privacy is being denied access to archive.today links.

Yes, which makes Archive.is a terrible service… Because they don’t get super fine details of where your connection is originating from they poison the DNS response they give cloudflare. Any site that weaponizes DNS then blames me for choosing to not allow them to do so… Fuck them.

Pleonasm , 9 months ago

It might be terrible for you but it’s very handy for the rest of us.

If it’s so bad, maybe just pay to bypass all the paywalls that the site removes from your way. Having your local ISPs details sent through is a small price to pay for the convenience.

LinkOpensChest_wav , 9 months ago

In what way is it “very handy for the rest of us”?

Saik0Shinigami , 9 months ago

If it’s so bad, maybe just pay to bypass all the paywalls that the site removes from your way

Or I can just use Firefox reader mode… which works for like 90% of the sites that are paywalled that I’ve ever visited.

But honestly I don’t care what you say with an attitude like that. People who give up security for some fake semblance of “convenience” make the internet worse for everyone. I’m not sure how a company/website violating your rights is “handy” for you… but you do you.

Pleonasm , 9 months ago

Not really a paywall then, is it? I don’t know why you think it’s fake, it’s a very real convenience.

Violating my rights ? Is geolocating your users violating their rights now?

Saik0Shinigami , 9 months ago

Not really a paywall then, is it?

Well no shit… It wasn’t a real paywall if archive.org or archive.is can bypass either no? What’s your point with this statement?

I don’t know why you think it’s fake, it’s a very real convenience.

What/when did I say anything was fake? See above question… I said they’re a terrible service. Not that they’re fake. I’m telling you that it’s not any more convenient than the reader view button and that doesn’t give your data to some shady third party that doesn’t NEED your data… even though they’ll apparently go to war with one of the biggest transits on the internet over it to get it.

s geolocating your users violating their rights now?

Yes… attempting to punish users who don’t want to be geolocated… or FORCING users to geolocate would be collecting personal data. That is a literal violation of rights in many countries, specifically the EU… and California. So yes.

Are we done?

Pleonasm , 9 months ago

Archive.is can and does bypass real paywalls. That’s why it’s useful.

You literally called it a fake convenience in your previous comment. Do you have the memory of a goldfish?

Geolocation of users of course does not violate GDPR, don’t be ridiculous.

You have no idea what you’re talking about and clearly don’t understand the issue at hand, so yep, we’re done.

Saik0Shinigami , 9 months ago

Archive.is can and does bypass real paywalls. That’s why it’s useful.

Firefox reader mode does as well…

You literally called it a fake convenience in your previous comment.

Yes… so less button presses and faffing with bullshit just using the built in feature on firefox… See how archive.is isn’t that convenient at all?

Do you have the memory of a goldfish?

You seem to have the intelligence of one. You just said “fake”, assuming that someone would understand what the hell you’re talking about… When you communicate poorly, don’t be mad when people don’t understand you.

Geolocation of users of course does not violate GDPR, don’t be ridiculous.

They’re not just using geolocation and throwing the data away after they’re done. otherwise they wouldn’t be fighting cloudflare. Storing that data for whatever other purpose they could have with it would absolutely be a violation of GDPR and similar laws. You’re the one being ridiculous here.

You have no idea what you’re talking about and clearly don’t understand the issue at hand, so yep, we’re done.

I’m literally a CISO… It’s my job to make these kinds of decisions. So jokes on you. My company would fail compliance audits if we did dumb shit like this.

Pleonasm , 9 months ago

JavaScript paywalls are not real paywalls. So no, Firefox can’t bypass real paywalls.

Unlucky for your company to have a CISO with such poor reading comprehension.

Saik0Shinigami , 9 months ago

JavaScript paywalls are not real paywalls. So no, Firefox can’t bypass real paywalls.

Alright… Find me a page where archive.is can bypass the paywall… that Firefox cannot.

Unlucky for your company to have a CISO with such poor reading comprehension.

I’m going to refer you to my previous statement

You just said “real paywalls”, assuming that someone would understand what the hell you’re talking about… When you communicate poorly, don’t be mad when people don’t understand you.

You didn’t mention “Only Javascript” until just now… And for some reason you believe that those are fake? You’ve got some weird definitions here.

1984 , 9 months ago

What, stop using Chrome?? Unthinkable… Google says it’s the best and we can trust them. They want what’s best for us. /s

jarfil , 9 months ago (edited 9 months ago)

it’s very handy for the rest of us.

How is it more handy than Archive.org? You can submit URLs for archival just the same, and it doesn’t require user tracking.

I’ve used Archive.is before, but seeing this I won’t anymore.

EDIT: after some digging (see comment thread) and further consideration… I’m not sure anymore.

Pleonasm , 9 months ago

It’s way faster for one. It actively scrapes articles from behind paywalls, using a bank of credentials it has. Archive.org respects robots.txt and will take down copyrighted material on request. Archive.is doesn’t do any of that.

I would view it as complementary to archive.org. it’s more like sci-hub to me. A useful tool, run by one person who likes the idea of providing such a service.

What exactly do you think is being tracked by your ECS being sent along with DNS requests? All it means is that archive.is can’t load balance properly because they don’t know what their nearest server to your location is. If you’re so privacy conscious that leaking a portion of your IP to a DNS provider, then hardcode archive.is IPs into your hosts file or use a VPN. Not that your problem can really be with archive.is, because you’re visiting the site anyway, giving them your full IP.

It just seems like such a non issue to me.

jarfil , 9 months ago (edited 9 months ago)

actively scrapes articles from behind paywalls, using a bank of credentials it has […] more like sci-hub

I see… not sure I approve, but I see.

use a VPN

That’s precisely one of the issues with EDNS, already described 10 years ago:

• DNS leaks when using a VPN
• DNS Cache timing attacks
• Network scanning
• DDoS amplification
• Cache pollution

(00f.net/2013/08/07/edns-client-subnet/)

From the CEO’s reply on YC:

We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

(news.ycombinator.com/item?id=19828702)

Seems like dropping the originating address is a reasonable action on their part.

Only thing they could possibly do, would be to replace the originating address with the address of the particular DNS resolver in their network, which they said they had 180 of… but that would still reveal your geographic area in case of a VPN leak.

On the other hand, if you don’t care about any of that, why not use Google’s 4.4.4.4?

Pleonasm , 9 months ago

The reason I’m saying use a VPN is because you’re presumably visiting the site anyway, so leaking your full IP to them anyway. You can route your DNS lookups through what server you like, obviously. (Again, the privacy issue would be not that you’re leaking part of your IP to archive.is, but to everyone in the chain of recursive DNS resolvers). You could use TOR too, I think even in this thread someone posted a TOR url for it.

Cloudflare do make the DNS queries from 1 of their 180 locations, so there is some information being passed through about where the request is coming from in terms of load balancing.

I’m not arguing that Cloudflare are doing the wrong thing by omitting ECS data in general. Just that site owners have a right to do as they like WRT people using their website and if that includes blocking Cloudflare, so be it. What he is doing is not legal (or at least grey area) in many countries so anything that makes his life easier is understandable IMO.

Also, ECS leaking does not seem like a real concern for the vast majority of people surfing the net.

Lastly I don’t think Google own 4.4.4.4, did you mean 8.8.4.4?

jarfil , 9 months ago

I know what you meant with the VPN. Just saying that CloudFlare is using the VPN leakage case to justify not supporting ECS. As for the rest of the problems, DNS servers that suport ECS, hopefully have already implemented countermeasures.

Indeed Archive.is is free to block whoever he wants… he’s just using a weird argument, particularly when there is an onion address for it, which is kind of the opposite of a CDN… or I don’t understand his side completely. It feels to me like both sides are sticking to their stances, when either or both could fix the issue without much of a problem.

I don’t think Google own 4.4.4.4, did you mean 8.8.4.4?

Damn. Yeah, I meant 8.8.8.8 and 8.8.4.4. Brain fart.

Pleonasm , 9 months ago

There’s a comment on one of the HN threads that gives a little more insight - basically it helps him combat abuse by routing requests to the closest server outside of the requesting ips area: news.ycombinator.com/item?id=36971650

Not sure how that argument really holds up to scrutiny but it’s something.

jarfil , 9 months ago

DNS server returns not the closest IP to the request origin but the closest IP abroad, so any takedown procedure would require bureaucratic procedures so I am getting notified notified and have time to react.

Oh, so he’s not using a CDN, but a sort of “anti”-CDN.

attacks where people upload illegal content

I offered them to proxy those CloudFlare DNS’s users via their CDN but they rejected.

Wonder why 😆

Yes, that holds up to scrutiny pretty well.

After “I’ve proposed we just fix it on our end …” all requests for 7 archive.* domains are sent from Symantec USA IP

…and that’s a dick move on part of CloudFlare.

throws_lemy , 9 months ago

I’m using dnscrypt-proxy and I can open archive.is or archive.today perfectly

gregorjan , 9 months ago

Test your DNS with some benchmark. I have learned this the hardway, when I swapped to for more private quad9 my internet became sometimes borderline unusable. If you are for some reason on windows you can use this one. For me openDNS was consistently the fastest to respond.

dingus OP , 9 months ago

Nice tool! Thanks.

marco , 9 months ago

Thanks for sharing! The last time I picked nameservers was quite a while ago and I just went with fastest ping times :p

OpenDNS turned out to be the fastest for me.

koper , 9 months ago

Good. Hopefully this will discourage people from using Clownflare’s DNS.

dingus OP , 9 months ago

Clownflare’s DNS.

Such a strong argument for why people shouldn’t. /s

Lowbird , 9 months ago

As opposed to… ?

I genuinely couldn’t find a better option when I looked.

Psythik , 9 months ago

Wondering the same thing. CloudFlare DNS is so freaking fast.

But at the same time I didn’t think of the privacy aspect so I want out. Is OpenDNS still good? How’s the speed?

dingus OP , 9 months ago (edited 9 months ago)

It’s frustrating when people do that because there’s definitely valid critiques of CloudFlare, but that other guy calling them Clownflare and then not coming back to explain why is pretty juvenile and unhelpful (luckily another user came with a more realistic critique). Like, if it’s so bad, please offer alternatives and reasoning. I’m glad you liked Quad9 that I referenced elsewhere in the thread.

Psythik , 9 months ago

When did I call it “ClownFlare”? Did you reply to the right person?

dingus OP , 9 months ago

Nope, I meant to reply to you, but apparently didn’t make it clear to you that I was actually referring to the person above the person you were responding to. I changed the wording to reflect this a little bit. I’m sorry for the confusion, that’s my bad. You’re swell and have been. The other fella came and was rude about CloudFlare and didn’t offer reasons or alternatives. Once again, sorry.

pearsche , 9 months ago

redditbrains

snowe , 9 months ago

… did you read the same article the rest of us did?

marco , 9 months ago

This was driving me crazy… at least I know why now.

TheHalc , 9 months ago

Archive.is used to block people with Finnish IPs too, allegedly because of personal immigration issues.

I don’t get the impression it’s something anyone should ever rely on.

skullgiver , 9 months ago (edited 6 months ago)

deleted_by_author

dingus OP , 9 months ago

I should write an addon or something to automate this at some point.

You should! That’d be killer. Also, good archive suggestion, thanks.

skullgiver , 9 months ago (edited 6 months ago)

deleted_by_author

yukichigai , 9 months ago

Dunno about other browsers, but if you can get Firefox to view .onion links as a separate Application or File Type you should be able to give it a separate associated action, then just select Tor browser as the handler.

Problem is I'm not sure where Firefox stores the File Types list (it's not in about:config) and you can't just add to it via the UI either.

JoeCoT , 9 months ago

My solution is more complicated but doesn't require switching browsers

1. I run a tor client on my home server in docker, the same place I keep my vpn access, torrenting, etc
2. I run a socks proxy on my home server, that sends all requests through the tor network (and a different socks proxy for when I want to use the VPN)
3. On my desktop and laptop, I use the FoxyProxy firefox extension (SwitchyOmega on Chrome). I setup the socks proxy (proxies) on it, using URL patterns.
4. When I go to a .onion link, FoxyProxy uses the pattern, and sends the traffic over my tor socks proxy

jarfil , 9 months ago

Beware that most of the fingerprinting happens through JavaScript in the browser, so accessing websites over Tor using the same browser, still allows to match the access to your browser’s fingerprint. That’s why the Tor Browser bundle tries to minimize the ability of websites to fingerprint it.

Additionally, running JavaScript from .onion sites, is kind of like playing the Russian roulette.

LovelyCupcake , 9 months ago

Time to add 1.1.1.1 to my list of DNS servers to use

mateomaui , 9 months ago

Don’t forget the backup 1.0.0.1

metaStatic , 9 months ago

what else is on your list?

PeachMan , 9 months ago

I do CloudFlare first and Google as backup.

red , 9 months ago

So privacy first first and privacy last second, interesting combo

Bishma , 9 months ago

yeah 1.1.1.1 then 8.8.8.8

PeachMan , 9 months ago

LOL that’s not a bad way of explaining it. My reasoning is that I like CloudFlare, so I’ll default to them, but if CF goes down I want DNS to continue working. I figure Google is one of the servers that’s LEAST likely to go down.

dingus OP , 9 months ago (edited 9 months ago)

Quad9 is pretty good, too.

www.quad9.net

www.quad9.net/about/transparency-report

9.9.9.9

Psythik , 9 months ago

Do they have servers in the US?

dingus OP , 9 months ago

www.quad9.net/service/locations/

Looks like they do.

Psythik , 9 months ago

Sweet. Just changed my servers now.

user224 , 9 months ago

I used to use Cloudflare and recently switched to NextDNS for more control.

lemmyvore , 9 months ago

european-alternatives.eu/category/public-dns

koper , 9 months ago

In case you don’t know, Cloudflare already controls a massive amount of websites, have access to their unencrypted traffic and are making the web inaccessible for people who use tor or noscript. They are a threat to the open web.

Psythik , 9 months ago

I use NoScript and CloudFlare DNS works just fine for me. That said, I’m looking to switch due to privacy concerns after reading this thread.

Lowbird , 9 months ago

Do you have an alternative that isn’t google? Because google’s DNS privacy policy is much worse.

I don’t like cloudflare, but their DNS terms are relatively good, and they have my info anyway because as you say, they’re everywhere. I don’t think my not using their DNS will make any appreciable mark on their business, either.

feyo , 9 months ago

Quad9, DNS.Watch, OpenDNS

Three good alternatives.

normal_user , 9 months ago

Also NextDNS is great because you can change every setting (and the free tier offers you way more usage than you will ever use)

notfromhere , 9 months ago

I maxed out the free tier in my first month somehow lol… $20/yr isn’t a bad deal for essentially pihole everywhere.

Saik0Shinigami , 9 months ago

I mean a $35 pi and wireguard [I’m fond of Zerotier personally] can do the same thing… indefinitely… $35/forever > $20/yr :)

notfromhere , 9 months ago

Yea that’s on the list for some point. I have a small k3s cluster running on some Pis and experimenting with tailscale.

redcalcium , 9 months ago

Check out this list: adguard-dns.io/kb/general/dns-providers/

raptir , 9 months ago

Nextdns is great.

magmaus3 , 9 months ago

OpenNIC is an interesting option, if you’re okay with community-hosted servers.

sdoorex , 9 months ago

CloudFlare offers website admins the ability to have their sites directly available to Tor users but they have to activate the feature: …cloudflare.com/…/understanding-cloudflare-tor-su…

WindFreaker , 9 months ago

Strange, Onion routing was already enabled for my domains. Sounds like at some point it became an opt-out feature, not opt-in.

DzikiMarian , 9 months ago

That’s really weird explanation on part of CF CEO, as just after DNS request you usually connect to the site which address you requested and site gets a lot more details including full IP address anyway.

dingus OP , 9 months ago (edited 9 months ago)

news.ycombinator.com/item?id=19828702

Here’s the full comment on HackerNews, the article quoting him only had the snippet. The larger comment makes more sense. Emphasis mine.

We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.

We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.

So it’s really more about metadata related to the IP, like geolocation.

DzikiMarian , 9 months ago

Interesting, thanks

nyan , 9 months ago

That . . . really looks like a game of DNS chicken. In Cloudflare’s place, I’d just shrug, provide garbage EDNS data that meets the technical requirements (probably pointing at archive.is’s own location), and move on, but they’re apparently too wrapped up in their principles to blink first.

LinkOpensChest_wav , 9 months ago

This is all disappointing, to say the least, but I’m convinced. I won’t be using archive.today anymore.

jarfil , 9 months ago

We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results.

Couldn’t they just put that as the EDNS?

KairuByte , 9 months ago

A DNS query is not inherently followed by a connection to the server.

SaltySalamander , 9 months ago

It almost always is.

KairuByte , 9 months ago

And the 5% of the time it isn’t, is what is being talked about here.

nuke , 9 months ago

Wouldn’t it make a difference in cases where the nameserver and host are not the same entity?

flumph , 9 months ago

And? My DNS provider shouldn’t be leaking my information even if I immediately use the info they gave me to connect to the site.

redcalcium , 9 months ago

To be fair, they use a dns-based load balancer / cdn, so they want to know your ip address so their dns server can geolocate you and reply with the nearest server’s IP address. I guess this is probably easier to setup or less costly than using anycast like most cdn services.