by ironjunkie 2866 days ago
For performance and privacy reasons, you should use Cloudflare DNS. Please don't blindly trust Google when they say they don't use your DNS request data. It is their core business model to get their hands on all the data they can.

https://blog.cloudflare.com/announcing-1111/

8 comments

So it's fine to trust cloudflare "blindly" with the same data?

(I agree that for privacy DNS over https is good, but the resolver still sees your dns queries)

Don't trust any corporation. It is unbelievably simple to install dnscrypt-proxy 2 [1] and use DNSCrypt.

Dnscrypt-proxy spreads your queries across multiple servers and keeps them private.

If you can afford it, consider running a dnscrypt server yourself. [2]

[1] https://github.com/jedisct1/dnscrypt-proxy

[2] https://github.com/jedisct1/dnscrypt-proxy/wiki/How-to-setup...
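As an added illustration (not from the thread and not the dnscrypt-proxy project's own documentation) of how dnscrypt-proxy 2 spreads queries across several resolvers, here is a constructed dnscrypt-proxy.toml fragment. The option names are as I recall them from the project's example configuration and are an assumption; check them against the example-dnscrypt-proxy.toml shipped with your release, and make sure the server names exist in the resolver list it downloads.

```toml
# Constructed example fragment (assumed option names; verify against the
# example-dnscrypt-proxy.toml that ships with your version).
listen_addresses = ['127.0.0.1:53', '[::1]:53']

# Several resolvers from the public list; queries are distributed among them
# instead of all going to one operator. Names must match the resolver list.
server_names = ['cloudflare', 'google']

# Only use resolvers whose published metadata says they do not log queries,
# and that validate DNSSEC.
require_nolog = true
require_dnssec = true

# Load balancing: 'p2' picks at random among the two fastest servers;
# 'random' spreads queries across all configured servers.
lb_strategy = 'p2'
lb_estimator = true
```

Spreading queries means no single resolver operator sees your full query history, but each resolver you list still sees the queries that reach it; the configuration limits, rather than removes, what any one party learns.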

Cloudflare's 1.1.1.1 DNS blocks https://archive.is

I didn't believe they'd do something like this, so I went to check and prove you wrong, but sure enough, it doesn't resolve. According to this post on Cloudflare's support site, it's not their fault: https://community.cloudflare.com/t/archive-is-error-1001/182....

> This is unfortunately something we can’t do something about. Nameservers responsible for archive.is (ben.archive.is, anna.archive.is) are returning answers tailored to the IP address of the requestor.

And archive.is blames CloudFlare:

> it is because of 1.1.1.1

> try 8.8.8.8

But compare that answer to the continued technical breakdowns given by Cloudflare as they tried to work out why archive.is is returning an inaccessible IP based on the request IP.

CloudFlare attempted to determine why there was a problem, archive.is shrugged it off.

I'm guessing archive.is has misidentified DNS requests from 1.1.1.1 as a DDoS, so is resolving them to the requester's own IP address in an attempt to get them to DDoS themselves.

"returning answers tailored to the IP address of the requestor" is normal and correct behavior for most large websites, the problem is that one of those IP addresses is wrong. Specifically, when the requester is CloudFlare, archive.is is returning a CloudFlare internal IP address instead of their own. I'm guessing where they got that IP address is that it's the requester, and where they got mixed up is that virtually all high-volume DNS requesters that appear overnight are DDoS attacks.

I did the same research because I too found it hard to believe and it's still not clear to me how the problem is not on cloudflare. They claim the upstream is misconfigured, but how then does every single other DNS provider manage to handle it correctly?

Or are they claiming archive.is is explicitly blacklisting the cloudflare IP range? If that is the case it seems odd they are claiming the upstream is misconfigured as opposed to explicitly blocking them. Something does not add up correctly.

> how then does every single other DNS provider manage to handle it correctly?

They do not handle it at all. Remember that the responses are tailored to the IP address of the client, i.e. Cloudflare's back end. It is not Cloudflare that is doing that tailoring. So the question that you should be asking is how come archive.is did that tailoring for (as you claim at any rate, although I suspect that no-one has exhaustively tested this before claiming it) every single other DNS provider and not Cloudflare.

Indeed, if you read what you replied to, you'll find that it's the inverse of that situation. archive.is answers are explicitly tailored by archive.is for whenever it is, specifically, Cloudflare asking. So the question that you should be asking is how come archive.is is saying that it is on a Cloudflare-hosted CDN ("cdn-wo-ecs.archive.is", mapped to Cloudflare hosting IP addresses), but only saying that when it is Cloudflare asking.

Once you ask that latter question, you'll get to the meat of the issue, which is that archive.is demands that Cloudflare et al. pass on (most of) your IP address to them, and returns fake name-to-address mappings for Cloudflare and indeed anyone else who says that (for privacy or otherwise) they are not going to pass on that kind of ultimate client identifying information to archive.is nor to anyone else.

(It's archive.is tailoring its response where there is no EDNS0 client subnet, a.k.a. ECS, information, for the technical. That's what the "wo-ecs" means.)
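To make concrete what "with ECS" versus "wo-ecs" looks like on the wire, here is an added example, not code from the thread, from Cloudflare or from archive.is. It builds a DNS query in pure Python with and without an EDNS0 Client Subnet option (RFC 7871 option code 8 inside the RFC 6891 OPT record) and parses the option back out, which is the information an authoritative server like archive.is would key its tailored answer on. The query name, transaction ID and the subnet are constructed sample values; no packets are sent.

```python
"""Build DNS queries with/without an EDNS0 Client Subnet (ECS) option and
parse the option back from the wire format. Standard library only; offline."""
import ipaddress
import struct

ECS_OPTION_CODE = 8   # EDNS option code for Client Subnet (RFC 7871)
TYPE_OPT = 41         # OPT pseudo-RR type (RFC 6891)
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ecs_option(subnet):
    """Encode one ECS option: family, source prefix, scope prefix (0 in a
    query), then only as many address octets as the prefix covers."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8
    addr = net.network_address.packed[:nbytes]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname, txid=0x1234, ecs_subnet=None):
    """Return a wire-format A query. With ecs_subnet=None the OPT record is
    present but carries no ECS option, i.e. a 'wo-ecs' query."""
    # RD flag set, 1 question, 0 answers, 0 authority, 1 additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = build_ecs_option(ecs_subnet) if ecs_subnet else b""
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(pkt, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_ecs(pkt):
    """Return (network, scope_prefix) from the first ECS option found in the
    message's OPT record, or None if the query carries no ECS option."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):            # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            odata = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, source, scope = struct.unpack("!HBB", odata[:4])
            raw = odata[4:]
            width = 4 if family == 1 else 16    # pad truncated address back out
            addr = ipaddress.ip_address(raw + b"\x00" * (width - len(raw)))
            return ipaddress.ip_network(f"{addr}/{source}", strict=False), scope
    return None


if __name__ == "__main__":
    # Constructed sample values: a resolver forwarding a /24 of the client's address
    with_ecs = build_query("archive.is", ecs_subnet="203.0.113.77/24")
    without = build_query("archive.is")
    print("with ECS   :", parse_ecs(with_ecs))
    print("without ECS:", parse_ecs(without))
```

A resolver that forwards ECS, as the thread says Google's does, sends the first form, so the authoritative server learns the client's /24 (or whatever prefix the resolver chooses). A resolver that withholds it sends the second form, and the only address the authoritative server sees is the resolver's own back-end IP, which is exactly the case archive.is labels "wo-ecs".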

Sometimes 1.1.1.1 is used as a testing value, and can get blocked for reasons. CloudFlare is getting a huge amount of spam IP traffic to 1.1.1.1 from misconfigured equipment, it wouldn't be too surprising if some upstreams have firewalled valid IPs.

When cloudflare resolves addresses, the DNS request is not coming from 1.1.1.1, it's coming from the IP address of the server actually making the request. You can confirm this by looking at the results of a VPN DNS leak test [0] and seeing the IPs being used to resolve the addresses do come from cloudflare, but are not 1.1.1.1

[0]: https://www.dnsleaktest.com/

Oh, amazing. Thanks, I thought the site was down.

Why?

It's not clear to me that I can trust Cloudflare, either.

I will take the least of two evils.

Look at the incentive and core business of the two companies.

Cloudflare is not in the business of mining as much data about you as possible. They don't sell ads and don't make money trying to make you fit into a profile. They have zero incentive to keep a history of all your DNS requests.

Google, on the other hand, claims they don't do it, but it will make complete sense for their business to do it.

Given their security track record, I wouldn't trust Cloudflare with any of my data, regardless of what they plan or don't plan on doing with it.

> Given their security track record, I wouldn't trust Cloudflare with any of my data, regardless of what they plan or don't plan on doing with it.

Your username is anothergoogler; do you work for Google?

No, but I do search using Google.

Oh, ok. Sorry. Usually it's Google employees who call themselves "Googlers".
Cloudflare manipulated DNS entries in the recent past[0], so I don't think I want to use them.

0. https://twitter.com/eastdakota/status/1024018061311897600

So blindly trust Cloudflare instead of Google?

This is nothing more than pure conjecture...

Asserted without evidence, dismissed without evidence.

Baseless fear mongering from a concern troll.