[jrwr]

This has come up a few times. Mostly the owner is set in their ways and are mad at CF for not providing the DNS flags that allow outside CDNs to figure out what IP you are closest to. From a 2019 thread about this:

The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

https://news.ycombinator.com/item?id=19828317

[saurik]

Can you explain the attack a bit more? One would (naively) expect that the process of the user connecting to my web server would expose their IP address (associated with their intent) to many more relevant actors (including "nationstate actors") than Cloudflare connecting to my DNS server... is the issue that the specific nationstate actor you have been concerned with is explicitly able to target and achieve surveillance on Cloudflare's outgoing traffic, but is expected to not be able to surveil the incoming traffic to my infrastructure on the other side (which sees the user's IP address way)?

[ViViDboarder]

Because DNS is still largely unencrypted. Nation state actors can read that information and map who is making requests for what domains.

It’s not so much a concern of the site host from getting the users IP, because the user is presumably going to visit it. This is an issue with Archive.is because they host their own DNS, not their web server.

[saurik]

I am sorry, can you explain this to me step by step? My computer makes a DNS request through Cloudflare, which forwards a request to archive.is's DNS server which is apparently going out of its way to carefully prevent anyone from figuring out that I wanted to access archive.is... and then my computer ruins all of that by making a direct connection to archive.is's web server. If you are a "nationstate actor" able to randomly sniff traffic in various places, the DNS request doesn't seem to add any value over the web request. What is the actual attack? Be more specific.

[kenmacd]

The IP you connect to could host 1000 sites. Leaking which one you're actually accessing could be important.

[fragmede]

The "attack" is bad implementations revealing the whole IP, leaking that PII, to anybody watching DNS, instead of the query being masked to a /20, or some other subnet.

Not all VPNs route DNS queries over the VPN for performance reasons. Thus, knowing that a specific IP is visiting dissident net when that cannot be directly observed is very useful.

[saurik]

Your "VPN fails to prevent my ISP from seeing the DNS request" attack is already prevented by using 1.1.1.1 with DNS-over-HTTPS even if Cloudflare gives your IP address, unencrypted, to the upstream DNS server, as the only party in question there is your local ISP. I am asking after some detail on the specific attack that Cloudflare is claiming they caught nationstate actors doing wherein it matters that Cloudflare's DNS requests leak my IP address, as the only scenario I can come up with where that matters is a hypothetical attacker that specifically is monitoring Cloudflare's egress (which frankly sounds relatively difficult due to scale) but not the website's ingress (which for a website of interest seems absolutely trivial) nor the user's egress (such as many countries now seem to do routinely), either of which trivially out the user's address and intent due to the browser making a direct socket connection to the result of the DNS query.