by cmeacham98 995 days ago
As neutrally as possible:

Cloudflare doesn't support the DNS Extension that sends part of clients' IPs to the upstream resolver (https://en.m.wikipedia.org/wiki/EDNS_Client_Subnet). Cloudflare believes this is better for privacy.

Archive.is doesn't like this (because it prevents DNS-based CDN routing), and thus has a hardcoded exception to intentionally return bogus results to Cloudflare's resolvers.

6 comments

I think it's also worth noting that Cloudflare's implementation is EDNS compliant. The EDNS extension for sending the client subnet is explicitly optional in the standard.
Cloudflare's lack of EDNS doesn't prevent DNS-based routing. It can still be done based on the DNS request's source address. This will be the IP of the Cloudflare POP closest to the client.

Lack of EDNS only makes DNS based routing slightly worse if your CDN has a POP density similar-or-greater-than Cloudflare's.
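The routing fallback described in the two comments above (use the ECS client subnet when the resolver sends one, otherwise geolocate the resolver's own source address, which for Cloudflare is the PoP nearest the client) is easy to show in code. The block below is an added example written for this thread, not code from Cloudflare, archive.is or any commenter; every address, PoP location and edge name in it is a constructed placeholder, and the tables stand in for the published query-IP geolocation data that the CEO quote later in the thread refers to. It also shows the privacy trade-off the thread is about: with ECS the authoritative server learns the client's /24, without it only the resolver PoP.

```python
import ipaddress
import math

# Constructed table: resolver source prefix -> (lat, lon) of the resolving PoP.
# Stands in for a published "geolocation of the IPs we query from" list.
RESOLVER_GEO = {
    ipaddress.ip_network("203.0.113.0/24"): (52.52, 13.40),    # hypothetical "Berlin" PoP
    ipaddress.ip_network("198.51.100.0/24"): (37.77, -122.42), # hypothetical "San Francisco" PoP
}

# Constructed GeoIP table for client subnets carried in an EDNS Client Subnet option.
CLIENT_GEO = {
    ipaddress.ip_network("192.0.2.0/24"): (48.85, 2.35),       # hypothetical "Paris" eyeball network
}

# Constructed edge servers the CNAME could resolve to.
EDGES = {
    "edge-fra": (50.11, 8.68),
    "edge-sjc": (37.34, -121.89),
}
DEFAULT_EDGE = "edge-fra"   # used when neither ECS nor resolver address can be geolocated


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def lookup(table, ip):
    """Longest-prefix match of an address against a {network: location} table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, loc in table.items():
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, loc)
    return None if best is None else best[1]


def nearest_edge(location):
    return min(EDGES, key=lambda name: haversine_km(location, EDGES[name]))


def pick_edge(resolver_ip, ecs_subnet=None):
    """Choose an edge for a DNS query.

    Returns (edge_name, basis) where basis records what the decision leaked
    to the authoritative side: 'ecs' (client /24 seen), 'resolver' (only the
    resolver PoP seen), or 'default' (nothing usable; static answer).
    """
    if ecs_subnet is not None:
        # RFC 7871 resolvers truncate IPv4 source prefixes to /24; normalise the same way.
        net = ipaddress.ip_network(ecs_subnet, strict=False)
        net = net.supernet(new_prefix=24) if net.prefixlen > 24 else net
        loc = lookup(CLIENT_GEO, net.network_address)
        if loc is not None:
            return nearest_edge(loc), "ecs"

    # No ECS (the Cloudflare case): fall back to where the query came from.
    loc = lookup(RESOLVER_GEO, resolver_ip)
    if loc is not None:
        return nearest_edge(loc), "resolver"

    return DEFAULT_EDGE, "default"


if __name__ == "__main__":
    print(pick_edge("203.0.113.5"))                  # resolver PoP only
    print(pick_edge("198.51.100.9", "192.0.2.77/32"))  # ECS overrides resolver location
    print(pick_edge("10.0.0.1"))                     # nothing mapped, static default
```

The `basis` value is the part worth looking at from a privacy angle: the query's resolver-only path routes a Berlin-PoP query to the Frankfurt edge without the authoritative server ever seeing a client prefix, which is the fidelity argument the thread makes for operators with fewer PoPs than the resolver.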

Correct. Cloudflare's POP routing is quite extensive, and I'd be shocked if archive.is had more than a handful of backends it's routing to.

Even so, why would an extra few dozen ms matter at all? Archive.is appears to be spindle-limited; is a client with marginally higher RTT an issue? The admin is silly.

https://www.cloudflare.com/network/

It seems so silly and mysterious that it makes me wonder if archive.today wants exact client IP addresses for some other unstated reason. (It's not clear how/if archive.today, a possibly illegal site, brings in revenue?).

The whole thing is very odd.

There is another reason but it is stated here: https://news.ycombinator.com/item?id=36971650 (routing people to the nearest server _outside_ their own country).
> it makes me wonder if archive.today wants exact client IP addresses for some other unstated reason

They still get the client ip from the request to the service itself (unless you're using a VPN, but if you're using a VPN then archive wouldn't get your ip from your DNS request either).

Do you happen to have a mapping of Cloudflare IP space to physical POPs?

To the best of my knowledge they do not publish this, which makes it quite a chore to track all their edge locations manually.

You could probably take their network map SVG and convert the circle coordinates from integer Mercator projection points to lat/lon pairs, and then map them to cities.
> thus has a hardcoded exception to intentionally return bogus results to Cloudflare's resolvers.

This is a bad practice.

Why in the world are they doing that, I wonder.
Personal hate against big tech companies?
It prevents DNS-based CDN routing in the particular way Archive wants to do it.
There are two missing facts here that change the story quite a bit:

- In addition to not supporting EDNS, Cloudflare sends DNS requests from effectively random PoPs, so the recipient doesn’t know even the visitor’s nationality.

- The reason archive.is doesn’t like this is it makes them vulnerable to DoS attack.

Source and details: https://news.ycombinator.com/item?id=36971650

If I understand this correctly, that's hilarious -- Cloudflare is essentially saying that nobody can layer their own cloudflare-like offering on top of their DNS. Edge-routing is their bread and butter!

If you want to use the client's IP geolocation to resolve a CNAME to an edge server, this blocks you from doing so. You have to buy Cloudflare's products to get this benefit, and use their edge servers.

No, they don't, please read this before making unresearched guesses (note: I had the same reaction at first a couple of years ago).

They forward all the info that is required for CDNs to function; that's why no other CDNs are complaining.

See the statement of the CEO:

https://news.ycombinator.com/item?id=19828317

Tldr:

> We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.

We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security.

Thanks for the clarification and link!

I do think that this has the effect of locking customers into Cloudflare's geoip data, which seems a little sketchy. The operator of archive.is claims that the data itself is bad[1] but I can't speak to his biases or motivations.

If the data is incomplete or bad, then you gain an advantage by using Cloudflare's services over rolling your own or using a competitor if a large number of customers are using their DNS, so I think the original point does stand. And if you are a competitor, your ability to compete with greater edge capacity or more targeted edge capacity is nonexistent.

[1] https://twitter.com/archiveis/status/1018691421182791680

I would doubt the owner has a bigger network than Cloudflare as their CDN.

If your CDN is Azure, GCE, or AWS, then your CDN is spread over the regions that their cloud offers. You still have no use case to know more.

So, who? There isn't a provider atm in the world. So the issue at hand is currently not existent, as far as I'm aware.

Let's say you have more fine-grained capacity in a given metro than Cloudflare has in an attempt to provide additional value in that metro than Cloudflare can offer. You are blocked from doing so if endusers are using Cloudflare DNS.

I don't know if this is happening at the moment, but it's pretty clear that there is no real incentive to even attempt this given that you simply will not be able to offer any benefits because you don't have the data.

Who would set up (or use) a DNS that is better in 1 metro in the world? Do you?

The example given doesn't make any sense.

You're just giving an ideological example. Not one that occurs in the real world.

Here is one that actually happens: using Cloudflare DNS to protect privacy is one that occurs in the real world, and e.g. Apple is using them for exactly that.

But let's repeat:

> We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security.

Yeah, so cloudflare is making sure no one else can compete.
Didn't read the last paragraph?

> We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security.

---

I don't know what happened between that statement and now. Since they were working together with eg. Google to solve it.

Still. No example? So not an issue now?