Hacker News new | ask | show | jobs
by snthd 210 days ago
Archive.is have previously blocked cloudflare DNS because it was anonymizing requests. It could be either.

https://news.ycombinator.com/item?id=19828317

>The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users.
2 comments
ndiddy 210 days ago
Someone asked the archive.is owner why he does this in the past. It's because of similar situations to this one where someone who wants to get archive.is taken down uploads illegal content, requests archive.is to save it, and immediately reports archive.is to their country's legal authorities. His solution to this is using the EDNS information to serve requests from the closest IP abroad, so any takedown procedure requires international cooperation and therefore enough bureaucratic overhead that he gets notified and has time to take the content down. https://news.ycombinator.com/item?id=36971650

I also find the "we don't want to leak a requester's IP" explanation for blocking EDNS to be suspect. The way DNS works is that you ask for the IP address for a domain name, you get the IP, and then you connect to it. With Cloudflare's DNS, the server doesn't know your IP when you do the DNS lookup, but that doesn't matter because you're connecting to the server anyway so they'll still get your IP. Even if you're worried about other people sniffing network traffic, the hostname you're visiting still gets revealed in plaintext during the SNI handshake. What Cloudflare blocking EDNS does do is make it much harder for competing CDNs to efficiently serve content using DNS based routing. They have to use Anycast instead, which has a higher barrier to entry.

link
chrneu 210 days ago
Cloudflare tends to default to "It's for the security of our users" when it often times isn't.
link
NoahZuniga 210 days ago
> Even if you're worried about other people sniffing network traffic, the hostname you're visiting still gets revealed in plaintext during the SNI handshake

Many sites now support Encypted Client Hello. This makes it possible to send the hostname after the connection has been encrypted. This is enabled by default on cloudflare hosted domains (when cloudflare also manages DNS).

link
pabs3 209 days ago
There was a report some years ago that found the IP address being connected to is often enough to identify the website being visited, even when using a CDN. I think you have to go to VPNs at a minimum, or Tor preferably. Tor doesn't help with correlation attacks from global passive/active adversaries though, or even folks with access to a lot of netflow data.
link
Buge 210 days ago
Here's my speculation on the underlying reason archive.today blocks Cloudflare DNS: https://webapps.stackexchange.com/a/135229/229725

I speculate it's due to archive.today wanting granular (not overly broad) legal censorship compliance. Which is somewhat related to this post.

link