by breppp 84 days ago
While I fully support this instance, I wonder what else Cloudflare has set to "Censored", apart for the obvious CSAM

1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. If you want an unfiltered DNS, use 1.1.1.1 - which resolves archive.today just fine, although archive.today itself refuses to work on Cloudflare DNS.
> 1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. ...

TIL, thank you. Time to go tweak my pi-hole server...

I'm just curious, given all the other options that respect your privacy and don't put data collection at the center of their business model, why do you use Cloudflare on your pi-hole?
> why do you use Cloudflare on your pi-hole?

Because "if it ain't broke, don't fix it." I'm not one of those users who want to endlessly tweak their ad blocker. I want to set it up, clicking as few checkboxes as necessary to get it going, and then leave it. However, (now) knowing that Cloudflare filters differently on each of their servers, I'm incentivized to go tweak a number in the config (as opposed to researching the pros and cons of every possible provider, a detail I truly have no interest in pursuing).

If you mean you had 1.1.1.2 as a secondary, and don't want it to have a different configuration, you can use 1.0.0.1 along with 1.1.1.1 instead.
> If you mean you had 1.1.1.2 as a secondary, and don't want it to have a different configuration, you can use 1.0.0.1 along with 1.1.1.1 instead.

I had no clue which one was active. It was, for me, just a checkbox at the time. This thread prompted me to go check and tweak appropriately.

Which options respect your privacy?
I use unbound (recursive resolver), and AdGuard Home as well (just forwards to unbound). Unbound could do ad-blocking itself as well, but it's more cumbersome than in AGH. So I use two tools for the time being.

The upside is there's no single entity receiving all your queries. The downside is there's no encryption (IIRC root servers do not support it), so your ISP sees your queries (but they don't receive them).

I'll throw https://nextdns.io into the mix. Been very happy with it. Supports DOH, block lists, among a plethora of other features.
The ones where you don't send a single company all of your queries
AdGuard DNS servers are excellent.
quad9
what is the vector here? dns traffic is practically anonymous, there would have to be some very specific and purposeful trickery going on to link dns traffic to an identity. It sounds like something more hypothetical than a tangible threat model
It isn't anonymous. DNS servers resolve IP addresses by hostnames. They cannot then inspect further traffic, but they certainly can log your IP address and all URLs a given IP ever hit.

Since ISPs know your identity, and all it takes is to (request and get) the DNS logs and ISP servitude for all sorts of questionable information, you as an identity are giving away all site domains you visit.

> It cannot then inspect further traffic but it certainly can log your IP address and all URL's a given IP ever hit.

Correction: they can log host names/IPs, not URLs. The path of any given URL is part of the HTTP header, invisible to onlookers (assuming HTTP and assuming HTTPS is uncracked).

Considering that the DNS in question is third-party, that is, independent from the ISP, the DNS and the ISP will not share data with each other on a routine basis, which would make this concern negligible for everyday traffic.

So to simplify, the DNS provider has a map of IPs to domains visited, while on the other hand an ISP has a map of IP addresses to identities.

To even cross-reference the data, the ISP and the DNS provider would need to partner, and violate their privacy guarantees.

At the very least it's obvious that using a separate DNS provider from your ISP's provides additional anonymity by decentralizing your traffic. Although this comes with a tradeoff: having 2 providers increases the odds of partial leaks.

This analysis is so overkill for your personal traffic that it borders on tinfoil territory. If we are in a professional setting and are discussing the competitive data of a company or that of thousands of users, then this level of scrutiny is merited, but as-is, separating your DNS provider from your ISP is already very marginal and a bit paranoid. Evaluating the DNS providers to such an extent that a huge security company with good legal standing would somehow qualify as unsafe, for the traffic of one user, I stress, is paralyzingly over-engineering the security of an infrastructure that has already been secured such that users don't need to know what a DNS is and how to configure it in order to have safe and private internet.

Imagine going to the bank and asking the teller for a withdrawal but not disclosing the amount and coming up with a mechanism to withdraw without anyone from the bank knowing what you withdrew. Sure, it increases your security, but also come on, what are we doing here?

> A Cloudflare Ray ID is an identifier given to every request that goes through Cloudflare.

https://developers.cloudflare.com/fundamentals/reference/clo...

if you think a little creatively about how this information could be used by an organization that was created at the insistence of the United States Department of Homeland Security, then you're on the right track.

This is a silly conspiracy theory: the ray ID references the specific CDN edge server which processed your request.

Even the request ID is not what you’re implying: that’s unique for a single request, but it’s not public and anyone who has your HTTPS payload has equivalent tracking capabilities.

I did some experimenting recently and I'm quite convinced that when I use Comcast's DNS they are selling it to advertisers. I've switched to 1.1.1.1 simply because it annoys me that Comcast is doing this.
How could that experiment work?
Today we are one of the lucky 10k
I have no idea why anyone would use Cloudflare DNS, much less trust their more filtered versions.
I use cloudflare DNS because it’s faster. But should I worry, having read your comment? What is the downside to using it? What would you recommend instead?
Quad9.

Many years ago I used Cloudflare, and more than once I had issues with them blocking websites I wanted to access.

I absolutely despise that. I want my DNS to resolve domain names, nothing else.

For blocking things I have Pi-Hole, which is under my control for that reason. I can blacklist or whitelist addresses to my needs, not to the whims of a corporation that wants to play gatekeeper to what I can browse.

So… why not use 1.1.1.1, cloudflare’s resolver that does not block resolution?

1.1.1.2 and .3 are explicitly offered with filtered responses.

I used to use 1.1.1.1. I still had issues.

Quad9 behaves exactly as I expect a DNS to work, in the sense that I only remember I use it when the topic of DNS pops up.

Because that would be subject to the whim of the provider, who, subject to court orders, would have to oblige in order to continue operating as a US entity.
Why give all your queries to a single company with an interest in tracking you and selling your data?
But don’t most ISPs do this? And if you use google’s DNS, for example, are they not doing this? Does cloudflare sell the data?
Same thoughts. Cloudflare DNS is noticeably slow to resolve on some of my devices.

Switching to literally any other DNS and the same domains resolve instantly.

Could be an issue specific to my location or devices, but it's been consistent enough that I stopped bothering.

I don't use the public resolvers but here [1] is a script that will show which of those public resolvers is fastest from your location. Add or remove resolvers as you desire. Be sure to scroll down to see a few of the sorting examples. Not my script or repo.

Just as a side note: Something I have done with this in the past as a fun experiment was to set up an Unbound DoT server on assorted VPS nodes in assorted locations around the country, run this script and configure each Unbound to use the 5 to 10 fastest servers on each node and cache results longer. Then I used Tinc (open source VPN) to connect to these VPS nodes from my home's Unbound and distribute the requests among all of them. I save query logs from all of them and use cron to look up all my queries hourly to keep the cache fresh and mess up any analytic patterns for my queries. Just a fun experiment. 99.99% of the time I just query the root DNS servers for what NS servers are authoritative for a given domain or what I call bare-backing the internet.

[1] - https://github.com/cleanbrowsing/dnsperftest

I have no idea why anyone would drink water from a faucet, much less trust their more filtered versions.
The "censored" part of archive.today seems unrelated to the filtering itself. 1.1.1.3 flags Pornhub.com as "EDE(17): Filtered" but archive.today is "EDE(16): Censored".

Supposedly it should be an external party that's requiring Cloudflare not to publish the DNS record. https://www.rfc-editor.org/rfc/rfc8914.html#name-extended-dn...
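An added example (not from the thread or from Cloudflare) showing how the EDE(16)/EDE(17) distinction above is actually carried on the wire: it parses RFC 8914 Extended DNS Error options out of the RDATA of an EDNS OPT record and names the info-code. The sample OPT RDATA is constructed by hand, not captured from a real resolver.

```python
"""Parse EDNS Extended DNS Error (EDE, RFC 8914) options from the RDATA of an
OPT pseudo-record, to tell a 'Filtered' (17) answer from a 'Censored' (16) one.

Added example, not code from the thread; the sample bytes are constructed."""
import struct

EDE_OPTION_CODE = 15  # EDNS option code assigned to Extended DNS Error

# Subset of RFC 8914 INFO-CODE values relevant to resolver filtering
EDE_NAMES = {
    15: "Blocked",
    16: "Censored",
    17: "Filtered",
    18: "Prohibited",
}

def parse_ede(opt_rdata: bytes) -> list[tuple[int, str, str]]:
    """Walk OPT RDATA as a sequence of (code, length, data) options and
    return (info_code, name, extra_text) for every EDE option found."""
    results = []
    i = 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[i:i + 4])
        data = opt_rdata[i + 4:i + 4 + length]
        if len(data) != length:
            raise ValueError("truncated EDNS option")
        i += 4 + length
        if code != EDE_OPTION_CODE or length < 2:
            continue  # skip non-EDE options (e.g. cookies) and malformed EDE
        info_code = struct.unpack("!H", data[:2])[0]
        extra_text = data[2:].decode("utf-8", errors="replace")
        results.append((info_code, EDE_NAMES.get(info_code, "Other"), extra_text))
    return results

def build_ede(info_code: int, extra_text: str = "") -> bytes:
    """Encode one EDE option; used here only to construct sample input."""
    payload = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(payload)) + payload

# Constructed sample: a DNS cookie option (code 10) followed by EDE 16 (Censored)
SAMPLE_OPT_RDATA = (
    struct.pack("!HH", 10, 8) + b"\x01\x02\x03\x04\x05\x06\x07\x08"
    + build_ede(16, "")
)

if __name__ == "__main__":
    for info_code, name, text in parse_ede(SAMPLE_OPT_RDATA):
        print(f"EDE({info_code}): {name} {text!r}")
```

Against a real resolver, the OPT RDATA comes from the additional section of the response; `dig +ednsopt` style tooling shows the same codes as the `EDE(16): Censored` line quoted above.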