tl;dr: No. Quite the opposite, actually — Archive.is’s owner is intentionally blocking 1.1.1.1 users.

CloudFlare’s CEO had this to say on HackerNews:

We don’t block archive.is or any other domain via 1.1.1.1. […] Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service. […] The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users.

I am mainly making this post so that admins/moderators at BeeHaw will consider using archive.org or ghostarchive.org links instead of archive.today links.

Because anyone using CloudFlare’s DNS for privacy is being denied access to archive.today links.

https://ghostarchive.org/archive/PmSkp

  • TheHalc@sopuli.xyz · 62 upvotes · 1 year ago

    Archive.is used to block people with Finnish IPs too, allegedly because of personal immigration issues.

    I don’t get the impression it’s something anyone should ever rely on.

  • DzikiMarian@lemmy.sdf.org · 9 upvotes · 1 year ago

    That’s a really weird explanation on the part of the CF CEO, as just after the DNS request you usually connect to the site whose address you requested, and the site gets a lot more details, including the full IP address, anyway.

    • Hot Saucerman@lemmy.ml (OP) · 37 upvotes · edited · 1 year ago

      https://news.ycombinator.com/item?id=19828702

      Here’s the full comment on HackerNews; the article quoting him only had the snippet. The larger comment makes more sense. Emphasis mine.

      We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

      Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

      The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

      EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.

      We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.

      So it’s really more about metadata related to the IP, like geolocation.

      • jarfil@beehaw.org · 2 upvotes · 1 year ago

        We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results.

        Couldn’t they just put that as the EDNS?

    • FlumPHP@programming.dev · 7 upvotes · 1 year ago

      And? My DNS provider shouldn’t be leaking my information even if I immediately use the info they gave me to connect to the site.

  • gregorjan@lemm.ee · 8 upvotes · 1 year ago

    Test your DNS with some benchmark. I learned this the hard way: when I swapped to the more private quad9, my internet sometimes became borderline unusable. If you are for some reason on Windows you can use this one. For me OpenDNS was consistently the fastest to respond.

    • marco@beehaw.org · 5 upvotes · 1 year ago

      Thanks for sharing! The last time I picked nameservers was quite a while ago and I just went with fastest ping times :p

      OpenDNS turned out to be the fastest for me.

  • jherazob@beehaw.org · 4 upvotes · 1 year ago

    Honestly I am sick and tired of people being shit. Nearly every week we find out that someone who used to be respected and appreciated is actually a shit person, and it’s exhausting.

  • koper@feddit.nl · 3 upvotes · 1 year ago

    Good. Hopefully this will discourage people from using Clownflare’s DNS.

      • Psythik@lemm.ee · 2 upvotes · 1 year ago

        Wondering the same thing. CloudFlare DNS is so freaking fast.

        But at the same time I didn’t think of the privacy aspect so I want out. Is OpenDNS still good? How’s the speed?

        • Hot Saucerman@lemmy.ml (OP) · 11 upvotes · edited · 1 year ago

          It’s frustrating when people do that because there’s definitely valid critiques of CloudFlare, but that other guy calling them Clownflare and then not coming back to explain why is pretty juvenile and unhelpful (luckily another user came with a more realistic critique). Like, if it’s so bad, please offer alternatives and reasoning. I’m glad you liked Quad9 that I referenced elsewhere in the thread.

            • Hot Saucerman@lemmy.ml (OP) · 11 upvotes · 1 year ago

              Nope, I meant to reply to you, but apparently didn’t make it clear to you that I was actually referring to the person above the person you were responding to. I changed the wording to reflect this a little bit. I’m sorry for the confusion, that’s my bad. You’re swell and have been. The other fella came and was rude about CloudFlare and didn’t offer reasons or alternatives. Once again, sorry.