Hacker News new | past | comments | ask | show | jobs | submit login
[flagged] Cloudflare DNS (1.1.1.1) Apparently Blocking Archive.is
88 points by ikeboy 2 hours ago | hide | past | web | favorite | 67 comments
I noticed I couldn't connect to archive.is, eventually I figured out it was an issue with cloudflare DNS, 1.1.1.1. Checking nslookup confirms this:

nslookup archive.is 1.1.1.1 Server: 1.1.1.1 Address: 1.1.1.1#53

Non-authoritative answer: Name: archive.is Address: 127.0.0.4

nslookup archive.is 8.8.8.8 Server: 8.8.8.8 Address: 8.8.8.8#53

Non-authoritative answer: Name: archive.is Address: 94.16.117.236

Cloudflare is returning a localhost address which prevents you from accessing the website.






We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.

The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.

We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.

reply


Honestly, Cloudflare choosing not to hastily slap a band-aid on a problem like this just makes me feel more compelled to continue using 1.1.1.1.

I hesitate to compare this to Apple calling themselves “courageous” when removing the headphone jack, but in this case, I think the word is appropriate. I’ll happily stand behind you guys if you take some PR hits while forcing the rest of the industry to make DNS safer – since it is understandable, admittedly, for users to conclude that “Cloudflare is blocking websites, sound the alarms!” at first glance.

reply


Say you remove/don't proxy the ECS information, and I get some generic, non-geo-location aware response back. In the majority of cases, wouldn't my next step be to open a TCP connection to the IP in the response, and immediately leak my full IP address to the other end? While I get (and appreciate!) the concern for the user's privacy, I'm having a hard time seeing what practical effect not proxying the subnet the user is on has?

(This is not meant to suggest that archive.is's DNS response is appropriate, or that CF's setup is inappropriate.)

(Just to check my understanding of ECS: it's an extension to DNS that sends the user's subject in the request, and gets relayed with the request, s.t. an authoritative server can respond with a geo-location appropriate response/IP.)

reply


An example of something that Cloudflare's approach provides some protection from: http://dnscookie.com/

reply


Thank you for your comment.

Since HTTPS traffic already reveals communicating IPs to nation-state actors, could you clarify what attack vector removing user IP info from authoritative DNS queries protects against?

In what way does Cloudflare publish its PoP geolocation? Is it a Cloudflare-specific API? Why not fake EDNS subnet info by providing the PoP’s?

I notice of course that Google, Facebook, and Netflix still work on 1.1.1.1. Does this mean they’re currently using Cloudflare PoP geolocation in lieu of EDNS subnet information?

reply


Thanks for the detailed response! I think your team is handling this the right way.

reply


@eastdakota what about just failing without response on archive.is calls so the second resolver address configured in the client will be used? I understand this is also a DNS integrity violation, however the result for the end user would be either the same if they don’t have a second resolver configured or enhanced if they do.

The current effect is I stop using 1.1.1.1 when I need archive.is (often) and set it back the next time I’m messing with my network settings.

reply


DNS either has integrity or it doesn’t. We get a response from an Authoritative server and, as a Resolver, we believe our responsibility is to return it. If we start making exceptions because of bad PR, how can you trust us to do the right thing when the stakes are even higher (e.g., nationstate pressure)?

As an aside, I used to think that when Emerson said that “a foolish consistency is the hobgoblin of little minds” he meant that we were foolish to try and be consistent. Increasingly I wonder if instead he meant that when you’re trying to reason with people who may not have the same detailed knowledge of a problem as you, there’s an enhanced importance to being consistent. Unfortunately, most policy makers globally don’t have a detailed understanding of how technical systems like DNS work, so we think it’s especially important we be consistent.

reply


Why not just send the subnet of the machine at cloudflare doing the querying?

reply


The full IP of the Cloudflare resolver doing the recursive resolution is already provided to the authoritative server, as the source IP for the DNS query traffic.

reply


I think the parent is saying, why not spoof the EDNS client subnet information?

reply


Could you use your own subnet in the EDNS that matches client's country or could you let user configure what data would be shared?

reply


Are there any other known sites that don't work with 1.1.1.1 but work fine on other resolvers?

reply


Typically, if you experience that, it’s because DNSSEC fails. 1.1.1.1 enforces DNSSEC. As does 8.8.8.8 in most, but not all, cases. Many other DNS resolvers do not enforce DNSSEC. Archive.is (and its directly affiliated sites) are the only exception like this I am aware of. And, to be clear, as a policy the 1.1.1.1 DNS does not block any sites from resolution.

reply


I (random HN user) happen to know of lancaster.ac.uk (there was a comment thread a while back where this was mentioned).

reply


This is a problem of the 1^4 resolver not implementing DNAME support (either not a priority, or just in the backlog): https://community.cloudflare.com/t/www-lancaster-ac-uk-not-r...

reply


Ongoing work with big companies to replace existing technologies don't convince me. Though, neither does whining when the authoritative nameserver itself is returning bogus responses.

reply


The problem is the archive.is (and other TLDs) server not returning any Good IP if the EDNS client subnet isn't present.

Would like to point out that Cloudflare's resolver is EDNS compliant, it just doesn't send the client subnet.

See: https://twitter.com/archiveis/status/1018691421182791680 (picture of tweet https://aws1.discourse-cdn.com/cloudflare/optimized/3X/8/2/8... )

Based on that tweet, the owner has a personal grudge against Cloudflare and is choosing to return bad results.

reply


I take back every bad thing I have ever said about mailing lists - at least it was easier to follow the drama than these damn twitter links.

reply


Text of tweet by @archiveis:

"Having to do" is not so direct here. Absence of EDNS and massive mismatch (not only on AS/Country, but even on the continent level) of where DNS and related HTTP requests come from causes so many troubles so I consider EDNS-less requests from Cloudflare as invalid.

reply


For additional context, here is the Cloudflare explanation about EDNS client subnets:

> EDNS Client Subnet > >1.1.1.1 is a privacy centric resolver so it does not send any client IP information and does not send the EDNS Client Subnet Header to authoritative servers.

Cloudflare's requests are of course perfectly valid, with @archiveis actively deciding not to service them.

reply


It has nothing to do with privacy, as the next thing following DNS resolution is establishing a TCP connection which always leaks full IP address to the same person or organization controlling authoritative servers. Basically EDNS is just a convenient way for DNS-based CDNs to provide a better edge node. But this is directly competing with Cloudflare, so Cloudflare invents excuses not to implement something that helps other CDNs.

reply


See the CEO's comment: https://news.ycombinator.com/item?id=19828702

> We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

So it's not just "Cloudflare benefits from pushing anycast" (even if that's part of it).

reply


So, what he claims is that state actors monitor traffic at certain locations, extract subnet information from DNS packets that only large centralized DNS resolvers include when query some authoritative servers that where probed to support that feature. That subnet is not a subnet of an end user IP address, but an IP address of a recursive resolver of that user's ISP. They have to correlate that information with a connection made from that ISP to a web server to track the user. What 1.1.1.1 brings here? State actors now can correlate an actual IP address sending data to 1.1.1.1, with a clear text DNS query going out of it, making tracking more reliable and simple and worse for privacy. And still worse for other CDNs.

Don't take Cloudflare's PR seriously, they are completely full of it. They used to be more honest, but those days are long gone.


That's not true.

Many setups proxy everything but dns traffic.

That's why this topic is a thing.

https://trac.torproject.org/projects/tor/wiki/doc/Preventing...

reply


The fallback should be to do GeoDNS based on the resolver's IP. In case of Cloudflare that's certainly good enough, since they've got 150+ POPs.

reply


Furthermore let's see this report:

https://ednscomp.isc.org/ednscomp/6ed2aca587

EDNS Compliance Tester says that archive.is has some issues.

https://dnsflagday.net

> Minor problems detected! > This domain does not support latest DNS standards.

reply


Could they send "generic" subnet or even better could they let user choose the subnet?

reply


For those curious about what is going on here...

Cloudflare has decided for privacy reasons they will not relay eDNS0 client subnet data - which yes, can reveal a portion of the IP of the requestor - but is used by CDN services in order to provide nearest servers or (in some cases) country specific content.

My guess here is archive.is feels they have some need to restrict what content is provided to where in the world, and as a result, without ECS in the request, takes you to a cname which essentially null routes you back to your local loop interface.

Source: Founder of DNSFilter.com - we support ECS, I coded it.

reply


>My guess here is archive.is feels they have some need to restrict what content is provided to where in the world

Couldn't that be done later, by blocking the actual HTTP TCP connections instead of blocking the DNS requests? Maybe it's an efficiency issue, that they want the higher-efficiency blocking by DNS rather than lower-efficiency blocking during HTTP TCP, but that seems a little strange to me.

reply


This has been a known issue for a while.

Unfortunately, Archive.is has to fix it from their nameservers and we cannot do anything from our side. You can ready more about it here: https://community.cloudflare.com/t/archive-is-error-1001/182...

Disclaimer: I work at Cloudflare

reply


I remember reading this a while back. It sounded more that archive.is was blocking Cloudflare (or at least not supporting it): https://community.cloudflare.com/t/archive-is-error-1001/182...

reply


Does anyone know why archive.is would block Cloudflare? Is it a technical issue, or does the owner of archive.is have some kind of grudge against them?

reply


Hard to tell from the outside, but archive.is did blacklist the whole of Finland a while back - due to personal grudge.

reply


Looks like it's a known issue https://community.cloudflare.com/t/archive-is-error-1001/182..., yet not been fixed for at least a year

reply


In response to that "unfixed" issue, they noted - in a timely manner, last year - that archive.is is returning bad IPs to them, which is preventing them from serving good IPs:

https://community.cloudflare.com/t/archive-is-error-1001/182...

> Nameservers responsible for archive.is (ben.archive.is, anna.archive.is) are returning answers tailored to the IP address of the requestor.

And indicate that anyone who knows how to contact archive.is can ask them to resolve the issue:

> If you have a contact on the domain owner, you can ask them to fix this.

EDIT: This is knowingly blocked by archive.is. Reasoning and discussion elsewhere in post comments. No need to contact archive.is about it, they’re clearly aware.

reply


Just like we consider it the kernel's fault if user applications break due to a change, I think it's the DNS resolver's fault if they're using a protocol that some popular sites don't support.

As soon as I realized they were causing this issue I just switched away. Other DNS providers don't have this issue.

reply


It doesn’t really seem to be the resolvers “using a protocol that [archive.is] doesn’t support”; it seems that archive.is responds to queries from Cloudflare’s systems with an incorrect response. How is Cloudflare meant to work around that kind of behavior?

reply


>"it seems that archive.is responds to queries from Cloudflare’s systems with an incorrect response."

What makes the response incorrect? I was under the impression that DNS implementations were under no "practical" obligation to return consistent queries to differing requester IP addresses (hence stuff like split-horizon DNS and EDNS: https://developers.google.com/speed/public-dns/docs/ecs )

reply


Sorry, to clarify: when archive.is receives a DNS lookup from Cloudflare’s resolvers, they reply with an IP in the 127.0.0.0/8 range, so the origin client is unable to connect (since those IPs aren’t routable over the internet).

reply


Thanks for the clarification on here + and the other posts, that makes perfect sense.

reply


https://twitter.com/archiveis/status/999788186904576002 claims that cloudflare isn't supporting a protocol that would enable it to work with their servers.

reply


That’s not an accurate read of archive.is’s behavior. EDNS is an optional feature.

archive.is has configured their nameservers to return invalid (127.0.0.0/8, from the looks of it) responses to Cloudflare requests because they’re protesting Cloudflare’s lack of EDNS, not because EDNS is somehow required to handle the requests.

For context: EDNS sends the origin IP address of the DNS client through the resolver. Cloudflare has it disabled because of the privacy implications of sending it along.

reply


The right thing for cloudflare to do then is fake the EDNS field so that they get a valid response.

Maybe cloudflare doesn't want to code an ad-hoc solution just to fix one site. But that doesn't matter to the customer, who just wants it to work.

reply


This diverges pretty hard from your earlier comparison, between this scenario and the Linux kernel breaking userspace.

If a dev updates their code so it won’t run unless an kernel flag is enabled, the kernel hasn’t broken userspace, and kernel devs are unlikely to add a “fake-enabled-flag” to trick the userspace program, even if it’s popular.

Likewise, I don’t expect my DNS resolver to add in custom behavior if upstream DNS servers make breaking changes like this. In fact, I very much prefer the opposite: my DNS service should be as dumb as possible. I don’t want it making choices about how to modify DNS queries I do, or their results.

If an upstream site broke their DNSSEC config, would you lobby for Cloudflare to modify the results so resolution succeeded for their users?

reply


Besides, my reading is:

Every other resolver supports EDNS

Archive.is only works with resolvers that support EDNS

Cloudflare decided not to support EDNS

That itself is a defendable decision but I do feel for a popular site they could implement some sort of fix.

reply


Notably, Level3 and Hurricane Electric both appear to not use ECS, and archive.is resolves properly from those. Which seems to clarify that this isn’t a technical requirement for archive.is to work, it’s an intentional protest by the archive.is operators against Cloudflare.

reply


Cloudflare does support EDNS. They just don't forward the client's subnet due to being privacy-oriented, doing which is optional and perfectly valid.

reply 


    dig @carl.archive.is archive.is A +noedns
responds 134.119.220.26

    curl http://134.119.220.26 -H 'Host: archive.is' -v
responds with HTML of the site.

I'm not a dig expert, but I believe this means it works without EDNS. I think that means archive.is is specifically blocking Cloudflare's servers, not blocking all non-EDNS requests.

reply


If every other resolver works, then I expect Cloudflare to work.

The kernel hardcodes plenty of hacky things to get specific hardware to work.

reply


Archive.is does not appear to specify in detail what operational issues result from the missing client subnet EDNS data. We can speculate, though. Is it for data harvesting purposes, or for global load balancing concerns? Are users complaining due to some unknown side effect? Are localized in-country-firewall servers receiving traffic from out-country clients?

reply


Cloudflare DNS does not support EDNS Client Subnet[1], so archive.is returns invalid IP address for Cloudflare IPs[2]

[1] https://developers.cloudflare.com/1.1.1.1/nitty-gritty-detai...

[2] https://twitter.com/archiveis/status/1018691421182791680

reply


Previous discussion here: https://news.ycombinator.com/item?id=17742457

reply


Cloudflare returns a proper response for me.

  nslookup archive.is 1.1.1.1
  Server:  1.1.1.1
  Address: 1.1.1.1#53

  Non-authoritative answer:
  Name: archive.is
  Address: 134.119.220.26

reply 


    dig @1.1.1.1 archive.is
    
    ; <<>> DiG 9.14.1 <<>> @1.1.1.1 archive.is
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46862
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,     ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1452
    ;; QUESTION SECTION:
    ;archive.is.                    IN      A

    ;; ANSWER SECTION:
    archive.is.             2998    IN      A       127.0.0.4

    ;; Query time: 52 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Sat May 04 21:03:36 CEST 2019
    ;; MSG SIZE  rcvd: 55

    dig @8.8.8.8 archive.is

    ; <<>> DiG 9.14.1 <<>> @8.8.8.8 archive.is
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5893
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,     ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;archive.is.                    IN      A

    ;; ANSWER SECTION:
    archive.is.             299     IN      A       94.16.117.236

    ;; Query time: 79 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sat May 04 21:04:28 CEST 2019
    ;; MSG SIZE  rcvd: 55

reply


It's possible your ISP is intercepting all traffic for port 53 and sending it to their own nameservers (which do send client subset) instead of you actually taking to cloudflare's 1.1.1.1 at all.

reply


Links for documented instances of this practice?

reply


I don't know of any particular popular concrete instance, but why is it hard to believe? It's trivial to implement and would be brought to you by the same people who think serving ads for NXDOMAIN is a good idea.

https://www.dnsleaktest.com/what-is-transparent-dns-proxy.ht...

reply


That link was useful, thank you. I don't find it hard to believe technically, but it strikes me as a fundamentally different practice than what I'd head of before. If I request for traffic to go to a certain IP, I expect it to be sent to that IP. MITMing and manipulating that traffic is bad, but not delivering it at all is qualitatively different. I suspect it could be grounds for a serious civil or criminal action.

reply


https://labs.ripe.net/Members/babak_farrokhi/operator-level-...

reply


Not for me:

    Server:  1.1.1.1
    Address: 1.1.1.1#53

    Non-authoritative answer:
    Name: archive.is
    Address: 127.0.0.4

reply


I tried Cloudflare's DNS for a week or so and noticed lots of sites that were blocked. I ended up creating my own DNS server that I run on a VPS.

reply


In Firefox I'm using DNS over HTTPS ( https://mozilla.cloudflare-dns.com/dns-query ) and there is no issue accessing archive.is. Actually I wanted to query archive.is manually but I don't know how to do it in DoH.

reply


https://developers.cloudflare.com/1.1.1.1/nitty-gritty-detai...

>EDNS Client Subnet

>1.1.1.1 is a privacy centric resolver so it does not send any client IP information and does not send the EDNS Client Subnet Header to authoritative servers.

What does this mean?

reply


https://tools.ietf.org/html/rfc7871

reply


[flagged]


...you know that Cloudflare terminated their service, right?

https://blog.cloudflare.com/why-we-terminated-daily-stormer/

reply


And even if they hadn't, how would that make them "Nazi-friendly"? I've always supposed Cloudflare is meant to be neutral. They only kicked out DS because they were stupid enough to pretend CF was endorsing them.

And well, in any case this is unrelated to this thread...

reply




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: