tl;dr: No. Quite the opposite, actually — Archive.is’s owner is intentionally blocking 1.1.1.1 users.

CloudFlare’s CEO had this to say on HackerNews:

We don’t block archive.is or any other domain via 1.1.1.1. […] Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service. […] The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users.

I am mainly making this post so that admins/moderators at BeeHaw will consider using archive.org or ghostarchive.org links instead of archive.today links.

Because anyone using CloudFlare’s DNS for privacy is being denied access to archive.today links.

https://ghostarchive.org/archive/PmSkp

  • jarfil@beehaw.org
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    1 year ago

    actively scrapes articles from behind paywalls, using a bank of credentials it has […] more like sci-hub

    I see… not sure I approve, but I see.

    use a VPN

    That’s precisely one of the issues with EDNS, already described 10 years ago:

    • DNS leaks when using a VPN
    • DNS Cache timing attacks
    • Network scanning
    • DDoS amplification
    • Cache pollution

    (https://00f.net/2013/08/07/edns-client-subnet/)

    From the CEO’s reply on YC:

    We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.

    (https://news.ycombinator.com/item?id=19828702)

    Seems like dropping the originating address is a reasonable action on their part.

    Only thing they could possibly do, would be to replace the originating address with the address of the particular DNS resolver in their network, which they said they had 180 of… but that would still reveal your geographic area in case of a VPN leak.

    On the other hand, if you don’t care about any of that, why not use Google’s 4.4.4.4?

    • Pleonasm@programming.dev
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      The reason I’m saying use a VPN is because you’re presumably visiting the site anyway, so leaking your full IP to them anyway. You can route your DNS lookups through what server you like, obviously. (Again, the privacy issue would be not that you’re leaking part of your IP to archive.is, but to everyone in the chain of recursive DNS resolvers). You could use TOR too, I think even in this thread someone posted a TOR url for it.

      Cloudflare do make the DNS queries from 1 of their 180 locations, so there is some information being passed through about where the request is coming from in terms of load balancing.

      I’m not arguing that Cloudflare are doing the wrong thing by omitting ECS data in general. Just that site owners have a right to do as they like WRT people using their website and if that includes blocking Cloudflare, so be it. What he is doing is not legal (or at least grey area) in many countries so anything that makes his life easier is understandable IMO.

      Also, ECS leaking does not seem like a real concern for the vast majority of people surfing the net.

      Lastly I don’t think Google own 4.4.4.4, did you mean 8.8.4.4?

      • jarfil@beehaw.org
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        I know what you meant with the VPN. Just saying that CloudFlare is using the VPN leakage case to justify not supporting ECS. As for the rest of the problems, DNS servers that suport ECS, hopefully have already implemented countermeasures.

        Indeed Archive.is is free to block whoever he wants… he’s just using a weird argument, particularly when there is an onion address for it, which is kind of the opposite of a CDN… or I don’t understand his side completely. It feels to me like both sides are sticking to their stances, when either or both could fix the issue without much of a problem.

        I don’t think Google own 4.4.4.4, did you mean 8.8.4.4?

        Damn. Yeah, I meant 8.8.8.8 and 8.8.4.4. Brain fart.

          • jarfil@beehaw.org
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            1 year ago

            DNS server returns not the closest IP to the request origin but the closest IP abroad, so any takedown procedure would require bureaucratic procedures so I am getting notified notified and have time to react.

            Oh, so he’s not using a CDN, but a sort of “anti”-CDN.

            attacks where people upload illegal content

            I offered them to proxy those CloudFlare DNS’s users via their CDN but they rejected.

            Wonder why 😆

            Yes, that holds up to scrutiny pretty well.

            After “I’ve proposed we just fix it on our end …” all requests for 7 archive.* domains are sent from Symantec USA IP

            …and that’s a dick move on part of CloudFlare.