EDNS Client Subnet

EDNS Client Subnet (ECS) is an option in the Extension Mechanisms for DNS (EDNS) that allows a recursive DNS resolver to specify the subnetwork of the host or client on whose behalf it is making a DNS query. It is generally intended to speed up the delivery of data from content delivery networks (CDNs) by allowing better use of DNS-based load balancing to select a service address near the client when the client computer is not necessarily near the recursive resolver.

When an authoritative name server receives a DNS query carrying the option, it uses the client subnet to resolve the hostname to a CDN node that is geographically near the client's IP subnet, so that the client's subsequent requests go to a nearby node, reducing latency. The resolver normally sends only a prefix of the client's address rather than the full address, and the authoritative server's reply carries a scope prefix length stating how much of that prefix the answer actually depended on; the resolver uses that scope to cache the answer for the matching network only. The EDNS Client Subnet mechanism is specified in RFC 7871.

Privacy and security implications

Because ECS provides client network information to the upstream authoritative DNS server, the extension reveals some information about the client's location that the authoritative DNS server would not otherwise be able to deduce. The same client network information also becomes available to transit networks between the client's recursive resolver and the domain's authoritative server. Security researchers have suggested that ECS could be used to conduct internet surveillance. ECS may also be exploited to perform selective DNS cache poisoning attacks intended to re-route only specific clients to a poisoned DNS record.
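The option layout and the scope-based caching described in the two sections above, as an added worked example in Python that is not part of this article, of RFC 7871 or of any resolver's code: it encodes and decodes the ECS option with the validity checks RFC 7871 asks a server to apply, truncates a client address the way a privacy-conscious resolver does before forwarding it, and then uses a constructed scenario (no real traffic, and the poisoning race itself is not simulated) to show why a forged answer carrying a narrow SCOPE PREFIX-LENGTH is cached only for one subnet. The function and class names, the hostname and the addresses (documentation ranges) are assumptions made up for the example.

```python
"""EDNS Client Subnet (RFC 7871) option: wire format, validation, and the
scope-keyed cache that makes targeted cache poisoning possible.
Added example; not code from the article, RFC 7871 or any resolver."""
import ipaddress
import struct
from dataclasses import dataclass

ECS_OPTION_CODE = 8   # EDNS0 OPTION-CODE assigned to Client Subnet (RFC 7871, section 6)
FAMILY_IPV4 = 1       # FAMILY values follow the IANA Address Family Numbers registry
FAMILY_IPV6 = 2


@dataclass(frozen=True)
class ClientSubnet:
    family: int
    source_prefix: int   # SOURCE PREFIX-LENGTH: how many address bits are sent
    scope_prefix: int    # SCOPE PREFIX-LENGTH: 0 in queries; set by the server in replies
    address: bytes       # ADDRESS: ceil(source_prefix / 8) octets, spare bits zero

    def network(self):
        """The subnet the option describes, as an ipaddress network object."""
        full = 4 if self.family == FAMILY_IPV4 else 16
        padded = self.address + b"\x00" * (full - len(self.address))
        return ipaddress.ip_network(f"{ipaddress.ip_address(padded)}/{self.source_prefix}")

def make_option(client_ip: str, max_v4: int = 24, max_v6: int = 56) -> ClientSubnet:
    """What a privacy-conscious resolver sends: the client address truncated to at
    most /24 (IPv4) or /56 (IPv6), the defaults RFC 7871 recommends, with SCOPE 0."""
    addr = ipaddress.ip_address(client_ip)
    prefix = max_v4 if addr.version == 4 else max_v6
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)   # zeroes the host bits
    return ClientSubnet(family, prefix, 0, net.network_address.packed[: (prefix + 7) // 8])

def encode_option(cs: ClientSubnet) -> bytes:
    """Serialise one EDNS option: OPTION-CODE, OPTION-LENGTH, then the ECS body
    FAMILY | SOURCE PREFIX-LENGTH | SCOPE PREFIX-LENGTH | ADDRESS."""
    if len(cs.address) != (cs.source_prefix + 7) // 8:
        raise ValueError("ADDRESS must be exactly ceil(SOURCE PREFIX-LENGTH / 8) octets")
    body = struct.pack("!HBB", cs.family, cs.source_prefix, cs.scope_prefix) + cs.address
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def decode_option(wire: bytes) -> ClientSubnet:
    """Parse one EDNS option and apply RFC 7871's validity rules. A server that
    sees any of these violations should answer FORMERR, so each one raises."""
    if len(wire) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack("!HH", wire[:4])
    body = wire[4:4 + length]
    if code != ECS_OPTION_CODE or len(body) != length or length < 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", body[:4])
    address = body[4:]
    max_bits = {FAMILY_IPV4: 32, FAMILY_IPV6: 128}.get(family)
    if max_bits is None or source > max_bits or scope > max_bits:
        raise ValueError("unknown FAMILY or prefix length too long")
    if len(address) != (source + 7) // 8:
        raise ValueError("ADDRESS has too few or too many octets")
    spare = len(address) * 8 - source          # padding bits in the last octet
    if spare and address[-1] & ((1 << spare) - 1):
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
    return ClientSubnet(family, source, scope, address)

def is_valid_option(wire: bytes) -> bool:
    """True if decode_option accepts the bytes; False where FORMERR would be sent."""
    try:
        decode_option(wire)
        return True
    except ValueError:
        return False

class ScopedCache:
    """Answer cache keyed as RFC 7871 section 7.3 describes: per name, by the
    network obtained by applying the reply's SCOPE PREFIX-LENGTH to the address
    the resolver sent. SCOPE 0 means the answer is valid for every client."""

    def __init__(self):
        self._entries = {}   # name -> list of (network, rdata)

    def store(self, name: str, sent: ClientSubnet, scope: int, rdata: str) -> None:
        scope = min(scope, sent.source_prefix)   # example's choice: we hold no bits beyond what we sent
        net = ipaddress.ip_network(f"{sent.network().network_address}/{scope}", strict=False)
        self._entries.setdefault(name, []).append((net, rdata))

    def lookup(self, name: str, client_ip: str):
        """Most specific cached network covering the client, or None."""
        addr = ipaddress.ip_address(client_ip)
        hits = [(net, rd) for net, rd in self._entries.get(name, [])
                if net.version == addr.version and addr in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def poisoning_demo() -> dict:
    """Constructed scenario, not captured traffic: the genuine answer arrives
    with SCOPE 0; a forged answer (the race itself is not simulated) carries
    SCOPE 24, so it is cached only for the /24 the resolver had sent."""
    cache = ScopedCache()
    sent = make_option("203.0.113.77")                      # resolver sends 203.0.113.0/24
    cache.store("www.example", sent, 0, "198.51.100.10")    # genuine record, scope 0
    cache.store("www.example", sent, 24, "192.0.2.66")      # forged record, scope /24
    return {"victim": cache.lookup("www.example", "203.0.113.200"),
            "other": cache.lookup("www.example", "192.0.2.9")}

if __name__ == "__main__":
    print(encode_option(make_option("203.0.113.77")).hex())
    print(poisoning_demo())
```

Two design points worth noting. The decoder rejects padding bits that are not zero and address fields of the wrong length because those are the cases RFC 7871 tells a server to answer with FORMERR, and a lenient parser would let two different encodings of the same subnet produce different cache keys. The cache keys on the network derived from the reply's scope, not from the source prefix the resolver sent, which is exactly why a forged reply with scope /24 reaches only clients in 203.0.113.0/24 while everyone else keeps getting the genuine record.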
Controversy over lack of support

The owner of the self-serve web archiving tool Archive.today has expressed concern over Cloudflare's 1.1.1.1 resolver not passing the contents of this field on to the authoritative DNS server for Archive.today, and has in response configured the site's authoritative DNS servers to treat Cloudflare's DNS requests as invalid, effectively blocking 1.1.1.1 from resolving the website's DNS records. The owner of the site believes 1.1.1.1 too often routes recursive DNS requests in a non-geographically-optimal way, causing poorer connectivity than if the feature were available at all times. Cloudflare CEO Matthew Prince cited privacy concerns as the reason for 1.1.1.1 not supporting ECS.

References

1. "How it works". A Faster Internet. Archived from the original on 2018-03-28. Retrieved 2018-03-27.

2. "EDNS Client Subnet (ECS) Guidelines | Public DNS | Google Developers". Google Developers. Retrieved 2018-04-02.

3. Kintis P, Nadji Y, Dagon D, Farrell M, Antonakakis M (June 2016). "Understanding the Privacy Implications of ECS" (PDF). Detection of Intrusions and Malware, and Vulnerability Assessment. Lecture Notes in Computer Science. Vol. 9721. Springer. pp. 343–353. doi:10.1007/978-3-319-40667-1_17. ISBN 978-3-319-40667-1.

4. @archiveis (July 16, 2018). ""Having to do" is not so direct here" (Tweet), via Twitter. "Absence of EDNS and massive mismatch (not only on AS/Country, but even on the continent level) of where DNS and related HTTP requests come from causes so many troubles so I consider EDNS-less requests from Cloudflare as invalid."

5. Matthew Prince (4 May 2019). "Comment by Matthew Prince on Hacker News". Hacker News. Retrieved 4 October 2021. "We don't block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service. Archive.is's authoritative DNS servers return bad results to 1.1.1.1 when we query them. I've proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service. The archive.is owner has explained that he returns bad results to us because we don't pass along the EDNS subnet information. This information leaks information about a requester's IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We're aware of real-world examples where nation-state actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1. EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare's entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets. We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we'd be happy to consider them."