Note that if you use 1.1.1.1, you apparently can't visit archive.is links. I'm not sure why, but around a dozen people on HN have confirmed this. (At least as of a couple months ago.)
I think the world could use more alternatives to 8.8.8.8. Hopefully 1.1.1.1 will become more reliable as the years tick by.
(Do you use something besides 8.8.8.8 or 1.1.1.1? If so, post it here! Collecting reliable DNS servers might be a niche hobby, but it's a fun one. I was going to suggest 9.9.9.9 aka Quad9, but apparently it comes with strings attached. https://news.ycombinator.com/item?id=16728214)
Cloudflare doesn't support the DNS Extension that sends part of clients' IPs to the upstream resolver (https://en.m.wikipedia.org/wiki/EDNS_Client_Subnet). Cloudflare believes this is better for privacy.
Archive.is doesn't like this (because it prevents DNS-based CDN routing), and thus has a hardcoded exception to intentionally return bogus results to Cloudflare's resolvers.
I think it's also worth noting that Cloudflare's implementation is EDNS compliant. The EDNS extension for sending the client subnet is explicitly optional in the standard.
Cloudflare's lack of EDNS doesn't prevent DNS based routing. It can still be done based on the DNS request's source address. This will be the IP of the Cloudflare POP closest to the client.
Lack of EDNS only makes DNS based routing slightly worse if your CDN has a POP density similar-or-greater-than Cloudflare's.
Correct. Cloudflare's POP routing is quite extensive, and I'd be shocked if archive.is had more than a handful of backends it's routing to.
Even so, why would an extra few dozen ms matter at all? Archive.is appears to be spindle-limited, is a client with marginally higher RTT an issue? The admin is silly.
It seems so silly and mysterious that it makes me wonder if archive.today wants exact client IP addresses for some other unstated reason. (It's not clear how/if archive.today, a possibly illegal site, brings in revenue?).
> it makes me wonder if archive.today wants exact client IP addresses for some other unstated reason
They still get the client ip from the request to the service itself (unless you're using a VPN, but if you're using a VPN then archive wouldn't get your ip from your DNS request either).
You could probably take their network map SVG and convert the circle coordinates from integer Mercator projection points to lat/lon pairs, and then map them to cities.
There are two missing facts here that change the story quite a bit:
- In addition to not supporting EDNS, Cloudflare sends DNS requests from effectively random PoPs, so the recipient doesn’t know even the visitor’s nationality.
- The reason archive.is doesn’t like this is it makes them vulnerable to DoS attack.
If I understand this correctly, that's hilarious -- Cloudflare is essentially saying that nobody can layer their own cloudflare-like offering on top of their DNS. Edge-routing is their bread and butter!
If you want to use the client's IP geolocation to resolve a CNAME to an edge server, this blocks you from doing so. You have to buy Cloudflare's products to get this benefit, and use their edge servers.
> We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.
We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security.
I do think that this has the effect of locking customers into Cloudflare's geoip data, which seems a little sketchy. The operator of archive.is claims that the data itself is bad[1] but I can't speak to his biases or motivations.
If the data is incomplete or bad, then you gain an advantage by using Cloudflare's services over rolling your own or using a competitor if a large number of customers are using their DNS, so I think the original point does stand. And if you are a competitor, your ability to compete with greater edge capacity or more targeted edge capacity is nonexistent.
Let's say you have more fine-grained capacity in a given metro than Cloudflare has in an attempt to provide additional value in that metro than Cloudflare can offer. You are blocked from doing so if endusers are using Cloudflare DNS.
I don't know if this is happening at the moment, but it's pretty clear that there is no real incentive to even attempt this given that you simply will not be able to offer any benefits because you don't have the data.
Who would set up ( or use) a dns that is better in 1 metro in the world? Do you?
The example given doesn't make any sense.
You're just giving an ideological example. Not one that occurs in the real world.
Here is one that actually happens: Using cloudflare DNS to protect privacy is one that occurs in the real world and eg. Apple is using them for exactly that.
But let's repeat:
> We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security.
> We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security.
---
I don't know what happened between that statement and now. Since they were working together with eg. Google to solve it.
99% of the time I just talk directly to the root servers from my home network and pre-cache the most popular places I visit. Unbound also supports DoH but most distributions of Linux do not enable that compile time flag in their Unbound package build and I have long since stopped compiling things as most distributions finally started using the right security options in their builds. I also have DoT running at home which the cell phone figured out on it's own.
I keep DoT Unbound DNS running on several VPS providers that also talk directly to the root servers just in case. Useful for cell phones. My ISP is a tiny community ISP and would never filter any results and DNS privacy is just one tiny piece of browsing habits. Until encrypted SNI is fully adopted by all SSL libraries and applications they can still see where I browse unless I am using my own Tinc VPNs or SSH tunneling.
I prefer to use my own server as I can optimize cache hit ratios for the things I request. This makes the internet perceptibly faster for me and others on my network. I can also pull statistics from my server whereas I would have to beg someone at the ISP for that data as a one-off request. This also gives me the option to block domain names used for dark patterns or outright malevolent behavior. I also have control over the upper and lower limits of cache and I can flush to cache if a website is still relying upon DNS failover vs BGP Anycast but I have not run into that for about a decade.
Speaking of stats, I can also see what IoT/Cell devices are requesting to keep an eye on their behavior and look for interesting patterns of DNS requests.
I have honestly never used the ISP DNS servers so I don't know what their performance is like. It's just muscle memory for me to set up my own home Linux router to be a DNS server. I highly doubt they could top the performance of Unbound and cron-jobs that request commonly used records on an hourly basis. I do know that my performance is better than talking to the DoH/DoT servers on the internet. The cached record response time is in microseconds vs 23ms for CF and non cached response time is generally between 50ms and 70ms vs 80ms to 160ms for CF not-cached.
Another nifty option in Unbound is to cache the "Infrastructure" records and to "Keep Probing" multiple nodes. This combines into a nice balance of speed and resilience especially if someones name server is having a moment but their status page is green.
unbound-control dump_infra|wc -l
1235
These numbers are thrown off a bit by my cron jobs that are requesting things that I am not visiting all the time and when the authoritative record is sub 3600 seconds. They are requested hourly. Some of the government domains in my cron job seem to be throwing off the curve, I will reach out to them.
Yeah, local caching is a good point if your operating system(s) doesn't already do it in the DNS client.
> This also gives me the option to block domain names used for dark patterns or outright malevolent behavior.
I wonder how long this will actually remain possible, given that with DoH it now seems entirely feasible for websites to provide their own application-level DNS resolver?
I wonder how long this will actually remain possible, given that with DoH it now seems entirely feasible for websites to provide their own application-level DNS resolver?
For me, forever. Applications can not bypass my DNS unless they are hard coding IP addresses in the application. Windows Update does have some hard coded IP addresses it can fall back on.
It is often said that DoH can't be blocked because in theory it can be hosted on any generic CDN IP pool but to my knowledge this has never been the case. It's quite the opposite, most DoH/DoT providers try to use vanity IP addresses. I null route them and NXDOMAIN the canary domain use-application-dns.net which is entirely optional but a nice gesture to applications to behave. Some vendor may decide one day to host their own DoH/DoT servers but I suspect I would learn about them. I would likely just avoid buying/using that device/application.
Perhaps some day a DoH provider may be so bold as to use a generic CDN pool and I will have to address that issue when it arises. I suspect this would be more challenging for the provider as the app/device will need a way to discover this pool DNS name, HTTP headers, API calls, etc... unless they hard code IP's. Either way I could dynamically null route them.
That is a good write-up on Paul's comments. I think he has an account here on HN. I recall discussing similar concerns here on HN when the protocol was first being discussed but I think most of my concerns were largely ignored. People were enamored by the idea of DoH but I see it as exacerbating a few problems.
It does not really address the issue of privacy unless one is only making DNS requests and not doing anything with said DNS results, as encrypted SNI is still not widely adopted. I guess I would call that cart before the horse. It does not prevent an abusive ISP from blocking access to a site as they can just block all the DoH resolvers or just NXDOMAIN the canary domain which also turns it off by default on most browsers. The bigger issue to me is that it doubles the number of organizations that can track behavior. Now my ISP gets this data and so does Cloudflare if I am the type to leave things default as most people are and they know it. CF may not wish to block something but should they receive a court order from any country they do business in then most people will lose access to something. That could be a future phase we have not yet reached due to mass adoption not reaching a set goal at this time. This is also a one-stop-shop for law enforcement to gather browsing data vs. having to issue a court order to each ISP.
Some people mention it protects against rogue nations but they are by far the last people that DoH would be useful for. Rogue / bad / totalitarian nations will just null route anything they suspect to be a DNS servers not in their control and will extract people from their homes to re-educate them. In a way I can see DoH as being a risk to people in such situations. Meaning they could be accused of bypassing some state level control and may not even realize they were.
In my opinion DoH/DoT should have been highly customizable in a GUI before it was ever implemented and default-off, default opt-out settings and instead if the browser or ideally the OS recognizes it is in a shared WiFi then maybe prompt the person to temporarily enable DoH. That's another issue, it's in the browser and not the OS. So the browser gets protection but nothing else does at least for the last few years. That is coming soon to some operating systems. Curious if they make it obvious what DNS partnership is in place.
> Applications can not bypass my DNS unless they are hard coding IP addresses in the application.
That's what I mean: What if websites and applications just start querying IP addresses for the hostnames they want to connect to over DoH (to api.someapp.com, so you can't distinguish it from a regular API call that you want to allow for the app to work), and then connect to the resolved IP directly?
I reroute all DNS queries attempting to leave my network to my DNS server. It won't work in scenarios where there is DoH without user consent, however at that point I should reconsider purchasing such hostile devices.
Then I reach out to them and say something to the effect of, "Hey, nice application/device you have there! In order for anyone on my network to utilize this app/device the DNS would need to be put back into your DNS servers and removed from the API records." Of course they will laugh at me but that is fine given that 100% of the internet and internet connected devices are entirely optional for me. It is unlikely that a statistically significant number of people would use this heavy handed approach. Or perhaps I am OK with their API method and make use of their API that bypasses DNS. This probably depends on if this is malicious or not. i.e. serving ads or malware
Another heavy-handed option would be to force all traffic through a MITM proxy which I have done in the past. Any device that can't have my CA cert loaded would be a paperweight and thus returned to Amazon with less than 5 stars and a review that details the DNS implementation which most customers would not care about or understand but my fellow cranky network admins may find useful. If it's a website then I would just not use it. Some businesses take this approach. There are both commercial and open source solutions for this. Look for Squid SSL-Bump MITM proxy if one is curious. This requires bypasses for domains still using public key pinning which is an insignificant number of them. Most have moved away from HPKP due to the induced fragility and risks.
There are other methods but they come with security implications such as decompiling applications, shimming something into it or pre-loading libraries to do the same thing but this usually requires rooting a device and potentially compromising security as the vendor signing may be removed. I'm sure some of the mobile developers here have more elegant and secure methods.
I doubt many would do any of this of course, but you asked.
But your home DNS server has to talk to some other server to get the IPs right? Usually it's like DNSMasq configured to cache and forward requests to 8.8.8.8 or whatever.
Is there some other option where you talk directly to the top level DNS root and the nameservers directly??
Edit: my bad you said you talk to the root servers directly. Not sure how to delete comments
Edit: my bad you said you talk to the root servers directly. Not sure how to delete comments
It's still a valid question. You are right, one has to bootstrap the root servers. There are a few ways to do this. Assuming one had working DNS server at some point in the past they can
and then do sanity checks on the output prior to loading it as hints in Unbound DNS. The 3K or so root servers are Anycast IP addresses and rarely change so this file will not be stagnant for a very long time thus making thumb drives a valid way to store and transfer this file.
That is useful for the initial bootstrapping but should be updated or at least validated a few times a year. If package maintainers are updating it a few times a year that works too.
> Note that if you use 1.1.1.1, you apparently can't visit archive.is links. I'm not sure why, but around a dozen people on HN have confirmed this. (At least as of a couple months ago.)
I’m a big fan of NextDNS, ad filters, logs (or not), block list, allow list, multiple profiles, parental-ish controls. They have binaries to add support for DoH to my router. I literally couldn’t be happier with a DNS provider.
My one gripe is with the block / parental controls interface.
Let’s say you want to block Peacock, and there’s a bunch of urls you want to block, each is it’s own individual rule. If you accidentally delete one instead of disable it, it’s gone. If you can remember the url you accidentally deleted, now it’s placed at the top of the list, out of order. There appears to be no log of changes you make. It would be nice to be able to add custom parental controls with sets/bundles of urls.
Also you can’t toggle or package ad blocking rules, only delete and add. Sort of the same interface complaint as above. I have to go in and delete four ad blocking packages every time I want to watch Paramount+. Then go find them again when I am done.
the marketing copy on dns0 is lol considering the many ISP data retention schemes across EU states.
> The European public DNS that makes your Internet safer.
> A free, sovereign and GDPR-compliant recursive DNS resolver with a strong focus on security to protect the citizens and organizations of the European Union.
> In a decree made public today, French Prime Minister Élisabeth Borne has extended the temporary retention of communications data of all citizens in France for another year. The blanket retention obligation concerns identity data (surname, first name, date and place of birth, postal address(es), e-mail address(es), telephone number(s)) as well as payment information, connection data (IP addresses, port numbers, identification numbers of users and their devices, date, time and duration of each communication, data on supplementary services and their providers)
300k is a lot to be fair. And if that’s not enough it’s something like 20$ a year. It’s the only way I found to block ads (except in YouTube) on the iPhone.
Switched off 1.1.1.1 for that reason a while back. Currently using OpenDNS which is now unfortunately owned by Cisco. Definitely a lack of actually open alternatives.
Indeed, this is my preferred solution too. Unfortunately this doesn’t protect one from snooping by network intermediaries, although that’s much less of an issue in the EU due to privacy regulations. At least in principle, but it’s hard to be sure.
Run your own resolver on a vpc (perhaps in a different country, pay with bitcoin, adjust on your level of concern) and WireGuard to it (perhaps WireGuard over a service like mullvad)
I used to use OpenDNS, but then out of nowhere they decided to enable parental control by default[1] and without an account I don’t think I could disable it.
I run Pihole. How does it solve upstream DNS provider troubles; it still needs / uses them? I'll admit there's a lot of Pihole config I have not explored.
I have set up Cloudflare DoH in my router, I block other popular DoH servers on my network and I also redirect any other DNS queries (UDP 53) to my router's DNS (which in turn uses Cloudflare).
And at least in my region (EU) I did not notice any issues with 1.1.1.1.
Maybe your computer ignores the DNS resolver address suggested by your router? You can check with dig what resolver you’re using, if you’re on a Unix-like system.
Well. I used archive.is a lot. But Cloudflare has a point by not making a specific adjustment to fix the archive.is issue ( since it's on archive.is their end).
As a "collector of reliable DNS servers"^1 I can report there are DoH servers that will actually take a traditional DNS query that does not support EDNS0 and, perhaps using the client IP from the TCP connection, return a response that includes EDNS0 Client Subnet (ECS). Whether the DoH provider is sending the ECS to authoritative servers I do not know, but to me it is quite sad to see this being returned in the response given I did not request it. Anyway, ECS is supposedly the reason 1.1.1.1 does not include DNS data for archive.is
The site once used a tracking pixel as a poor mans ECS. The client IP address was inserted into the image name. Apparently the operator of the site explained this was used to achieve CDN-like functionality:
1. Perhaps we should be clear that "servers" here means open resolvers. These servers are of course not authoritative for any name, and generally recursion is slower than iteration, i.e., use of authoritative servers only (fee free to challenge me on this and I will share a citation, although I know this is true from own experiments). Thus "reliable" is perhaps ambiguous. Not all of them always return the same results. Some will return different answers, and not always for "load balancing" reasons. Some may be missing data entirely. Some will return wrong answers, e.g., pretending to be authoritative. Much DNS funny business on the internet today. I gather results from a variety of resolvers, from authoritative servers as well as other sources of DNS data, e.g., public zone files, scans and crawls, and I compare notes; I personally would not feel comfortable using one open resolver (third party DNS) as the source for all DNS data; I could not rely on it. As such, "reliable" is IMHO a loaded term if used to describe open resolvers.
Cloudflare is in the wrong here. Archive.is had to develop a unique CDN system to protect against illegal content being uploaded and immediately reported, which led to server seizures and downtime. Cloudflare's DNS disrupts this system, putting archive.is at risk. Archive.is even offered to proxy Cloudflare DNS users via their CDN, but Cloudflare rejected the proposal. This leaves archive.is in a vulnerable position, and it's unreasonable to expect them to register their own autonomous system just to fix this issue.
I was using Cloudflare DNS for a while until learning it was the cause of archive brokenness, switched to Google DNS, and recently have started trying out Adguard DNS just out of curiosity of trying out DNS-over-QUIC (requires a VPN app that supports that). Can't say whether it's better or worse but always fun to try out a new tech.
Duuuuuude, thank you so much! I was using 9.9.9.9 and it didn't work for me at all. Got stuck in a loop with the captcha for months now. Archive.is is essential for me. Using 9.9.9.11 fixed it for me.
I think the world could use more alternatives to 8.8.8.8. Hopefully 1.1.1.1 will become more reliable as the years tick by.
(Do you use something besides 8.8.8.8 or 1.1.1.1? If so, post it here! Collecting reliable DNS servers might be a niche hobby, but it's a fun one. I was going to suggest 9.9.9.9 aka Quad9, but apparently it comes with strings attached. https://news.ycombinator.com/item?id=16728214)