Previous discussion concerning this, which includes replies from Cloudflare: https://news.ycombinator.com/item?id=19828317
This link and the two answers within demonstrate something important, broader than the DNS related issue at hand.

Both make implicit assumptions. One assumes the worst of Cloudflare and thinks “what’s the worst reason Cloudflare could have for doing this. How do they profit off this?” And the other assumes that Cloudflare has good intentions.

Neither answer is technically wrong. Both flow logically from their initial assumptions. But it shows how different our conclusions can be depending on where our initial biases lie. For the person who believes the first answer and says “prove to me that Cloudflare isn’t doing something nefarious”, it’s not possible. The analysis is correct and can’t be challenged unless the initial assumption is challenged. And for people who <i>strongly</i> believe that Cloudflare has bad intentions, nothing can be done to change their mind.

In this example it’s Cloudflare but it applies to any person or organisation that we feel strongly about.
> I consider EDNS-less requests from Cloudflare as invalid.

If your site depends on a DNS extension that's only 3.5 years old (and designed to be optional), I think it's fair to say your site is just offline for some users due to a config mistake.

You're free to set up your servers however you like, but there's wisdom in Postel's law.
I really don't see this as a problem of Cloudflare.

End users switching to Cloudflare's DNS endpoint are doing so because they feel the DNS provider is both faster and more secure.

They rightly made the decision NOT to pass on the end user's IP information to the upstream DNS server. I agree with this decision and they are acting in my best interests in doing so. To draw some kind of nefarious intention from this is absurd.

Until Cloudflare are proven to be nefarious actors, I'll continue to use their service.
I'm with some of the people on Twitter: It seems weird (to put it mildly) to just blackhole your own site with no explanation whatsoever to the end-user. For everyone on 1.1.1.1 archive.is will now be "down" and they're none the wiser.

Maybe there's a big backstory here, but without context that seems passive-aggressive and quite random?
I am no expert by any means. However, I strongly suspect EDNS is not actually needed to run a CDN. There are a lot of approaches to balancing load and distributing traffic. An example of another approach would be using anycast IPs.

I’m also surprised that traffic from Cloudflare DNS users caused any significant problem. Was it really that much traffic?
> massive mismatch (...) of where DNS and related HTTP requests come from causes so many troubles

Does anyone know what they could mean here? I get that having more open connections and slow requests is not great, but there are popular attacks people will try against them in this case. They already have to handle pathological cases of slow requests, so handling some small number of slower clients shouldn't be an issue.

Or are they talking about some other problem?
A lot of folks here seem to be saying "if you're going to make a DNS query, you're only going to make an HTTP request," which is simply untrue. Hell, you can add an HTML tag to your page to prefetch DNS queries. Browsers prefetch DNS just for hovering your mouse over a link or typing something into your address bar (without actually navigating). Should some DNS server know your IP address just because you moved your mouse over a link? IMO, no.
ECS is not equivalent to 'send the IP' but is revealing.

The fact that I subsequently connect to another place over HTTP or some other protocol is distinct from telling a DNS authority who is asking a question about a domain name: the article implies "it's the same leakage" but it isn't: different people get told.
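To make the distinction in the comment above concrete, here is an added example (not code from the thread or from Cloudflare) that builds and parses the EDNS Client Subnet option wire format from RFC 7871 and compares what an authoritative server learns from a resolver that sends ECS against one, like 1.1.1.1, that does not. The client and resolver addresses are constructed sample values.

```python
import ipaddress
import struct

OPTION_CODE_ECS = 8  # EDNS option code for Client Subnet (RFC 7871)

def ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Build the ECS option (code + length + body) as a resolver would send it.
    Only the first source_prefix bits of client_ip are included; the rest are
    masked off, so a /24 reveals the client's subnet, not the host address."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    network = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8  # address is truncated to whole octets
    addr_bytes = network.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes  # scope 0
    return struct.pack("!HH", OPTION_CODE_ECS, len(body)) + body

def parse_ecs_option(data: bytes):
    """Decode an ECS option; return (client network, scope prefix length)."""
    code, length = struct.unpack("!HH", data[:4])
    if code != OPTION_CODE_ECS:
        raise ValueError("not an ECS option")
    body = data[4:4 + length]
    family, source_prefix, scope_prefix = struct.unpack("!HBB", body[:4])
    full_len = 4 if family == 1 else 16
    addr_bytes = body[4:]
    if len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match source prefix")
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    addr = ipaddress.ip_address(padded)
    return ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False), scope_prefix

def visible_to_authority(client_ip: str, resolver_ip: str, send_ecs: bool, prefix: int = 24):
    """What the authoritative nameserver sees in the query, per the two policies.
    The resolver's own address is always visible; the client subnet only with ECS."""
    subnet = None
    if send_ecs:
        subnet, _scope = parse_ecs_option(ecs_option(client_ip, prefix))
    return {"resolver": resolver_ip, "client_subnet": str(subnet) if subnet else None}

if __name__ == "__main__":
    # Constructed sample values: documentation address ranges, not real hosts.
    print(visible_to_authority("203.0.113.77", "198.51.100.9", send_ecs=True))
    print(visible_to_authority("203.0.113.77", "198.51.100.9", send_ecs=False))
```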
I don’t understand the privacy reason. If I am querying for domain x, why does it matter that domain x’s DNS servers know what IP I am querying them from? I am going to hit their web server directly with that very same IP in a few milliseconds anyway.
Does 1.1.1.1 send ECS info to Cloudflare’s own nameservers? More generally, does 1.1.1.1 in any way treat Cloudflare’s own nameservers in a special way and send it information that it doesn’t send to others?

If the answer to these questions is no, then Cloudflare’s reasons for blocking ECS (i.e. privacy) carry weight. Otherwise no.
Not sure why this is a link to Stack Exchange as the second answer is lifted from the previous HN discussion on the topic

https://news.ycombinator.com/item?id=19828317
I think the decision of archive.is is very interesting.
1) They attracted a lot of attention;
2) They showed the way to fight Cloudflare's business that abuses their service.

If several bigger CDNs like Akamai or SoftLayer consider requests from 1.1.1.1 without EDNS as invalid and block them, Cloudflare wouldn't be able to just say that it's their own problem.