this post was submitted on 30 Aug 2023
Technology
I see... not sure I approve, but I see.
That's precisely one of the issues with EDNS, already described 10 years ago:
(https://00f.net/2013/08/07/edns-client-subnet/)
From the CEO's reply on YC:
(https://news.ycombinator.com/item?id=19828702)
Seems like dropping the originating address is a reasonable action on their part.
Only thing they could possibly do would be to replace the originating address with the address of the particular DNS resolver in their network, which they said they had 180 of... but that would still reveal your geographic area in case of a VPN leak.
On the other hand, if you don't care about any of that, why not use Google's 4.4.4.4?
The reason I'm saying use a VPN is because you're presumably visiting the site anyway, so you're leaking your full IP to them anyway. You can route your DNS lookups through what server you like, obviously. (Again, the privacy issue would be not that you're leaking part of your IP to archive.is, but to everyone in the chain of recursive DNS resolvers). You could use TOR too, I think even in this thread someone posted a TOR url for it.
Cloudflare do make the DNS queries from 1 of their 180 locations, so there is some information being passed through about where the request is coming from in terms of load balancing.
I'm not arguing that Cloudflare are doing the wrong thing by omitting ECS data in general. Just that site owners have a right to do as they like WRT people using their website and if that includes blocking Cloudflare, so be it. What he is doing is not legal (or at least grey area) in many countries so anything that makes his life easier is understandable IMO.
Also, ECS leaking does not seem like a real concern for the vast majority of people surfing the net.
Lastly I don't think Google own 4.4.4.4, did you mean 8.8.4.4?
I know what you meant with the VPN. Just saying that CloudFlare is using the VPN leakage case to justify not supporting ECS. As for the rest of the problems, DNS servers that support ECS hopefully have already implemented countermeasures.
Indeed Archive.is is free to block whoever he wants... he's just using a weird argument, particularly when there is an onion address for it, which is kind of the opposite of a CDN... or I don't understand his side completely. It feels to me like both sides are sticking to their stances, when either or both could fix the issue without much of a problem.
Damn. Yeah, I meant 8.8.8.8 and 8.8.4.4. Brain fart.
There's a comment on one of the HN threads that gives a little more insight - basically it helps him combat abuse by routing requests to the closest server outside of the requesting IP's area: https://news.ycombinator.com/item?id=36971650
Not sure how that argument really holds up to scrutiny but it's something.
Oh, so he's not using a CDN, but a sort of "anti"-CDN.
Wonder why 😆
Yes, that holds up to scrutiny pretty well.
...and that's a dick move on part of CloudFlare.
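For readers wondering what "part of your IP" in the ECS discussion above concretely means, here is an added example (not from any commenter, and not Cloudflare's or archive.is's code) that encodes and decodes the RFC 7871 Client Subnet option and contrasts the three recursive-resolver behaviours the thread describes: forwarding the client's /24, substituting the resolver's own egress address, and sending no ECS at all. The policy names and the sample addresses are my own assumptions.

```python
import ipaddress
import struct
from typing import Optional
ECS_OPTION_CODE = 8  # EDNS0 option code for Client Subnet (RFC 7871)

def build_ecs_option(addr: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Encode one ECS option: OPTION-CODE, LENGTH, FAMILY, SOURCE, SCOPE, ADDRESS.
    Only ceil(source_prefix/8) address bytes are sent, bits past the prefix zeroed."""
    ip = ipaddress.ip_address(addr)
    family, max_bits = (1, 32) if ip.version == 4 else (2, 128)
    if not 0 <= source_prefix <= max_bits:
        raise ValueError("prefix length out of range for address family")
    net = ipaddress.ip_network(f"{addr}/{source_prefix}", strict=False)
    addr_bytes = net.network_address.packed[: (source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def parse_ecs_option(data: bytes) -> dict:
    """Decode an ECS option into the subnet an authoritative server would see."""
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[4:8])
    addr_bytes = data[8:4 + length]
    full_len = 4 if family == 1 else 16
    if len(addr_bytes) > full_len:
        raise ValueError("address longer than family allows")
    addr = ipaddress.ip_address(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "subnet": f"{addr}/{source_prefix}"}

def ecs_for_policy(policy: str, client_ip: str, resolver_ip: str) -> Optional[bytes]:
    """Three recursive-resolver behaviours from the thread (policy names are mine):
    'client24' forwards the client's /24, 'resolver' substitutes the resolver's own
    egress address, 'none' sends no ECS at all (the option is simply absent)."""
    if policy == "client24":
        return build_ecs_option(client_ip, 24)
    if policy == "resolver":
        return build_ecs_option(resolver_ip, 24)
    if policy == "none":
        return None
    raise ValueError(f"unknown policy {policy!r}")

if __name__ == "__main__":
    # Constructed sample addresses from the RFC 5737 documentation ranges.
    client, resolver = "203.0.113.77", "198.51.100.9"
    for policy in ("client24", "resolver", "none"):
        opt = ecs_for_policy(policy, client, resolver)
        print(policy, None if opt is None else parse_ecs_option(opt)["subnet"])
```

Note that even the 'client24' case never transmits the host octet (.77); the privacy concern in the thread is that the /24 still pins down the network and rough location for every resolver in the chain.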