
Comment by floatingatoll

7 years ago

Text of tweet by @archiveis:

"Having to do" is not so direct here. Absence of EDNS and massive mismatch (not only on AS/Country, but even on the continent level) of where DNS and related HTTP requests come from causes so many troubles that I consider EDNS-less requests from Cloudflare as invalid.

For additional context, here is the Cloudflare explanation about EDNS client subnets:

> EDNS Client Subnet
>
> 1.1.1.1 is a privacy centric resolver so it does not send any client IP information and does not send the EDNS Client Subnet Header to authoritative servers.

Cloudflare's requests are of course perfectly valid, with @archiveis actively deciding not to service them.

  • It has nothing to do with privacy, as the next thing following DNS resolution is establishing a TCP connection which always leaks full IP address to the same person or organization controlling authoritative servers. Basically EDNS is just a convenient way for DNS-based CDNs to provide a better edge node. But this is directly competing with Cloudflare, so Cloudflare invents excuses not to implement something that helps other CDNs.

    • > the next thing following DNS resolution is establishing a TCP connection which always leaks full IP address to the same person or organization controlling authoritative servers

      Depends on who runs the authoritative servers: if you hit the authoritative DNS services for most of my domains, you are providing your information to 123-Reg (or, increasingly, Google); if you start a TCP connection, you are providing it to me.

    • The fallback should be to do GeoDNS based on the resolver's IP. In case of Cloudflare that's certainly good enough, since they've got 150+ POPs.
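As an added illustration of the two mechanisms the comments above argue about, here is a small Python example (not code from the thread, from Cloudflare, or from archive.is) that parses the EDNS Client Subnet option a resolver may attach to a query and, when it is absent, falls back to geolocating on the resolver's own address as the previous comment suggests. Option codes and the wire layout follow RFC 6891 (EDNS(0)) and RFC 7871 (ECS); the DNS Cookie option (code 10, RFC 7873) appears only so the option walk has something unrelated to skip. All addresses and option bytes are constructed sample data from the documentation ranges.

```python
"""Added example: EDNS Client Subnet (RFC 7871) parsing and the resolver-IP
fallback for GeoDNS. Constructed sample data; not code from the page."""
import ipaddress
import struct
from typing import Optional, Tuple

OPT_CLIENT_SUBNET = 8          # EDNS option code for Client Subnet (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2  # IANA address family numbers used by ECS


def build_ecs_option(network, scope_len: int = 0) -> bytes:
    """Encode an ECS option body: FAMILY(2) | SOURCE PREFIX-LENGTH(1) |
    SCOPE PREFIX-LENGTH(1) | ADDRESS truncated to the source prefix length."""
    net = ipaddress.ip_network(network)
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    nbytes = (net.prefixlen + 7) // 8
    return struct.pack("!HBB", family, net.prefixlen, scope_len) + net.network_address.packed[:nbytes]


def parse_ecs_option(body: bytes) -> Tuple[ipaddress._BaseNetwork, int]:
    """Decode an ECS option body into (client subnet, SCOPE PREFIX-LENGTH),
    rejecting malformed or non-zero-padded addresses."""
    if len(body) < 4:
        raise ValueError("ECS option shorter than its fixed header")
    family, source_len, scope_len = struct.unpack("!HBB", body[:4])
    if family == FAMILY_IPV4:
        cls, width = ipaddress.IPv4Network, 4
    elif family == FAMILY_IPV6:
        cls, width = ipaddress.IPv6Network, 16
    else:
        raise ValueError(f"unsupported ECS address family {family}")
    if source_len > width * 8:
        raise ValueError("SOURCE PREFIX-LENGTH exceeds the address size")
    addr = body[4:]
    if len(addr) != (source_len + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    padded = addr + b"\x00" * (width - len(addr))
    # strict=True refuses set bits beyond the prefix, which RFC 7871 forbids
    return cls((padded, source_len), strict=True), scope_len


def ecs_is_wellformed(body: bytes) -> bool:
    """True if the option body parses under the checks above."""
    try:
        parse_ecs_option(body)
        return True
    except ValueError:
        return False


def extract_ecs(opt_rdata: bytes) -> Optional[bytes]:
    """Walk the OPT RR RDATA (OPTION-CODE/OPTION-LENGTH/OPTION-DATA triples,
    RFC 6891) and return the ECS option body, or None if no ECS is present."""
    i = 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[i:i + 4])
        i += 4
        data = opt_rdata[i:i + length]
        if len(data) != length:
            raise ValueError("truncated EDNS option")
        i += length
        if code == OPT_CLIENT_SUBNET:
            return data
    if i != len(opt_rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return None


def geo_source(resolver_ip: str, opt_rdata: Optional[bytes]):
    """Pick the address a GeoDNS authoritative server geolocates on. With ECS,
    use the client subnet the resolver forwarded; with no EDNS or no ECS (what
    1.1.1.1 sends), fall back to the resolver's own address, which for a large
    anycast resolver is usually a fair proxy for the client's region."""
    ecs = extract_ecs(opt_rdata) if opt_rdata else None
    if ecs is None:
        return "resolver", ipaddress.ip_network(resolver_ip)
    network, _scope = parse_ecs_option(ecs)
    return "client-subnet", network


if __name__ == "__main__":
    # Constructed query: a DNS Cookie option (code 10) followed by ECS for 192.0.2.0/24
    cookie = b"\x00\x0a\x00\x08" + bytes(range(1, 9))
    ecs_tlv = b"\x00\x08\x00\x07" + build_ecs_option("192.0.2.0/24")
    print(geo_source("203.0.113.53", cookie + ecs_tlv))   # client subnet wins
    print(geo_source("203.0.113.53", cookie))             # no ECS: resolver IP
    print(geo_source("203.0.113.53", None))               # no EDNS at all: resolver IP
```

The resolver-IP fallback is deliberately a separate branch rather than a synthesized ECS option, so logs can record which of the two signals drove the answer; that distinction is exactly what the thread's disagreement about "invalid" EDNS-less queries turns on.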

> requests come from causes so many troubles

Given they serve their pages over Tor, I don't buy that explanation at all. Assuming location of client == location of Cloudflare source would give them a rough match in most cases. In Tor they're almost guaranteed to be wrong.

Ah yes, the huge trouble of a website that is a few ms slower as opposed to just not working at all.

I’m not sure I see what kind of logic goes into this argument.