Comment by arghwhat
7 years ago
For additional context, here is the Cloudflare explanation about EDNS client subnets:
> EDNS Client Subnet
>
> 1.1.1.1 is a privacy-centric resolver, so it does not send any client IP information and does not send the EDNS Client Subnet header to authoritative servers.
Cloudflare's requests are of course perfectly valid, with @archiveis actively deciding not to service them.
It has nothing to do with privacy, as the next thing following DNS resolution is establishing a TCP connection, which always leaks the full IP address to the same person or organization controlling the authoritative servers. Basically EDNS is just a convenient way for DNS-based CDNs to provide a better edge node. But this is directly competing with Cloudflare, so Cloudflare invents excuses not to implement something that helps other CDNs.
See the CEO's comment: https://news.ycombinator.com/item?id=19828702
> We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.
So it's not just "Cloudflare benefits from pushing anycast" (even if that's part of it).
So, what he claims is that state actors monitor traffic at certain locations and extract subnet information from DNS packets that only large centralized DNS resolvers include when querying some authoritative servers that were probed to support that feature. That subnet is not a subnet of an end user IP address, but an IP address of a recursive resolver of that user's ISP. They have to correlate that information with a connection made from that ISP to a web server to track the user. What does 1.1.1.1 bring here? State actors can now correlate an actual IP address sending data to 1.1.1.1 with a clear text DNS query going out of it, making tracking more reliable and simple and worse for privacy. And still worse for other CDNs.
Don't take Cloudflare's PR seriously, they are completely full of it. They used to be more honest, but those days are long gone.
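To make concrete what the EDNS Client Subnet option argued over above actually carries on the wire, here is an added example (written for this page, not code from any commenter or from Cloudflare) that encodes and decodes the option as laid out in RFC 7871. It shows that a resolver sends only a truncated prefix (typically /24 or /56) of the client address, and that a resolver with no ECS option, or a SOURCE PREFIX-LENGTH of 0, sends nothing usable. The IP addresses are constructed documentation-range samples.

```python
import ipaddress
import struct
from typing import Optional

ECS_OPTION_CODE = 8  # EDNS0 option code for Client Subnet (RFC 7871)

def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Encode an ECS option the way a resolver attaches it to an OPT RR.

    Only the leading source_prefix bits of client_ip are sent: the address
    field is truncated to ceil(prefix / 8) bytes, trailing bits zeroed.
    A source_prefix of 0 carries no address at all (the RFC 7871 opt-out).
    """
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    family = 1 if net.version == 4 else 2          # 1 = IPv4, 2 = IPv6
    addr_len = (source_prefix + 7) // 8
    addr = net.network_address.packed[:addr_len]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr  # scope = 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def ecs_from_opt_rdata(rdata: bytes) -> Optional[dict]:
    """Walk the option list in an OPT RR's RDATA; return the ECS subnet, or
    None when the resolver sent no Client Subnet option (1.1.1.1's behaviour)."""
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        data = rdata[pos:pos + length]
        pos += length
        if code != ECS_OPTION_CODE:
            continue                                # skip cookies, padding, etc.
        family, src, scope = struct.unpack("!HBB", data[:4])
        full_len = 4 if family == 1 else 16
        padded = data[4:] + b"\x00" * (full_len - len(data[4:]))
        ip = ipaddress.ip_address(padded)
        return {"subnet": str(ipaddress.ip_network(f"{ip}/{src}", strict=False)),
                "scope": scope}
    return None

if __name__ == "__main__":
    # Constructed sample: a resolver forwarding a /24 for an IPv4 client.
    print(ecs_from_opt_rdata(build_ecs_option("203.0.113.77", 24)))
    # A privacy-preserving resolver that adds no option exposes nothing.
    print(ecs_from_opt_rdata(b""))
```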
That's not true.
Many setups proxy everything but dns traffic.
That's why this topic is a thing.
https://trac.torproject.org/projects/tor/wiki/doc/Preventing...
> the next thing following DNS resolution is establishing a TCP connection which always leaks full IP address to the same person or organization controlling authoritative servers
Depends on who runs the authoritative servers. If you hit the authoritative DNS services for most of my domains, you are providing your information to 123-Reg (or, increasingly, Google); if you start a TCP connection, you are providing it to me.
The fallback should be to do GeoDNS based on the resolver's IP. In case of Cloudflare that's certainly good enough, since they've got 150+ POPs.