Comment by CodeWriter23

7 years ago

@eastdakota what about just failing without response on archive.is calls so the second resolver address configured in the client will be used? I understand this is also a DNS integrity violation, however the result for the end user would be either the same if they don’t have a second resolver configured or enhanced if they do.

The current effect is I stop using 1.1.1.1 when I need archive.is (often) and set it back the next time I’m messing with my network settings.

DNS either has integrity or it doesn’t. We get a response from an Authoritative server and, as a Resolver, we believe our responsibility is to return it. If we start making exceptions because of bad PR, how can you trust us to do the right thing when the stakes are even higher (e.g., nationstate pressure)?

As an aside, I used to think that when Emerson said that “a foolish consistency is the hobgoblin of little minds” he meant that we were foolish to try and be consistent. Increasingly I wonder if instead he meant that when you’re trying to reason with people who may not have the same detailed knowledge of a problem as you, there’s an enhanced importance to being consistent. Unfortunately, most policy makers globally don’t have a detailed understanding of how technical systems like DNS work, so we think it’s especially important we be consistent.

  • My take on the Emerson quote you mention is to be mindful instead of mindless when it comes to consistency. I respect the commitment to consistency you convey (and I do think it is mindful).

  • I would recommend you leave exegesis of Emerson to the experts. What he meant is much closer to "pave the cowpaths" than "break things that currently work by enforcing arbitrary standards".

If you're going to that much trouble I suggest you just hardcode an IP address for archive.is into /etc/hosts. I've only had to change it once in the whole time I've used Cloudflare DNS (i.e. since the first day it was public).

If you use dnsmasq, you can special case archive.is to not be resolved via 1.1.1.1.
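What the dnsmasq carve-out looks like in practice, as an added example that is not from the commenter or from Cloudflare. It assumes dnsmasq is the local resolver and that the per-domain upstream should be one that does forward EDNS Client Subnet (Google Public DNS at 8.8.8.8 is used here for that reason; the choice is an assumption, and any ECS-forwarding resolver works). The archive.is address in the /etc/hosts alternative is deliberately a placeholder, since it changes and the thread does not give it.

```conf
# /etc/dnsmasq.d/archive-is.conf  (added example, not from the thread)

# Ignore the resolvers in /etc/resolv.conf; only the server= lines below count.
no-resolv

# Default upstream for everything: Cloudflare, which strips ECS (privacy-preserving).
server=1.1.1.1
server=1.0.0.1

# Carve-out: archive.is and its subdomains go to an upstream that DOES forward
# EDNS Client Subnet, so archive.is's authoritative servers get a usable answer.
# Only queries under this domain leak subnet information; everything else stays on 1.1.1.1.
server=/archive.is/8.8.8.8

# Optional: pin the answer locally instead and never ask upstream at all.
# Replace the placeholder with the current address; dnsmasq reads /etc/hosts by default,
# so the equivalent is a line "<archive.is-IP>   archive.is" there. (Placeholder, not a real address.)
# address=/archive.is/<archive.is-IP>

# Verify after restarting dnsmasq:
#   dig @127.0.0.1 archive.is +short        -> should answer (routed to 8.8.8.8)
#   dig @127.0.0.1 example.com +short       -> still answered via 1.1.1.1
# To confirm which upstream handled a query, run dnsmasq with log-queries and watch the log.
```

The trade-off is explicit in the config: the rest of the zone stays behind an ECS-stripping resolver, and only the one domain that needs ECS is routed to a resolver that sends it. Pinning the IP in /etc/hosts avoids the leak entirely but has to be updated whenever archive.is moves.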

Also: it'd be nice if CloudFlare made a secondary DNS resolver (1.1.2.2?) that didn't pass along EDNS information, as a backup for websites like archive.is (and for anyone who cares about privacy).

  • I think you may have typo’d, but just in case:

    1.1.1.1 does not send EDNS ECS data, specifically because of the privacy concern. So the hypothetical secondary resolver would need to send that data, for people who aren’t concerned about the privacy implications / want to get to archive.is.

    Given CloudFlare’s stated message of prioritizing privacy, it seems unlikely they’d stand up infrastructure that behaved like 1.1.1.1 except that it leaked more private information.

    • My apologies! I misread the OP and thought that CloudFlare was being accused of violating privacy. Instead, it seems that CloudFlare is definitely making the right choice, and I can't see why archive.is has any objection.


I just added an entry for archive.is in my /etc/hosts.

  • How do I do that on my iPhone?

    • It's possible using DNSCloak, under Advanced Options > Enable Cloaking.

      You'll need to add a hosts file to your iCloud Drive.

    • Without jailbreaking, I don't think you do. You can do it at the router level with dnsmasq, but then you'd always have to be VPN-ed into that network when you are out and about.

      Although, I believe the Cloudflare DNS app on iPhone uses a VPN iOS API to do its thing, so it should be possible to put dnsmasq-like functionality into an iOS app. I don't know if this exists already.