Comment by twhb

7 years ago

Thank you for your comment.

Since HTTPS traffic already reveals communicating IPs to nation-state actors, could you clarify what attack vector removing user IP info from authoritative DNS queries protects against?

In what way does Cloudflare publish its PoP geolocation? Is it a Cloudflare-specific API? Why not fake EDNS subnet info by providing the PoP’s?

I notice of course that Google, Facebook, and Netflix still work on 1.1.1.1. Does this mean they’re currently using Cloudflare PoP geolocation in lieu of EDNS subnet information?

It's preventing the DNS authority from knowing the IP of who is making the request.

CloudFlare decided its DNS should be the authority to the end user and Archive.is's DNS should be the authority only to CloudFlare. CloudFlare is breaking the bond between the end user and the service provider.

What CloudFlare is doing is centralizing authority to itself rather than allowing authority to be distributed to all owners of the domains as intended. An argument can be made that by using 1.1.1.1 you are granting CF permission to act in this role - some users may even prefer it.

  • This is no different than any third-party DNS service. If the resolving DNS server you hit doesn't have a cached response, it reaches out to the upstream resolver. It doesn't pass your IP along to the upstream resolver
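As an added, stand-alone example (not code from this thread, from Cloudflare or from Archive.is), here is the EDNS Client Subnet option from RFC 7871 encoded and decoded, so you can see precisely what an authoritative server learns under each resolver policy discussed above: no ECS at all, the user's /24, or the resolver's own PoP address in place of the user's. The `authority_view` helper, the client address and the PoP address are constructed for illustration.

```python
# Added example: encode/decode the EDNS Client Subnet (ECS) option, RFC 7871.
# Wire format of the option body: FAMILY(2) SOURCE-PREFIX(1) SCOPE-PREFIX(1)
# ADDRESS(truncated to ceil(SOURCE-PREFIX / 8) bytes).
import ipaddress
import struct

OPTION_ECS = 8  # EDNS option code assigned to Client Subnet in RFC 7871


def build_ecs_option(client_ip: str, source_bits: int) -> bytes:
    """Encode an ECS option carrying client_ip truncated to source_bits.

    source_bits=24 reveals only the user's /24; source_bits=0 is the RFC 7871
    "opt-out" form that carries no address bytes at all.
    """
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    # Zero the host bits so nothing beyond the prefix leaks into the option.
    net = ipaddress.ip_network(f"{client_ip}/{source_bits}", strict=False)
    addr_bytes = net.network_address.packed[: (source_bits + 7) // 8]
    body = struct.pack("!HBB", family, source_bits, 0) + addr_bytes
    return struct.pack("!HH", OPTION_ECS, len(body)) + body


def parse_ecs_option(opt: bytes) -> dict:
    """Decode one ECS option: exactly what the authoritative server learns."""
    code, length = struct.unpack("!HH", opt[:4])
    if code != OPTION_ECS:
        raise ValueError("not an ECS option")
    family, source_bits, scope_bits = struct.unpack("!HBB", opt[4:8])
    addr = opt[8:4 + length]
    width, net_cls = (4, ipaddress.IPv4Network) if family == 1 else (16, ipaddress.IPv6Network)
    padded = addr + b"\x00" * (width - len(addr))  # restore truncated bytes
    prefix = net_cls((padded, source_bits), strict=False)
    return {"family": family, "source_prefix_length": source_bits,
            "scope_prefix_length": scope_bits, "prefix": str(prefix)}


def authority_view(policy: str, client_ip: str, pop_ip: str = "198.51.100.1"):
    """Hypothetical helper: the prefix an authority sees under each policy.

    'none'    : resolver sends no ECS option (only the resolver's own IP is seen)
    'slash24' : resolver forwards the user's /24 (typical ECS-enabled resolver)
    'pop'     : resolver substitutes its own PoP address for the user's
    """
    if policy == "none":
        return None
    if policy == "slash24":
        return parse_ecs_option(build_ecs_option(client_ip, 24))["prefix"]
    if policy == "pop":
        return parse_ecs_option(build_ecs_option(pop_ip, 24))["prefix"]
    raise ValueError(f"unknown policy {policy!r}")
```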