item 36577283


rampant_ai | 2 years ago

Holy hell this drove me crazy the other day. Firefox wouldn't work, but my backup, Chrome, did. But a fresh Firefox profile also worked.

So I figured I must've left a bad user-agent string or something in my about:config. But after lots of trial and error with FF settings, curl/dig, with VPN, without VPN... turns out it was because I was using Cloudflare DNS. I'd forgotten I'd switched a while back when I was getting dropped packets to quad9.

My best assessment is for whatever reason Cloudflare's DNS gives a different A record pointing to a non-TLS (or broken TLS) redirect, so Chrome worked because that's allowed by default. A fresh FF profile also worked because it defaults to DoH thus bypassing the problem completely. My VPN worked because it has its own DNS. But because my daily driver FF profile is set to use system DNS with forced TLS, it'd hit the broken redirect it got from Cloudflare and die.

So as usual, it was DNS.


ollien | 2 years ago

Correct - archive.is doesn't like not getting EDNS from Cloudflare (https://jarv.is/notes/cloudflare-dns-archive-is-blocked/), so Cloudflare sends you to 1.1.1.7 to indicate a problem.

jgrahamc | 2 years ago

Just to be clear: there's no Cloudflare special case here. We're not sending you to 1.1.1.7. We just send whatever the archive.is auth servers decide to send to us. They are auth after all. If we returned 1.1.1.7 it's because they did.

rampant_ai | 2 years ago

So archive.is is upset Cloudflare isn't forwarding the EDNS data, even though the feature's RFC itself states:

> If we were just beginning to design this mechanism, and not documenting existing protocol, it is unlikely that we would have done things exactly this way.

--/--

> We recommend that the feature be turned off by default in all nameserver software, and that operators only enable it explicitly in those circumstances where it provides a clear benefit for their clients. We also encourage the deployment of means to allow users to make use of the opt-out provided. Finally, we recommend that others avoid techniques that may introduce additional metadata in future work, as it may damage user trust.

Seems archive.is is in the wrong here, which is a little surprising. Don't meet your heroes I guess. But then I also can't see their rebuttal because Twitter is currently a dumpster fire.