Note that if you use 1.1.1.1, you apparently can't visit archive.is links. I'm not sure why, but around a dozen people on HN have confirmed this. (At least as of a couple months ago.)
I think the world could use more alternatives to 8.8.8.8. Hopefully 1.1.1.1 will become more reliable as the years tick by.
(Do you use something besides 8.8.8.8 or 1.1.1.1? If so, post it here! Collecting reliable DNS servers might be a niche hobby, but it's a fun one. I was going to suggest 9.9.9.9 aka Quad9, but apparently it comes with strings attached. https://news.ycombinator.com/item?id=16728214)
Cloudflare doesn't support the DNS Extension that sends part of clients' IPs to the upstream resolver (https://en.m.wikipedia.org/wiki/EDNS_Client_Subnet). Cloudflare believes this is better for privacy.
Archive.is doesn't like this (because it prevents DNS-based CDN routing), and thus has a hardcoded exception to intentionally return bogus results to Cloudflare's resolvers.
99% of the time I just talk directly to the root servers from my home network and pre-cache the most popular places I visit. Unbound also supports DoH but most distributions of Linux do not enable that compile time flag in their Unbound package build and I have long since stopped compiling things as most distributions finally started using the right security options in their builds. I also have DoT running at home which the cell phone figured out on its own.
I keep DoT Unbound DNS running on several VPS providers that also talk directly to the root servers just in case. Useful for cell phones. My ISP is a tiny community ISP and would never filter any results and DNS privacy is just one tiny piece of browsing habits. Until encrypted SNI is fully adopted by all SSL libraries and applications they can still see where I browse unless I am using my own Tinc VPNs or SSH tunneling.
> Note that if you use 1.1.1.1, you apparently can't visit archive.is links. I'm not sure why, but around a dozen people on HN have confirmed this. (At least as of a couple months ago.)
Switched off 1.1.1.1 for that reason a while back. Currently using OpenDNS which is now unfortunately owned by Cisco. Definitely a lack of actually open alternatives.
I have set up Cloudflare DoH in my router, I block other popular DoH servers on my network and I also redirect any other DNS queries (UDP 53) to my router's DNS (which in turn uses Cloudflare).
And at least in my region (EU) I did not notice any issues with 1.1.1.1.
Well. I used archive.is a lot. But Cloudflare has a point by not making a specific adjustment to fix the archive.is issue (since it's on archive.is's end).
As a "collector of reliable DNS servers"^1 I can report there are DoH servers that will actually take a traditional DNS query that does not support EDNS0 and, perhaps using the client IP from the TCP connection, return a response that includes EDNS0 Client Subnet (ECS). Whether the DoH provider is sending the ECS to authoritative servers I do not know, but to me it is quite sad to see this being returned in the response given I did not request it. Anyway, ECS is supposedly the reason 1.1.1.1 does not include DNS data for archive.is.
The site once used a tracking pixel as a poor man's ECS. The client IP address was inserted into the image name. Apparently the operator of the site explained this was used to achieve CDN-like functionality:
https://news.ycombinator.com/item?id=27501867
1. Perhaps we should be clear that "servers" here means open resolvers. These servers are of course not authoritative for any name, and generally recursion is slower than iteration, i.e., use of authoritative servers only (feel free to challenge me on this and I will share a citation, although I know this is true from my own experiments). Thus "reliable" is perhaps ambiguous. Not all of them always return the same results. Some will return different answers, and not always for "load balancing" reasons. Some may be missing data entirely. Some will return wrong answers, e.g., pretending to be authoritative. Much DNS funny business on the internet today. I gather results from a variety of resolvers, from authoritative servers as well as other sources of DNS data, e.g., public zone files, scans and crawls, and I compare notes; I personally would not feel comfortable using one open resolver (third party DNS) as the source for all DNS data; I could not rely on it. As such, "reliable" is IMHO a loaded term if used to describe open resolvers.
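The ECS mechanism discussed in this thread (a client subnet option inside the EDNS0 OPT record, and a resolver reply that carries one back) can be inspected on the wire. The following is an added example, not code from any commenter: it encodes an ECS option the way a client would send it and walks a DNS reply to see whether the resolver returned ECS data; the reply bytes are constructed inline with documentation addresses, and the helper names are this example's own.

```python
import struct

ECS_OPTION_CODE = 8  # EDNS0 Client Subnet option code (RFC 7871)
OPT_TYPE = 41  # the EDNS0 OPT pseudo-RR that carries options

def build_ecs_option(prefix, source_bits, scope_bits=0):
    """Encode an IPv4 ECS option: family 1, source/scope prefix lengths, truncated address."""
    octets = bytes(int(o) for o in prefix.split("."))
    addr = octets[:(source_bits + 7) // 8]  # only the significant octets go on the wire
    data = struct.pack("!HBB", 1, source_bits, scope_bits) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def skip_name(msg, off):  # offset just past a wire-format name, honouring compression pointers
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def find_ecs(msg):
    """Walk every section of a DNS message; return (family, source, scope, addr) or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # OPT RDATA is a sequence of {code, length, data}
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == ECS_OPTION_CODE:
                fam, src, scope = struct.unpack("!HBB", body[:4])
                return fam, src, scope, body[4:]
    return None

def sample_response(with_ecs):
    """Constructed reply for 'example.com A': one answer plus an OPT RR, optionally carrying ECS."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + b"\x07example\x03com\x00\x00\x01\x00\x01"
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = build_ecs_option("203.0.113.0", 24, scope_bits=24) if with_ecs else b""
    return msg + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(opt)) + opt
```

A non-None result from find_ecs on a reply to a query that carried no ECS option is exactly the behaviour the comment above describes; a reply from a resolver that does not forward client subnets should yield None.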
Cloudflare is in the wrong here. Archive.is had to develop a unique CDN system to protect against illegal content being uploaded and immediately reported, which led to server seizures and downtime. Cloudflare's DNS disrupts this system, putting archive.is at risk. Archive.is even offered to proxy Cloudflare DNS users via their CDN, but Cloudflare rejected the proposal. This leaves archive.is in a vulnerable position, and it's unreasonable to expect them to register their own autonomous system just to fix this issue.
I was using Cloudflare DNS for a while until learning it was the cause of archive brokenness, switched to Google DNS, and recently have started trying out Adguard DNS just out of curiosity, to try out DNS-over-QUIC (requires a VPN app that supports that). Can't say whether it's better or worse but always fun to try out a new tech.
I’ve just started using Warp+ and it has been excellent for my specific use case: better peering to my Plex server while in another continent. Plex was unusable and now it’s not. Overall very happy despite this brief outage.
What's the point of having a secondary endpoint 1.0.0.1 if an outage breaks both that and 1.1.1.1? Are these two servers not running in physically isolated regions with independent code deploys?
Found the reverse chronological order (with timestamps being a smaller/lighter font, at least on mobile) to have caused extra thinking, which, for a status, seems undesirable.
I get wanting to expose the latest thing first, but the "top-posting" style seems intuitive. Perhaps, as a compromise, a status page would have a "Latest" block at the top, with the timestamp prominent, where the latest known status would be placed by whatever makes the updates, but the updates themselves are in the chronological order?
iamdbtoo|2 years ago
https://news.ycombinator.com/item?id=19828317
lxgr|2 years ago
https://community.cloudflare.com/t/archive-today-works-again...
frankjr|2 years ago
https://news.ycombinator.com/item?id=19828702
shasts|2 years ago
I like the 300K requests per month free tier that nextdns.io has. Comes with plenty of filters.
NicoJuicy|2 years ago
So, I don't go to archive.is anymore.
Unfrozen0688|2 years ago
From the makers of Windscribe VPN (Canadian)
I use the filter that blocks ads and malware 76.76.2.2 76.76.10.2
https://controld.com/free-dns
https://docs.controld.com/docs
NextDNS
Running your own DNS resolver is super easy. It probably has the highest ROI of any self-hosted service, because it is so easy and inexpensive to do.
I recommend Unbound: https://nlnetlabs.nl/projects/unbound