Cloudflare has decided not to support eDNS0 in its current form to protect the privacy of users. One company I am aware of has decided this is unacceptable and refuses to return an answer.
Unfortunately there is no polite way I can explain how you would know this is happening… You could follow their twitter feed where they have made it clear that’s what they are doing, I suppose, but who would bother?
The sites now redirect to some really dodgy Russian site (https://unitleaks.com/) when using Cloudflare (and only Cloudflare).
Also, archive.is is stating Cloudflare has never offered assistance to help with this. https://twitter.com/archiveis/status/1090261010353512451
At this point, I'm pretty fed up with both Cloudflare and archive.is. Having the page redirect to some dodgy site is really not okay, no matter whose "fault" it is.
184.108.40.206 is a more or less straightforward DNS service. It doesn’t (at this time) block malware or censor dodgy sites or engage in other modification.
(I’m mentally categorizing DNSSEC negative trust anchors and capitalization and EDNS workarounds somewhere off to the side.)
You’re asking Cloudflare to block archive.is, to replace the IP addresses provided by archive.is’s authoritative nameservers with different ones, or (until recently) apparently to set up a special Cloudflare CDN account for archive.is.
I’m not asking them to block anything, I’m just sick of the blame back and forth on this. Both sides are blaming each other, and neither seem to want to step forward and actually correct the issue. Like I said, archive.is is stating that Cloudflare hasn’t offered help, and will not help them correct the issue.
This works on every other resolver than Cloudflare's. There is an obvious disconnect someplace, I don’t care where it is, what I do care about is the lack of resolution from both sides. Cloudflare is (apparently) refusing to work with them to get it working.
When 220.127.116.11’s resolvers ask archive.is’s nameservers a question, archive.is gives Cloudflare different IP addresses than it gives other resolvers.
Cloudflare’s simple options are to do nothing, sneak around it by forwarding the requests to another DNS service or using IP addresses archive.is isn’t yet blocking, or ask archive.is why they are doing it and if they can work something out.
archive.is’s simple options are to continue doing this, to reconfigure or fix their DNS servers to stop doing it, or to talk to Cloudflare, reach some sort of deal, and then go back to option 2.
I’m no expert on DNS, so take this with a grain of salt, but Cloudflare seems to be returning different nameservers. As I understand it, the NS records are pulled from the registrar’s glue records and/or the root nameservers, so this makes me a little confused.
$ dig NS archive.is @isgate.is
archive.is. 86400 IN NS carl.archive.is.
archive.is. 86400 IN NS anna.archive.is.
$ dig NS archive.is @18.104.22.168
archive.is. 7768 IN NS anna.ns.Cloudflare.com.
archive.is. 7768 IN NS ben.ns.Cloudflare.com.
Not saying CF is doing anything devious, but maybe it’s an issue with ISNIC’s root nameservers or the registrar. The registrar apparently did have an issue with the archive.is domain having an unauthorized transfer until that twitter account complained and got the attention of one of the registry operators, so I wouldn’t be surprised if the registrar is doing something.
NS records exist in both the parent and child zones.
Authoritative nameservers return different results for A, AAAA and CNAME records based on geo IP stuff all the time. Doing the same thing with NS records is unusual but just as easy (if your software is flexible enough).
TLDs could do the same thing, but it’s unheard of, as far as I know. It would be a headache. Their registry software probably doesn’t even support it, and their nameservers are probably using a half dozen different implementations run by a half dozen different organizations. Some of them might not support it and all of them would have to be configured separately.
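A small checker for the kind of mismatch shown in the dig output above, added here as an example and not part of the thread: it parses dig-style NS answer lines from several sources, normalises name case (DNS names compare case-insensitively, which is also what the capitalization workaround mentioned earlier relies on), and reports which sources disagree with the parent delegation. The sample answers are constructed from the records quoted in the thread; the "resolver-a"/"resolver-b" labels are assumptions, not real resolver names.

```python
import re

# Constructed sample: dig-style NS answers as returned by different sources.
# The parent answer and the two resolver answers mirror the records quoted in
# the thread; the source labels are hypothetical.
SAMPLE_DIG_OUTPUT = {
    "parent (isgate.is)": """\
archive.is. 86400 IN NS carl.archive.is.
archive.is. 86400 IN NS anna.archive.is.
""",
    "resolver-a": """\
archive.is. 3600 IN NS Anna.Archive.IS.
archive.is. 3600 IN NS CARL.archive.is.
""",
    "resolver-b": """\
archive.is. 7768 IN NS anna.ns.Cloudflare.com.
archive.is. 7768 IN NS ben.ns.Cloudflare.com.
""",
}

# Matches one answer-section line: <owner> <ttl> IN NS <target>
NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)$")


def parse_ns_answers(text):
    """Return the set of NS targets in a dig-style answer section.

    Targets are lower-cased and the trailing dot is dropped so that answers
    differing only in case or in FQDN formatting compare as equal.
    """
    names = set()
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            names.add(m.group(3).lower().rstrip("."))
    return names


def compare_delegations(answers, reference):
    """Compare every source's NS set against the reference (parent) delegation.

    Returns {source: (missing, extra)} for each source whose answer differs:
    'missing' are parent NS names the source did not return, 'extra' are names
    it returned that the parent does not delegate to.
    """
    ref = parse_ns_answers(answers[reference])
    diffs = {}
    for source, text in answers.items():
        if source == reference:
            continue
        got = parse_ns_answers(text)
        if got != ref:
            diffs[source] = (sorted(ref - got), sorted(got - ref))
    return diffs


if __name__ == "__main__":
    for src, (missing, extra) in compare_delegations(SAMPLE_DIG_OUTPUT, "parent (isgate.is)").items():
        print(f"{src}: missing={missing} extra={extra}")
```

Feeding it real `dig +noall +answer NS archive.is @<server>` output per source, one entry per resolver, gives the same side-by-side view the thread is arguing from.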
Doing a dig with Google DNS, OpenDNS, Norton DNS, Comodo DNS and Quad9 all resolve the same way, with the name servers of anna.archive.is and carl.archive.is. Same with literally every single DNS server listed here: https://public-dns.info/nameserver/nz.html (I picked NZ because that’s where I live).
It seems quite strange that literally every other DNS server I test routes it properly, with the exception of Cloudflare. This back and forth with everyone blaming everyone else is getting nowhere. But it’s quite telling that every other provider doesn’t seem to have this problem at all.
Yes, I'm absolutely sure they've singled out Cloudflare and then adamantly denied it because... reasons...
Out of all of the other thousands and thousands of DNS providers, they chose to mess up just Cloudflare.
Sorry not buying it one bit.
I've kept up with their tweets, and in fact tweeted them a few times. If you look at the top reply to what you linked, that's in answer to me in fact.
They have never said they are intentionally blocking Cloudflare, in fact, they have said the opposite, and have stated that Cloudflare refuses to work with them on it.