1.1.1.1 does not resolve archive.is

Hello,

1.1.1.1 returns SERVFAIL for archive.is, Google 8.8.8.8 is fine. The DNSViz report (just analyzed today) does show problems. All information from the troubleshooting post is below.

 $ dig archive.is @8.8.8.8

; <<>> DiG 9.8.3-P1 <<>> archive.is @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4695
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;archive.is.                    IN      A

;; ANSWER SECTION:
archive.is.             299     IN      A       46.17.42.43

;; Query time: 127 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug  9 13:06:40 2018
;; MSG SIZE  rcvd: 44

 $ dig archive.is @1.1.1.1

; <<>> DiG 9.8.3-P1 <<>> archive.is @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41948
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;archive.is.                    IN      A

;; Query time: 2560 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Aug  9 13:06:48 2018
;; MSG SIZE  rcvd: 28

 $ dig archive.is @1.0.0.1

; <<>> DiG 9.8.3-P1 <<>> archive.is @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14050
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;archive.is.                    IN      A

;; Query time: 203 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Thu Aug  9 13:06:59 2018
;; MSG SIZE  rcvd: 28

 $ dig +short CHAOS TXT id.server @1.1.1.1
"YYZ"
 $ dig +short CHAOS TXT id.server @1.0.0.1
"YYZ"

http://dnsviz.net/d/archive.is/W2x2lg/dnssec/

Archive.is has chosen not to publish their IP addresses to Cloudflare DNS resolvers. You’ll need to take up the issue with them.

Thanks for the reply, I will inquire with them.

I haven’t seen this before. Other than guessing based on the SERVFAIL, how would I know this is what’s happening?

Regards

Cloudflare has decided not to support eDNS0 in its current form to protect the privacy of users. One company I am aware of has decided this is unacceptable and refuses to return an answer.

Unfortunately there is no polite way I can explain how you would know this is happening… You could follow their twitter feed where they have made it clear that’s what they are doing i suppose, but who would bother?

That’s helpful enough, appreciated. Sorry for the noise, I was unaware of this until today.

I see this has also been explained already elsewhere, but searching didn’t turn it up. I’ll drop a link here in case others have trouble with archive.is as well (seems common enough).

(I was unable to edit my last reply to amend with this…)

1 Like

No worries… until recently I was hopeful they’d simply correct the IP address they were advertising. Turns out they don’t want to do that.

The sites now redirect to some really dodgy russian site (https://unitleaks.com/) when using Cloudflare (and only Cloudflare). 

Also, archive.is is stating Cloudflare has never offered assistance to help with this. https://twitter.com/archiveis/status/1090261010353512451

At this point, I'm pretty fed up with both Cloudflare and archive.is  Having the page redirect to some dodgy site, is really not okay, no matter who's "fault" it is.

Boy I was so wrong on so many levels with this. It’s entirely on archive.is and their refusal to work with Cloudflare. https://twitter.com/archiveis/status/1018691421182791680

1 Like

1.1.1.1 is a more or less straightforward DNS service. It doesn’t (at this time) block malware or censor dodgy sites or engage in other modification.

(I’m mentally categorizing DNSSEC negative trust anchors and capitalization and EDNS workarounds somewhere off to the side.)

You’re asking Cloudflare to block archive.is, to replace the IP addresses provided by archive.is’s authoritative nameservers with different ones, or (until recently) apparently to set up a special Cloudflare CDN account for archive.is.

I’m not asking them to block anything, I’m just sick of the blame back and forth on this. Both sides are blaming each other, and neither seem to want to step forward and actually correct the issue. Like I said, archive.is is stating that Cloudflare hasn’t offered help, and will not help them correct the issue.

This works on every other resolver than Cloudflares. There is an obvious disconnect someplace, I don’t care where it is, what I do care about is the lack of resolution from both sides. Cloudflare is (apparently) refusing to work with them to get it working.

When 1.1.1.1’s resolvers ask archive.is’s nameservers a question, archive.is gives Cloudflare different IP addresses than it gives other resolvers.

Cloudflare’s simple options are to do nothing, sneak around it by forwarding the requests to another DNS service or using IP addresses archive.is isn’t yet blocking, or ask archive.is why they are doing it and if they can work something out.

archive.is’s simple options are to continue doing this, to reconfigure or fix their DNS servers to stop doing it, or to talk to Cloudflare, reach some sort of deal, and then go back to option 2.

I’m no expert on DNS, so take this with a grain of salt, but Cloudflare seems to be returning different Nameservers. As I understand it, the NS records are pulled from the registrar’s glue records and/or the root nameservers, so this makes me a little confused :confused:

dig NS archive.is @isgate.is
archive.is.             86400   IN      NS      carl.archive.is.
archive.is.             86400   IN      NS      anna.archive.is.
$ dig NS archive.is @1.1.1.1
archive.is.             7768    IN      NS      anna.ns.Cloudflare.com.
archive.is.             7768    IN      NS      ben.ns.Cloudflare.com.

Not saying CF is doing anything devious, but maybe it’s an issue with isnic’s root nameservers or the registrar. The registrar apparently did have an issue with the archive.is domain having an unauthorized transfer until that twitter account complained and got the attention of one of the registry operators, so I wouldn’t be surprised if the registrar is doing something.

Interesting.

NS records exist in both the parent and child zones.

Authoritative nameservers return different results for A, AAAA and CNAME records based on geo IP stuff all the time. Doing the same thing with NS records is unusual but just as easy (if your software is flexible enough).

TLDs could do the same thing, but it’s unheard of, as far as I know. It would be a headache. Their registry software probably doesn’t even support it, and their nameservers are probably using a half dozen different implementations run by a half dozen different organizations. Some of them might not support it and all of them would have to be configured separately.

Doing a dig with Google DNS, OpenDNS, Norton DNS, Commodo DNS and Quad 9 all resolve the same way, with the name servers of anna.archive.is and carl.archive.is. Same with literally every single DNS server listed here: https://public-dns.info/nameserver/nz.html (I picked NZ because that’s where I live)

Yet when run through 1.1.1.1 it resolves to ben.ns.Cloudflare.com and anna.ns.Cloudflare.com

It seems quite strange that literally every other DNS server I test, routes it properly with the exception of Cloudflare. This back and forth with everyone blaming everyone else is getting nowhere. But it’s quite telling that every other provider doesn’t seem to have this problem at all.

It says that archive.is chose to distinguish between Cloudflare and every other DNS service you tried.

Edit: Probably. :smiley:

Yes, I'm absolutely sure they've singled out Cloudflare and then amendmently denied it because... reasons... 
Out of all of the other thousands and thousands of DNS providers, they chose to mess up just Cloudflare. 

Sorry not buying it one bit.

Again, I was so wrong. Sorry.

1 Like

Their tweets apparently explain why they’ve chosen to do it.

https://twitter.com/archiveis/with_replies

Edit: Better link.

I've kept up with their tweets, and in fact tweeted them a few times. If you look at the top reply to what you linked, that's in answer to me in fact. 

They have never said they are intentionally blocking Cloudflare, in fact, they have said the opposite, and have stated that Cloudflare refuses to work with them on it.

Twitter is fairly confusing for these types of threads. Here’s the thread where the operator intentionally takes a stance:

image of tweet

See https://news.ycombinator.com/item?id=19828702 for a comment from Cloudflare’s CEO on this issue.

. The funny thing is - the resolver (should) does support EDNS. They just choose to break Cloudflare - https://ednscomp.isc.org/ednscomp/9fbbe6057e

1.1.1.1 supports EDNS. 1.1.1.1 doesn’t support EDNS Client Subnet (ECS) which people sometimes call EDNS.

1 Like