Cloudflare DNS

thehackernews.com/2018/04/fastest-dns-service.html

Can it be trusted? It has a faster response time than Google's DNS, which is impressive.



botnet
botnet

Just use your ISP's DNS tbh.

That's a funny way to spell OpenNIC

Depending on your ISP that's certain doom, compared to the uncertain doom of this one.
Cloudflare would have to be lying very explicitly with the cooperation of a large auditing company to botnet it up. That's not strictly impossible, but I doubt it would be worth it.

According to some tests I have seen it is really the fastest
I wouldn't use it myself, but will probably set it while configuring someone's computer

I really don't understand how this whole DNS thing works
Why are we dependent on internet-based DNSs instead of each device working as its own DNS server? Having your own DNS server is not simple, needing to set up a Raspberry (Pi-hole), buy a specific router or install strange software
If the DNS solving is done outside, how does DNS-based adblocking work?

Think about it for a minute. How would your device know which IP address example.org points to? It needs some other source of information to know, so it would need to defer to another DNS server. It would just be a local cache.
DNS-based adblocking works by modifying the hosts file. It's a local file that's used for domain name resolution first. DNS is used if a domain name can't be found in the hosts file.

who knew?

Yes, that much I know
But why can't modern devices work as their own DNS server if even Raspberrys and routers are capable?

The fact that it ever hits the disk is bad.

It doesn't.
blog.cloudflare.com/announcing-1111/

The reason they log at all is that it's part of the deal. They got control of 1.1.1.1 from APNIC under the condition that they perform research on the traffic it receives, with all kinds of precautions taken.

How would a client contact them?
DNS servers are contacted by their IP address; your computer / router contacts the DNS server via its IP and asks it which IP belongs to a given URL. This works because the DNS server's IP is known and can be contacted directly. For every device / website / whatever to be its own DNS server, it would
a) have its IP known to your machine (thus, every client would need a full lookup database)
b) constantly send broadcasts to every client. Aka, to all of the billions of devices connected to the Internet at any given time
Also, what would stop Ivan Hackowski from pretending his phishing site's IP was the one belonging to google.com or whatever? Which of the 572591 servers pretending to be eBay should a client connect to?

There's nothing positive about all this.

Interesting. Can you post links to verify this?

commonsense.org


labs.apnic.net/?p=1127

Google was built partly on a grant by the Massive Digital Data Systems Project, which was a cooperation between several security agencies, including the CIA. Google probably doesn't need any more grants nowadays, but they still cooperate with intelligence agencies. Don't know about Cloudflare.

archive.fo/OzLm8

can't you just use a site's IP address to bypass the need for a DNS server? how would one obtain a site's IP though?

Obtaining a site's IP address is easy - just send a request to your DNS server of choice.

I typed in the IP address for 8ch.net, and it just gave me a cloudflare error "Direct IP access not allowed"...

If it's behind Cloudflare you need to send the appropriate header to indicate which host name you want to visit, which you can do even without having looked up the IP address. Or you can use the real IP address, if you know it and if the server is set up right.
Here's a link to access Zig Forums directly:
206.223.147.214
Here's a way to fetch Zig Forums's frontpage via Cloudflare without using DNS:
$ curl -k -H 'Host: 8ch.net' 104.20.43.57/index.html
The -k flag disables the certificate check, because Zig Forums requires HTTPS but curl doesn't know which domain name to check against.
If you want to do it the boring practical way you can add the IP address to your hosts file as 8ch.net so you can just use 8ch.net as normal without executing DNS queries.

what said it's too obvious
This is a copy pasta but it resumes the situation correctly:

-cloudflare makes it extremely difficult for Tor users and users who disable javascript. This difficulty was originally just a simple CAPTCHA, that progressed into impossible CAPTCHAs (CAPTCHAs that would reject all answers), and finally outright blocks in the case of archive.is; this effectively bans the most security and privacy-conscious users from your site.

-cloudflare arbitrarily bans whoever they want. Today, it is Tor users who disable javascript. Tomorrow, it could be all Firefox users, Linux users, VPN users, Brazilians, Germans, Snowden supporters, filesharers, anons, children, women, homosexuals, Christians. The exact criteria don't matter, because it is completely at the whim of cloudflare.

-cloudflare completely breaks SSL

Standard SSL handshake:
User -> website's key -> website
Cloudflare SSL handshake:
User -> cloudflare's key -> cloudflare -> website's key -> website

Who gives a shit? If you are putting any form of trust into DNS you're a retard. Cuckflare is fucking cancer and the worst thing to happen to the internet in the last decade. Now when we just want to read a paragraph of text extracted from some faggot clickbait site, we have to configure our scraper in all kinds of special snowflake ways to not trigger cuckflare to block us from the site. Why do these retarded faggots have to be mentioned so many times in this board?
"not logging data" has been a standard bullet point to put on your marketing list for 10 years now. The problem is retards like you making a thread because you read this bullet point in some small text somewhere.

Which proves how fucking retarded cuckflare is. They think (or pretend) that there is some sort of security gain from not routing you to some site by default when you provide no Host header. IIRC (I'm not a web shotter so don't quote me on this) for a site with one IP and one hostname, HTTP 1.0 will just route you to the single site, while HTTP 1.1 and newer require a Host header because the spec says so. There may be some subtle implications (in the vein of CSRF) in not routing somewhere without an explicit Host header, but then the error message "no direct IP access allowed" would still be absurd and indicate that the developers are retarded. Normal HTTP 1.1 + websites will just give you a standard 403 error or something similar.

opennic is great in theory but what verification does opennic do on their servers. anyone can add shit on there and just lie about logs. still probably use opennic over cloudflare.


ISP can see it anyway unless you're using encrypted DNS.

apache is fully capable of routing without host in the header, in fact it's the default behavior. unless you explicitly play games it'll route to the first configuration file, or first site if it's one big file, by default if no host is specified.

of course (((they))) would love nothing more than to release a spec saying a domain name is required for http and have the browser reject requests by default to straight ip addresses, buy our domains goy, and remember your site better be kosher or we're shutting it down.

there's some common configuration people use where you need to send the Host header or it gives 403, unless you use HTTP 1.0. maybe apache, maybe nginx, maybe some way apache is configured with a certain package, etc. tons of sites do this.

I truly believe cloudflare is part of the global plan to truly control the internet. I mean, even their SSL is fake, since they MITM it (and the browser won't tell you about it).

Marginally faster, they must've stopped allowing ping requests to 1.1.1.1 because I was getting 24ms to 1.1.1.1 and 54ms for 8.8.8.8 but can't ping Cloudflare DNS anymore.

Tbh, it's better than using Google or your ISP's DNS.


hello chaim

I get 42.632ms to 8.8.8.8 and 42.724ms for 1.1.1.1.
To the nonbotnet dnscrypt resolver I use, I get 47.429ms.

8.8.8.8 is still coming up as slightly faster for me.


SSL is fake to begin with, period.

Run BIND on your machine and set DNS to 127.0.0.1

The name -> IP mappings come from nameservers that are queried by resolvers. Run your own resolver.

It's really simple - if you don't send a Host header, Cloudflare doesn't know which website you want. The same IP address handles multiple sites.
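The Host-header dispatch argued about above (HTTP/1.0 falling through to a default site, HTTP/1.1 requiring Host, a shared-IP proxy refusing to guess), modelled as an added example; this is illustration code, not Cloudflare's or Apache's, and the vhost table and request bytes are constructed. RFC 7230 makes a missing Host on HTTP/1.1 a 400, which the thread's "403" observations are a local variant of.

```python
# Added example: how a front end on a shared IP picks a site from the
# Host header. VHOSTS and the request samples are constructed for this
# illustration; the behaviours follow the thread's discussion.
from typing import Optional, Tuple

# Constructed vhost table: one IP, several names. The first entry is the
# site an Apache-style server would fall through to when no Host is given.
VHOSTS = {
    "first-site.example": "site A document root",
    "8ch.net": "site B document root",
}
DEFAULT_SITE = next(iter(VHOSTS))


def parse_request(raw: bytes) -> Tuple[str, str, dict]:
    """Return (request line, HTTP version, lowercase header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    version = parts[2][len("HTTP/"):]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0], version, headers


def route(raw: bytes, strict_shared_ip: bool = True) -> Tuple[int, Optional[str]]:
    """Pick (status code, site) for a request arriving on the shared IP.

    strict_shared_ip=True models a reverse proxy fronting many unrelated
    sites: with no usable Host it refuses rather than serve anyone's site.
    strict_shared_ip=False models a single Apache box that serves its
    first vhost when an HTTP/1.0 client sends no Host at all.
    """
    try:
        _, version, headers = parse_request(raw)
    except ValueError:
        return 400, None
    host = headers.get("host")
    if host is not None:
        host = host.split(":")[0].lower()     # drop an explicit port
        if host in VHOSTS:
            return 200, host
        return 403, None                      # this IP, but not a site we serve
    if version == "1.0" and not strict_shared_ip:
        return 200, DEFAULT_SITE              # legacy fall-through
    if version == "1.0":
        return 403, None                      # proxy will not guess a site
    return 400, None                          # HTTP/1.1 MUST carry Host (RFC 7230)
```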

>It's ok. trust these guys they're (((professionals)))

No. Regardless of your opinion of sites like stormfront the fact they kick you off their platform at all is reason enough not to trust them. The fact they start talking about security and privacy now that normies suddenly care about it, despite it being 6 YEARS after the snowden leaks, means it's just an attempt to bandwagon.

So you think every time your favorite image board or game site gets DDOSd it's because of the nsa / cloudflare? I'm going to go ahead and guess it's not the NSA, but random fucks taking advantage of the thousands of open memcached servers that have a 50 thousand X amplification.


So, what's a reasonable way of making website ddos-proof?
Setting up your own constellation of gateways? Cloudflare is cheaper and easier.

There is no way you can do it. With this memcached ddos for example getting hundreds of gigabits per second is trivial. You simply have to have enough bandwidth to deal with it. There is no amount of software filtering that can deal with your pipe being filled.

Demonstrably untrue.

Yeah he must have missed the years of blog posts documenting the slow roll out.

You don't know what you've got until it's gone. Or in this case, you don't know what you've got, until it's got you.

...

I was backing up your point.

I thought you were implying that this was a sequence of secret CIA / NSA investment

That would be completely inane.

>206.223.147.214
How the fuck did you get that

I trust CF less than I trust the CIA to anally probe me.

turn it off and on again

It was leaked once and people just remembered it. Some guy on >>>Zig Forums used to link to their threads this way.

I think it may have been leaked originally, but they later pointed straw-berry.net at it, so it's not secret.

cloudflare has been instrumental in breaking the internet. Along with javashit, the destruction of www is nearly complete. Time to move on to more fundamental protocols and technology I see.

And you are going to personally dedicate all your time to writing new unprofitable protocols that are only good for piracy?

A MitM service that breaks SSL's purpose, managed by the people who brought you Project Honey Pot.
What do you think?

You know every VPS provider has access to your private keys when you run a server right? You know that when you use a colo datacenter with your own servers that the staff can get your keys right? You know that your authoritative DNS provider can negotiate a new key without your permission? None of this SSL shit is unique to cloudflare.

They don't just have theoretical access to your private key, they constantly use it. They need to, because caching content is hard if you can't look inside the HTTP stream to see what's being requested.

And this is a good thing

Sure, but one chooses to use a VPN, and datacenter staff interference is not as practically relevant as what Cloudflare's doing, basically a reverse VPN for a good chunk of all smaller sites people enter information on.
It's not the only way to achieve this by a long shot, but it's a very straightforward way for law enforcement to monitor 'extremist' sites like this one without explicit cooperation by Filipino pig farmers.
Just DDoS a target and force them to turn to a handful of powerful anti-DDoS services and you have a very efficient way to monitor all their users and posts.

It would be a smart thing for the NSA to sponsor, and both the free subscription and this new 1.1.1.1 address must cost a fortune.

This is explained easily. It's not unlimited. They say it is, and then will cite "layer 7 attacks" and kick you off while they shill the business tier to you. The larger customers pay more than enough to cover this.

They already run a DNS infrastructure. It's not like they added thousands of extra servers for this. They just add one more service to their current deployments.

Look, these DDoS attacks are real. It's not the fucking NSA attacking rando sites they don't like. Right now you can go download trivial scripts to do memcached attacks.

Can you expand on that?

Do you mean the issues with certificate authorities?

Seeing cloudflare blocks some content, I'm not sure I trust them to not use nxdomain or just meddle with unwanted requests.

This is what worries me. If you didn't want to use cloudflare to proxy your site, now you're stuck where anyone using their DNS could be proxied without you even knowing.

You all should be timing the queries not the pings to the servers.
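Measuring what the post above asks for, resolver latency on an actual query rather than an ICMP ping, as an added example that is not from the thread. The wire-format helpers are written for this illustration; 1.1.1.1 and 8.8.8.8 are the resolvers compared in the thread, example.org is an assumed query name, and SAMPLE_RESPONSE is a constructed reply, not captured from any resolver.

```python
# Added example: time a resolver with a real DNS query over UDP instead of
# an ICMP ping. SAMPLE_RESPONSE is constructed, not captured.
import os
import socket
import struct
import time
from typing import List, Tuple

def build_query(name: str, txid: int) -> bytes:
    """Standard query, recursion desired, one A question for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name, return the new offset."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(data: bytes, txid: int) -> List[str]:
    """Return A-record addresses from a response after checking its id."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply not for our query")
    if flags & 0x000F:                  # RCODE != 0, e.g. NXDOMAIN/SERVFAIL
        raise ValueError("server returned rcode %d" % (flags & 0xF))
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs

def time_query(server: str, name: str, timeout: float = 2.0) -> Tuple[float, List[str]]:
    """Send one query to server:53 and return (milliseconds, A records)."""
    txid = int.from_bytes(os.urandom(2), "big")   # random id, checked on reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
        elapsed_ms = (time.perf_counter() - start) * 1000.0
    return elapsed_ms, parse_a_records(data, txid)

# Constructed reply to the example.org query with id 0x1234: flags 0x8180
# (response, RD, RA), one answer pointing at the question name (0xC00C),
# A record 192.0.2.1 (documentation range), TTL 3600.
_Q = build_query("example.org", 0x1234)
SAMPLE_RESPONSE = (_Q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + _Q[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                   + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    for resolver in ("1.1.1.1", "8.8.8.8"):   # resolvers compared in the thread
        ms, ips = time_query(resolver, "example.org")
        print("%s answered in %.1f ms: %s" % (resolver, ms, ", ".join(ips)))
```

Run it a few times and compare medians; a single cold query includes the resolver's own upstream lookups, which is exactly the part a ping never measures.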

We know both G and CF have a large anycast network. Seeing CF already handles a lot of DNS, making a public NS only reduces the amplification attacks they get from other NS.

$ dig ebay.com @8.8.8.8 +trace

; DiG 9.8.3-P1 ebay.com @8.8.8.8 +trace
;; global options: +cmd
. 257205 IN NS a.root-servers.net.
. 257205 IN NS b.root-servers.net.
. 257205 IN NS c.root-servers.net.
. 257205 IN NS d.root-servers.net.
. 257205 IN NS e.root-servers.net.
. 257205 IN NS f.root-servers.net.
. 257205 IN NS g.root-servers.net.
. 257205 IN NS h.root-servers.net.
. 257205 IN NS i.root-servers.net.
. 257205 IN NS j.root-servers.net.
. 257205 IN NS k.root-servers.net.
. 257205 IN NS l.root-servers.net.
. 257205 IN NS m.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 2078 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 486 bytes from 198.41.0.4#53(198.41.0.4) in 2103 ms

ebay.com. 172800 IN NS a1.verisigndns.com.
ebay.com. 172800 IN NS a2.verisigndns.com.
ebay.com. 172800 IN NS a3.verisigndns.com.
ebay.com. 172800 IN NS ns1.p47.dynect.net.
ebay.com. 172800 IN NS ns2.p47.dynect.net.
ebay.com. 172800 IN NS ns3.p47.dynect.net.
ebay.com. 172800 IN NS ns4.p47.dynect.net.
;; Received 371 bytes from 192.31.80.30#53(192.31.80.30) in 1135 ms

ebay.com. 3600 IN A 66.211.162.12
ebay.com. 3600 IN A 66.211.185.25
ebay.com. 3600 IN A 66.135.216.190
ebay.com. 3600 IN A 66.211.181.123
ebay.com. 3600 IN A 66.211.160.86
ebay.com. 3600 IN A 66.135.209.52
ebay.com. 172800 IN NS ns2.p47.dynect.net.
ebay.com. 172800 IN NS ns3.p47.dynect.net.
ebay.com. 172800 IN NS a3.verisigndns.com.
ebay.com. 172800 IN NS ns4.p47.dynect.net.
ebay.com. 172800 IN NS ns1.p47.dynect.net.
ebay.com. 172800 IN NS a1.verisigndns.com.
ebay.com. 172800 IN NS a2.verisigndns.com.
;; Received 271 bytes from 204.13.250.47#53(204.13.250.47) in 27 ms

$ dig yahoo.com @1.1.1.1 +trace
; DiG 9.8.3-P1 yahoo.com @1.1.1.1 +trace
;; global options: +cmd
. 153 IN NS a.root-servers.net.
. 153 IN NS b.root-servers.net.
. 153 IN NS c.root-servers.net.
. 153 IN NS d.root-servers.net.
. 153 IN NS e.root-servers.net.
. 153 IN NS f.root-servers.net.
. 153 IN NS g.root-servers.net.
. 153 IN NS h.root-servers.net.
. 153 IN NS i.root-servers.net.
. 153 IN NS j.root-servers.net.
. 153 IN NS k.root-servers.net.
. 153 IN NS l.root-servers.net.
. 153 IN NS m.root-servers.net.
;; Received 420 bytes from 1.1.1.1#53(1.1.1.1) in 32 ms

com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
;; Received 487 bytes from 199.9.14.201#53(199.9.14.201) in 104 ms

yahoo.com. 172800 IN NS ns1.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns4.yahoo.com.
;; Received 281 bytes from 192.42.93.30#53(192.42.93.30) in 843 ms

yahoo.com. 1800 IN A 72.30.35.9
yahoo.com. 1800 IN A 72.30.35.10
yahoo.com. 1800 IN A 98.137.246.7
yahoo.com. 1800 IN A 98.137.246.8
yahoo.com. 1800 IN A 98.138.219.231
yahoo.com. 1800 IN A 98.138.219.232
yahoo.com. 172800 IN NS ns4.yahoo.com.
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.
yahoo.com. 172800 IN NS ns1.yahoo.com.
;; Received 377 bytes from 68.142.255.16#53(68.142.255.16) in 18 ms

This is why I wished people would be less greedy and use crypto to replace antiquated services like dns, ssl certs, and even arin authorities.

And how exactly are you going to verify that the cryptographic key you are using is actually owned by the site you are using? You are either going to say fuck it and get MITMd, or you are going to go to a repository you trust to tell you if it's the real key or not. AKA a certificate authority.

Right now you're claiming that crypto is secure enough for banking but not for browsing?

Who's your authority for ssl certs and whois queries? Google or some other "trusted" authority?

What, where the fuck did I say that?

Yes. And if I want to I can replace them as certificate authorities. Any alternative is just going to be different authorities.

You can get MITM'd anyway if someone clones a website and poisons your DNS; they send you to their non-SSL site that looks identical, even down to the domain name. The only practical way to mitigate this attack would be to block all non-SSL traffic.

...

i would guess DNS SECurity?
seems like no one has it though because shit works like 100% of the time for me


What is so hard to get here?

classic protection racket like the JDL

Look you idiots, it's only a protection racket if the threat is not real. The concept of protection is not itself the racket.

Sure, why wouldn't you trust them? They promised.

are you me? I was about to make that exact comment

and indeed, having a service under "we promise" is a red flag

Are you suggesting that Cloudflare runs botnets to massively DDoS websites in order to get them to sign up for Cloudflare DDoS protection? That's a spurious claim.

-- Posted from my Cloudflare-trafficked Zig Forums account

found the web shotter

Yes, encryption requires you to have the key for the person you want to talk to. You can ask some guy who claims to be trustworthy for the key instead, but that's just retarded. Even namecoin is better than X.509.

Yes, so they should give a 403 or whatever standard error instead of "le access denied XDDD".

look you fucking mongloids, cuckflare has nothing to do with DDoS mitigation. it's a ((("web security"))) provider and CDN. it literally only mitigates DDoS because it has to in order to implement a reverse proxy (required to implement things like anti scraping etc, for example if you're not on a good goy IP the following text will be blocked out because 8ch uses cuckflare: [email protected] ). saying you need cuckflare to mitigate DDoS is like saying you need Myspace or VK to chat on the internet

[email protected]

sheeit it isn't happening now

yes

lol

Cloudflare will give you the IP address of the origin server if you submit a DMCA request, so the requester can contact the origin host if they wish. Post some OC, assert copyright violation and DMCA it and you have the source IP. Or you could just fake it...

The MitM stuff is dreadful, but really it is the fault of browser makers and certificate issuers for not rejecting Cloudflare certs for this.

Also it is not a wholly valid criticism. If you are on a pro (~$20 a month) or above plan you can do end to end HTTPS using your own cert, without them MitMing your traffic. They still proxy your static content on the edge using their own cert though, so that is insecure.

Cloudflare will also threaten customers who use "too much" bandwidth and try to force them onto their ludicrously expensive enterprise plans, they run cheaper plans through garbage tier networks into PoPs in far away cheaper locations, etc. Terrible company.

...

Enjoy getting your site shut down by some skid

Preferable to it being shut down by Cloudflare for wrongthink or blackmail upselling.

Hummm, let's see what the odds are. Well, one website was taken down for the wrongthink reason. And uhhhh tens of thousands taken down by skids.

If you're talking odds, the odds of them tracking all your users and selling the data on is 100%.

How else do they give me the analytics dashboard that I want? They sure as fuck can't afford to store it all forever.

That's a big claim. Do you have literally any evidence?

Those skids are working for cloudflare tbh. ;^)

It's literally all over their ToS and privacy policies.

"You acknowledge that Cloudflare may use this data to improve its service or enable other services"

"Cloudflare may aggregate data we acquire about our users and the visitors to their websites. [...] If we assemble this sort of data and provide it to external parties, [...] Please note, data that our users provide to us, such as log files of their sites’ visitors, may be included in the aggregate data, reports, and statistics."

Are they just giving this info away? I think not.

AKA the reports they do about TLS usage and bullshit like that.

nice selective edit

What cloudflare certs? I didn't install any of those, and I use only Lynx or Links to post here.
My guess is the site owners gave their ssl certs to cloudflare who installed it on all their proxies.

Cloudflare is not a certificate authority. Op just seems to think they are. All the "cloudflare certs" are Comodo.