caymanjim 7 years ago

I didn't believe they'd do something like this, so I went to check and prove you wrong, but sure enough, it doesn't resolve. According to this post on Cloudflare's support site, it's not their fault: https://community.cloudflare.com/t/archive-is-error-1001/182....

> This is unfortunately something we can’t do something about. Nameservers responsible for archive.is (ben.archive.is, anna.archive.is) are returning answers tailored to the IP address of the requestor.

  • shakna 7 years ago

    And archive.is blames CloudFlare:

    > it is because of 1.1.1.1

    > try 8.8.8.8

    But compare that answer to the continued technical breakdowns given by CloudFlare as they tried to work out why archive.is is returning an inaccessible IP based on request IP.

    CloudFlare attempted to determine why there was a problem, archive.is shrugged it off.

  • nmjohn 7 years ago

    I did the same research because I too found it hard to believe and it's still not clear to me how the problem is not on cloudflare. They claim the upstream is misconfigured, but how then does every single other DNS provider manage to handle it correctly?

    Or are they claiming archive.is is explicitly blacklisting the cloudflare IP range? If that is the case it seems odd they are claiming the upstream is misconfigured as opposed to explicitly blocking them. Something does not add up correctly.

    • meta_AU 7 years ago

      Sometimes 1.1.1.1 is used as a testing value, and can get blocked for reasons. CloudFlare is getting a huge amount of spam IP traffic to 1.1.1.1 from misconfigured equipment, it wouldn't be too surprising if some upstreams have firewalled valid IPs.

      • nmjohn 7 years ago

        When cloudflare resolves addresses, the DNS request is not coming from 1.1.1.1, it's coming from the IP address of the server actually making the request. You can confirm this by looking at the results of a VPN DNS leak test [0] and seeing the IPs being used to resolve the addresses do come from cloudflare, but are not 1.1.1.1.

        [0]: https://www.dnsleaktest.com/

    • JdeBP 7 years ago

      > how then does every single other DNS provider manage to handle it correctly?

      They do not handle it at all. Remember that the responses are tailored to the IP address of the client, i.e. Cloudflare's back end. It is not Cloudflare that is doing that tailoring. So the question that you should be asking is how come archive.is did that tailoring for (as you claim at any rate, although I suspect that no-one has exhaustively tested this before claiming it) every single other DNS provider and not Cloudflare.

      Indeed, if you read what you replied to, you'll find that it's the inverse of that situation. archive.is answers are explicitly tailored by archive.is for whenever it is, specifically, Cloudflare asking. So the question that you should be asking is how come archive.is is saying that it is on a Cloudflare-hosted CDN ("cdn-wo-ecs.archive.is", mapped to Cloudflare hosting IP addresses), but only saying that when it is Cloudflare asking.

      Once you ask that latter question, you'll get to the meat of the issue, which is that archive.is demands that Cloudflare et al. pass on (most of) your IP address to them, and returns fake name-to-address mappings for Cloudflare and indeed anyone else who says that (for privacy or otherwise) they are not going to pass on that kind of ultimate client identifying information to archive.is nor to anyone else.

      (It's archive.is tailoring its response where there is no EDNS0 client subnet, a.k.a. ECS, information, for the technical. That's what the "wo-ecs" means.)
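
Added example (not part of the thread or any commenter's code): the EDNS0 client subnet (ECS, RFC 7871, option code 8) discussed in the comment above, shown as the wire-level difference between a query that forwards a truncated client prefix and one that does not. The query name and prefixes are constructed sample values from documentation ranges.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 Client Subnet option, RFC 7871

def build_query(name, ecs=None, txid=0x1234):
    """Build an A query with an OPT record; ecs is a prefix such as '203.0.113.0/24' or None."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    rdata = b""
    if ecs:
        net = ipaddress.ip_network(ecs)
        family = 1 if net.version == 4 else 2
        # Only the bytes covered by the prefix are sent, not the full client address.
        addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
        body = struct.pack("!HBB", family, net.prefixlen, 0) + addr
        rdata = struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body
    # OPT pseudo-record: root name, type 41, class = UDP payload size, TTL = flags, RDLEN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", 1, 1) + opt

def _skip_name(msg, pos):
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def extract_ecs(msg):
    """Return the client subnet a DNS message carries, or None when no ECS option is present."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos, end = pos + 10, pos + 10 + rdlen
        while rtype == 41 and pos + 4 <= end:  # walk the options inside the OPT record
            code, optlen = struct.unpack("!HH", msg[pos:pos + 4])
            if code == ECS_OPTION_CODE:
                family, src_len, _scope = struct.unpack("!HBB", msg[pos + 4:pos + 8])
                cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
                addr = msg[pos + 8:pos + 4 + optlen].ljust(4 if family == 1 else 16, b"\x00")
                return str(cls((addr, src_len), strict=False))
            pos += 4 + optlen
        pos = end
    return None
```

An authoritative server that keys its answers on this option sees only the resolver's own source address when `extract_ecs` returns `None`.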

  • twhb 7 years ago

    I'm guessing archive.is has misidentified DNS requests from 1.1.1.1 as a DDoS, so is resolving them to the requester's own IP address in an attempt to get them to DDoS themselves.

    "returning answers tailored to the IP address of the requestor" is normal and correct behavior for most large websites, the problem is that one of those IP addresses is wrong. Specifically, when the requester is CloudFlare, archive.is is returning a CloudFlare internal IP address instead of their own. I'm guessing where they got that IP address is that it's the requester, and where they got mixed up is that virtually all high-volume DNS requesters that appear overnight are DDoS attacks.

solarkraft 7 years ago

Oh, amazing. Thanks, I thought the site was down.