Tell HN: Unexpected errors with Archive.is on Cloudflare 1.1.1.1 DNS

19 points by obi1kenobi 5 years ago

Set 1.1.1.1 as your primary DNS resolver. Then, try to visit this link: https://archive.md/FyTDB

You should get a certificate warning, and if you choose to proceed anyway, you'll get a Cloudflare-originated 403 Forbidden page.

Now set 8.8.8.8 as your DNS and reload the page, and you'll see it open normally. No broken cert, no 403 status code, just a working website.

I found this very unexpected. Am I missing something obvious, or am I not the only one surprised to see this?

obi1kenobi 5 years ago

Downgrading to HTTP and removing the path (so just http://archive.md/ ), I get the following:

"""
Error 1001
Ray ID: 599a073ddbc3ae0c • 2020-05-26 19:50:59 UTC
DNS resolution error

What happened?
You've requested a page on a website (archive.md) that is on the Cloudflare network. Cloudflare is currently unable to resolve your requested domain (archive.md). There are two potential causes of this:

Most likely: if the owner just signed up for Cloudflare it can take a few minutes for the website's information to be distributed to our global network.
Less likely: something is wrong with this site's configuration. Usually this happens when accounts have been signed up with a partner organization (e.g., a hosting provider) and the provider's DNS fails.

Cloudflare Ray ID: 599a073ddbc3ae0c • Your IP: ... • Performance & security by Cloudflare
"""

This raises more questions:

  - Why doesn't Cloudflare just return NXDOMAIN if it thinks the domain doesn't exist, rather than resolving to a bogus server?

  - Why doesn't it just drop and time out the request, so my computer decides to fall back to an alternate DNS resolver?

  - Why doesn't it show that error text when a path is present, instead of just serving an HTTP 403 Forbidden error with no additional information?

  • 1f60c 5 years ago

    This seems like a bug on Cloudflare's end, to be honest. Archive.md is free to return bogus responses, but that shouldn't break Cloudflare.

    • stedaniels 5 years ago

      That's not how the Internet works at all; archive.md is returning valid IP addresses, they are just the _wrong_ ones. They are actually returning Cloudflare's own DNS IPs. So all this is entirely correct from Cloudflare's point of view. archive.md just needs to quit being so stubborn.

  • snek 5 years ago

    archive.is returns A records 1.1.1.1 and 1.0.0.1 (Cloudflare IPs) back when you query them using CF DNS. This means that your browser sends a request to 1.1.1.1 with the Host header set to "archive.md". Cloudflare's proxy tries to find the relevant config for archive.md, and not hosting it, tells you it doesn't host that page. It also helpfully informs you that if you just added your site to Cloudflare, it might take a minute for it to show up.

dhimes 5 years ago

Could some kind soul please post the IP of archive.md? I can't reset right now. Thanks.

  • 1f60c 5 years ago

    Assuming you're looking for the WSJ article "Facebook executives shut down efforts to make the site less divisive", give this a try:

      curl -H "Host: archive.md" http://188.143.233.210/FyTDB > index.html
    

    (You can get archive.md's IP using:

      dig archive.md @8.8.8.8
    

    This should work on practically any Linux box.)

    • dhimes 5 years ago

      Wow, thanks! Edit: I must say I'm confused as to why changing my hosts file didn't work on Win 10.