Tell HN: Unexpected errors with Archive.is on Cloudflare 1.1.1.1 DNS
19 points by obi1kenobi on May 26, 2020 | hide | past | favorite | 10 comments
Set 1.1.1.1 as your primary DNS resolver. Then, try to visit this link: https://archive.md/FyTDB

You should get a certificate warning, and if you choose to proceed anyway, you'll get a Cloudflare-originated 403 Forbidden page.

Now set 8.8.8.8 as your DNS and reload the page, and you'll see it open normally. No broken cert, no 403 status code, just a working website.

I found this very unexpected. Am I missing something obvious, or am I not the only one surprised to see this?




It's the other way around; see this post by Cloudflare CEO Matthew Prince: https://news.ycombinator.com/item?id=19828702


Thanks, that makes sense. Updated the post title to something I felt was more accurate given the situation.


Cloudflare is not MITM-ing, Archive is deliberately misleading Cloudflare.

See previous discussion at https://news.ycombinator.com/item?id=19828317 .


Downgrading to HTTP and removing the path (so just http://archive.md/ ), I get the following:

  Error 1001
  Ray ID: 599a073ddbc3ae0c • 2020-05-26 19:50:59 UTC
  DNS resolution error

  What happened?
  You've requested a page on a website (archive.md) that is on the Cloudflare network. Cloudflare is currently unable to resolve your requested domain (archive.md). There are two potential causes of this:

  Most likely: if the owner just signed up for Cloudflare it can take a few minutes for the website's information to be distributed to our global network.
  Less likely: something is wrong with this site's configuration. Usually this happens when accounts have been signed up with a partner organization (e.g., a hosting provider) and the provider's DNS fails.

  Cloudflare Ray ID: 599a073ddbc3ae0c • Your IP: ... • Performance & security by Cloudflare

This raises more questions:

  - Why doesn't Cloudflare just return NXDOMAIN if it thinks the domain doesn't exist, rather than resolving to a bogus server?

  - Why doesn't it just drop and time out the request, so my computer decides to fall back to an alternate DNS resolver?

  - Why doesn't it show that error text when a path is present, instead of just serving an HTTP 403 Forbidden error with no additional information?


archive.is returns the A records 1.1.1.1 and 1.0.0.1 (Cloudflare IPs) when you query it using Cloudflare DNS. This means that your browser sends a request to 1.1.1.1 with the Host header set to "archive.md". Cloudflare's proxy tries to find the relevant config for archive.md and, not hosting it, tells you it doesn't host that page. It also helpfully informs you that if you just added your site to Cloudflare, it might take a minute for it to show up.


This seems like a bug on Cloudflare's end, to be honest. Archive.md is free to return bogus responses, but that shouldn't break Cloudflare.


That's not how the Internet works at all. archive.md is returning valid IP addresses, they are just the _wrong_ ones. They are actually returning Cloudflare's own DNS IPs. So all this is entirely correct from Cloudflare's point of view. archive.md just needs to quit being so stubborn.


Could some kind soul please post the IP of archive.md? I can't reset right now. Thanks.


Assuming you're looking for the WSJ article "Facebook executives shut down efforts to make the site less divisive", give this a try:

  curl -H "Host: archive.md" http://188.143.233.210/FyTDB > index.html

(You can get archive.md's IP using:

  dig archive.md @8.8.8.8

This should work on practically any Linux box.)
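As an added example (not code from anyone in the thread), the following Python diagnostic applies the two explanations above: it classifies the A records each resolver hands back, flagging the case where a zone points clients at the resolver's own Cloudflare anycast addresses (the "self-referential" answer that produces the cert warning and Error 1001), and builds the Host-header curl workaround from the origin IP seen via another resolver. The per-resolver answers are constructed sample data standing in for live `dig` output.

```python
import ipaddress

# Cloudflare public-resolver anycast addresses, as named in the thread.
CLOUDFLARE_RESOLVER_IPS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "1.0.0.1")}

# Constructed sample: what each resolver returned for archive.md. The 1.1.1.1
# answer is the behaviour the thread describes; the 8.8.8.8 answer is the
# origin IP quoted in the curl command above.
SAMPLE_ANSWERS = {
    "1.1.1.1": ["1.1.1.1", "1.0.0.1"],
    "8.8.8.8": ["188.143.233.210"],
}


def classify_answer(resolver, answers):
    """Return a verdict on the A records `resolver` handed back.

    'self_referential': the zone pointed us at the resolver's own (Cloudflare)
    addresses. The browser then connects there with Host/SNI archive.md, gets a
    certificate for the wrong name and, if it proceeds, a Cloudflare error page
    because Cloudflare has no proxy config for that zone.
    """
    if not answers:
        return "empty"  # NXDOMAIN / no A records: the connection simply fails
    resolver_ip = ipaddress.ip_address(resolver)
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a == resolver_ip or a in CLOUDFLARE_RESOLVER_IPS for a in addrs):
        return "self_referential"
    if any(not a.is_global for a in addrs):
        return "non_global"  # loopback / private space: also not a real origin
    return "origin"


def compare_resolvers(results):
    """Verdict per resolver plus a flag telling whether the verdicts differ."""
    verdicts = {r: classify_answer(r, a) for r, a in results.items()}
    return verdicts, len(set(verdicts.values())) > 1


def curl_via_origin(host, origin_ip, path):
    """The workaround from the thread: fetch from the origin IP learned via
    another resolver, supplying the Host header by hand."""
    return f'curl -H "Host: {host}" http://{origin_ip}{path}'


if __name__ == "__main__":
    verdicts, disagree = compare_resolvers(SAMPLE_ANSWERS)
    for resolver, verdict in verdicts.items():
        print(f"{resolver}: {verdict}")
    if disagree:
        print("resolvers disagree; try:",
              curl_via_origin("archive.md", SAMPLE_ANSWERS["8.8.8.8"][0], "/FyTDB"))
```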


Wow, thanks! Edit: I must say I'm confused as to why changing my hosts file didn't work on Win 10.



