I think there are two angles to look at this. Yes, there’s the attack on the weblog. But there’s also pressure on archive.today, e.g. an FBI investigation [1] and some entity using fictitious CSAM allegations [2].
Jani Patokallio who runs gyrovague.com published a blog post attempting to dox the owner of archive.today.
Jani justifies his doxing as follows "I found it curious that we know so little about this widely-used service, so I dug into it" [1]
Archive.today on the other hand is a charitable archival project offered to the public for free. The operator of Archive.today risks significant legal liability, but still offers this service for free.
It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone. The only credible reason for Jani to publish something like this is if he desires to cause physical harm to the operator of archive.today
Or are we just looking at an unhinged fan stalking their favorite online celebrity?
People were critical of the Banksy piece, but this is much nastier. At least Banksy is a huge business, archive.today does not even make money.
Jani here. What you describe as "doxxing" consisted of a) a whois lookup for archive.is and b) linking to a StackExchange post from 2020 called "Who owns archive.today" [1]. There is literally no new information about the site's owner in the post, all names have been dug up before and are clearly aliases, and the post states as much.
If the site operator is working for the FSB, doxx away! Although the world needs a better alternative to Internet Archive, it shouldn't be an alternative that is an arm of an authoritarian government.
Maybe, but I don't think that distinction matters here. Surely you're not contending that it counts as doxing every time someone collects data from multiple public sources?
I've always understood doxing to be PII, which aliases aren't, AFAIK, unless they're connected to a real person. And, to my knowledge, everyone is contending that the names in the blog post are all aliases. And, regarding aliases, I've never understood it to be doxing for someone to say "FakeNameX and FakeNameY appear to be the same user."
So, to me, the thing that makes it not look like doxing is that it simply doesn't meet the basic definition of doxing. It provides no PII.
You're both right. Combine the two and you get what doxxing originally was:
"Dox" is short for "documents", and it originally referred to compiling a multi-page document of all known personal information, using disparate public sources: name, address, phone, email, employer, family members, family address/phone etc, etc, etc. It came from troll boards and was designed to make it easy to harass targets.
The term got significantly watered down when it got out to the broader internet.
How low has the bar gotten where doxxing is literally just doing a Google search and a whois lookup about a well-used public website? The hackers of the 90s and aughts would laugh you straight out of the irc server with this comment.
You've thoroughly discredited yourself and your other comments with this. If anything, this comment reads exactly like the messages from the archive.today operator. No sensible person could read the original blog post and read this comment as anything other than an attempt to spread lies and pressure Jani.
You are attempting to perform a rhetorical sleight of hand here. You are well aware that linking to a Stack Exchange post and running WHOIS is not grounds for a DDoS as a measured response. In light of this fact, you attempt to portray it as “doxxing” to mislead people into thinking that someone’s identity or address was published against their will.
I encourage everyone to read the original article and make their own conclusion. Do not take this poster at their word.
>It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone.
I would say the opposite... The DDoS is pretty obviously ridiculous, completely unacceptable, and entirely indefensible, while the blog post seems like whatever.
I honestly cannot fathom defending using your popular website as a tool to DDoS someone you have personal beef with, without the consent of the DDoSing participants.
All your comments are painting archive.today as an innocent victim in all this, but in addition to the DDoS, they have been caught modifying archived pages as well as sending actual threats to Patokallio [1] which in my opinion seem far worse than the "doxxing".
Just the fact alone that they modified archived pages has completely ruined their credibility, and over what? A blog post about them that (a) wasn't even an attack, it is mostly praising archive.today, and (b) doesn't reveal any true identities or information that isn't already easily accessible.
From my perspective at least, archive.today seems like the unhinged one, not Patokallio.
> It's weird to see people getting fixated on the DDoS,
The weird part to me is that some people are seemingly trying to downplay a popular website abusing visitors to DDoS someone.
How does your information (two angles) change anything at all about that fact? Normally if any website was caught abusing visitors to DDoS another website there would be no debate about why this is a bad thing. What about your other angles was supposed to matter in deciding if this was a bad thing for a website to do?
Two wrongs don’t make a right. Feeling wronged by someone doesn’t give you freedom to abuse every visitor to your website to DDoS someone else.
> It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone.
Why even do that, then? Why not just make a public post of theirs like: "Hey, here's someone trying to doxx me, and here's the unfair and fictitious bullshit the lying government is trying to pin on me. Here's all the facts, decide for yourselves."
Why do something as childish as DDoSing someone which takes away any basic good will and decency/respect you might have had in the eyes of many?
That way, it'd also be way more clear whether attempts at censorship are motivated by them acting as a bad actor, or some sort of repression and censorship thing.
I don't really have a horse in this race, but it sounds like lashing out to one's own detriment.
As of now the site is in fact a C&C/botnet. Cloudflare naturally fixates on such risks, not speech (generally). The basic purpose of 1.1.1.2 is to not wind up part of a botnet.
I'm wondering if Jani is possibly going to walk into the wrong party here and get burned. I did some public archival stuff about a decade ago and it was state sponsored and for the intelligence community. I'm not suggesting this is but it'll be very much of interest to competing intelligence services as it's an information control point. None of those are the sort of people you start pissing off by sticking your dick in it. FBI is likely just one of the actors here.
You seem the right person to ask about this: why don’t we see any public web archivers operated by individuals or organizations based in countries that aren’t big fans of aiding or listening to American intelligence?
> Or are we just looking at an unhinged fan stalking their favorite online celebrity?
In this case, question is recursive. I have no idea who Jani Patokallio or gyrovague.com are, and the way Jason Drury shifts from “tried to dox” to “doxx’d” makes me wonder if this is astroturfing by Jani or Jason or a 3rd party. Who knows!
A bit of context if you are confused why a public DNS server is blocking websites: 1.1.1.2 is a malware-blocking DNS server, similar to an AdBlock DNS server. It is not 1.1.1.1 and 1.0.0.1.
Some time ago, probably at least a year, likely more, I read a blog post by someone working for Google in Europe who loved using Archive.today and out of curiosity tried to determine who was running it. In the end he gave up, offered to buy the operator a beer or something like that, but if I recall correctly he went to even greater lengths in his research than the blogger discussed in this thread
Sparked a controversial subthread elsewhere here. I don’t think this counts as doxxing, but some people apparently see it that way. It was an entertaining read though.
Archive.today's attack on https://gyrovague.com is still on-going btw. It started just over two months ago. Some IPs get through normally but for example Finnish residential IPs get stuck on endless captchas. The JS snippet that starts spamming gyrovague appears after solving the first captcha.
To be clear, if I have JavaScript blocked for archive.today (which is my default with NoScript; and really there is no site functionality that really needs JS on the user's end), then I don't participate in the DDOS, right?
I'm not a web developer, but I've picked up some bits of knowledge here and there, mostly from troubleshooting issues I encounter while using websites.
I know there are a number of headers used to control cross-site access to websites, and the linked blog post shows archive.today's denial-of-service script sending random queries to the site's search function. Shouldn't there be a way to prevent those from running when they're requested from within a third-party site?
You can't completely prevent the browser from sending the request—after all, it needs to figure out whether to block the website from reading the response.
However, browsers will first send a preflight request for non-simple requests before sending the actual request. If the DDOS were effective because the search operation was expensive, then the blog could put search behind a non-simple request, or require a valid CSRF token before performing the search.
> I know there are a number of headers used to control cross-site access to websites
Mostly these headers are designed around preventing reading content. Sending content generally does not require anything.
(As a kind of random tidbit, this is why csrf tokens are a thing, you can't prevent sending so websites test to see if you were able to read the token in a previous request)
This is partially historical. The rough rule is if it was possible to make the request without javascript then it doesn't need any special headers (preflight)
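The mitigation discussed in the comments above (refuse the preflight, check the cross-site context, require a token the embedding page cannot read), sketched as server-side logic that runs before any expensive search work. This is an added example, not code from the thread or from either site; `SITE_ORIGIN`, the `x-search-token` header name and the session shape are assumptions.

```javascript
// Added example, not code from the thread.
// Sec-Fetch-Site and Origin are standard request headers; SITE_ORIGIN,
// the x-search-token header name and the session object are assumptions.
const SITE_ORIGIN = 'https://blog.example';
const TOKEN_HEADER = 'x-search-token';

// Compare two strings without returning early on the first mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

function deny(reason) {
  // No Access-Control-Allow-* headers are ever returned on a refusal.
  return { status: 403, runSearch: false, reason, headers: {} };
}

// req: { method, headers } with lower-cased header names.
// session: { csrfToken } handed out earlier inside a same-origin page.
function gateSearchRequest(req, session) {
  const h = req.headers || {};

  // 1. Same-origin requests never preflight, so any OPTIONS here comes from
  //    another origin trying to send a non-simple request. Refusing it means
  //    the browser never sends the real search request.
  if (req.method === 'OPTIONS') {
    return deny('preflight-refused');
  }

  // 2. Fetch Metadata: modern browsers state the relationship between the
  //    initiating page and this site. Only the site's own pages may search.
  const site = h['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin') {
    return deny('cross-site-context');
  }

  // 3. Browsers without Fetch Metadata may still send Origin.
  const origin = h['origin'];
  if (origin !== undefined && origin !== SITE_ORIGIN) {
    return deny('foreign-origin');
  }

  // 4. The simple request still arrives (the browser cannot be stopped from
  //    sending it), so the cheap token check is what keeps it away from the
  //    search backend. A third-party page cannot read the token and cannot
  //    attach the custom header without triggering step 1.
  if (!session || !constantTimeEqual(h[TOKEN_HEADER], session.csrfToken)) {
    return deny('missing-or-bad-token');
  }

  return { status: 200, runSearch: true, reason: 'ok', headers: {} };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_SESSION = { csrfToken: 'constructed-token-7f3a' };
const SAMPLE_REQUESTS = [
  { name: 'third-party page, simple GET', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site' } },
  { name: 'third-party page, preflight for custom header', method: 'OPTIONS',
    headers: { origin: 'https://other.example',
               'access-control-request-headers': 'x-search-token' } },
  { name: 'old browser, no metadata, no token', method: 'GET', headers: {} },
  { name: 'own search box', method: 'GET',
    headers: { 'sec-fetch-site': 'same-origin',
               'x-search-token': 'constructed-token-7f3a' } },
];

// Returns one "name: reason" line per sample request.
function demo() {
  return SAMPLE_REQUESTS.map(
    (r) => `${r.name}: ${gateSearchRequest(r, SAMPLE_SESSION).reason}`
  );
}
```

The trade-off is that search result URLs can no longer be opened directly or linked from other sites, since a plain navigation carries no token.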
I've been getting the endless captcha on my Finnish residential IPs, but I've also been getting that (or outright timeouts) when using VPNs, so I cannot use the site altogether. I wish there were alternatives.
> The crucial context here is that archive.today provides a useful public service for free.
So public services should DDoS is your argument?
> Jani Patokallio runs gyrovague.net in order to harass people who provide useful public services.
I scrolled pretty far through the blog and didn't find anything of that sort. Just a bunch of travel stuff.
Now I'm curious what sort of "harassment" you hallucinated in the sites that were previously targeted by archive.today's DDoS attacks.
By this logic, the Code Green worm is ethical; forcing a security patch upon users who didn’t install one is obviously Not Evil. And that’s why operating systems aren’t wrong to force security updates on their users using invisible phone-home systems that the users aren’t aware of: it’s a small sin that is entirely justified self defense for the users and the device maker. Clearly we should all be updated to iOS 26 without our consent.
The ‘small sin’ of wielding your userbase as a botnet is only palatable for HN’s readers because the site provides a desirable use to HN’s readers. If it were, say, a women’s apparel site that archived copies of Vogue etc. (which would see a ton of page views and much more effective takedown efforts!) and pointed its own DDoS of this manner at Hacker News, HN would be clamoring for their total destruction for unethical behavior with no such ‘it’s just a evil for so much good’ arguments.
Maintaining ethical standards in the face of desire for the profits of unethical behavior is something tech workers are especially untrained to do. Whether with Palantir or Meta or Archive.today, the conflict is the same: Is the benefit one derives worth compromising one’s ethics? For the unfamiliar, three common means of avoiding admitting that one’s ethics are compromised: “it’s not that bad”, “ethics don’t apply to that”, and “that’s my employer’s problem”. None of those are valid excuses to tolerate a website launching DDoS attacks from our browsers.
The person who runs archive.today decided to involve me, and every other visitor, in their dispute. They decided to use us to hurt someone else. That's a pretty big sin in my book.
archive.today has a documented history of altering the archived content, as such they immediately lose the veil of protection of a service of "public good" in my books.
Just my 2 ¢, not that it really matters anymore in this current information-warfare climate and polarization. :/
People are painting this as a mutually exclusive ideological decision. Yet two things can be true:
1) The act of archive.today archiving stories (and thus circumventing paywalls) is arguably v low level illegal (computer misuse/unauthorized access/etc) but it is up for interpretation whether a) the operator or the person requesting the page carries the most responsibility b) whether it's enforceable in third party countries neither archive.today or the page requester reside in
2) DDoSing a site that writes something bad about you is fundamentally wrong (and probably illegal too)
Not really sure if circumventing paywalls is that unlawful across the world, but basically copying and pasting an entire web page is just clear and simple copyright violation.
I know it's petty. But don't act surprised when you find your garbage strewn all over your lawn next morning after you flipped off your neighbor the fourth time.
Archive today being free doesn’t excuse them using their audience to DDoS someone they don’t like or excuse them from modifying archive content. Also documenting who funds a service is in the public interest.
While your article is insightful, can the blog author please redact the actual names and nicks from your original blog post (including the exact places where to find the information)? As this was discussed below. While I think you had good intentions, it might be good to also reflect on the rights of that person not to be identified.
Edit: I misread the comment initially as from someone with more insight. However, I guess it is obvious that anyone can see the JavaScript and participates involuntarily in the DoS.
eastdakota on May 4, 2019 on: Tell HN: Archive.is inaccessible via Cloudflare DNS...
[Via https://news.ycombinator.com/item?id=19828702]
We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.
EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.
We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.
The 1.1.1.1 referred to in the above is Cloudflare's main resolver, 1.1.1.2 & 1.1.1.3 are for those intentionally looking for malware and content blocking.
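What the EDNS Client Subnet option described above puts on the wire, as an added example (not from the quoted comment or from Cloudflare): an encoder and decoder for the RFC 7871 option, IPv4 only, using constructed addresses from documentation ranges. The `whatAuthoritativeSees` helper and its field names are hypothetical.

```javascript
// Added example. Option layout per RFC 7871:
//   OPTION-CODE(2)=8 | OPTION-LENGTH(2) | FAMILY(2) |
//   SOURCE PREFIX-LENGTH(1) | SCOPE PREFIX-LENGTH(1) | ADDRESS(variable)
const ECS_OPTION_CODE = 8;
const FAMILY_IPV4 = 1;

function parseIPv4(text) {
  const parts = String(text).split('.');
  if (parts.length !== 4) throw new Error('not an IPv4 address: ' + text);
  return parts.map((p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) {
      throw new Error('bad octet in ' + text);
    }
    return Number(p);
  });
}

// Build the option a forwarding resolver would attach to its upstream query.
// Only the first sourcePrefixLen bits of the client address are included;
// the remaining bits of the last octet are zeroed, later octets are omitted.
function encodeEcsOption(clientIp, sourcePrefixLen) {
  if (!Number.isInteger(sourcePrefixLen) || sourcePrefixLen < 0 || sourcePrefixLen > 32) {
    throw new Error('prefix length must be 0..32');
  }
  const octets = parseIPv4(clientIp);
  const addrLen = Math.ceil(sourcePrefixLen / 8);
  const addr = octets.slice(0, addrLen);
  const spareBits = addrLen * 8 - sourcePrefixLen;
  if (addrLen > 0 && spareBits > 0) {
    addr[addrLen - 1] &= (0xff << spareBits) & 0xff;
  }
  // Scope prefix-length is 0 in queries; the authoritative server sets it.
  const body = [0, FAMILY_IPV4, sourcePrefixLen, 0, ...addr];
  return Uint8Array.from([0, ECS_OPTION_CODE, body.length >> 8, body.length & 0xff, ...body]);
}

// Parse the option as the authoritative server would.
function decodeEcsOption(bytes) {
  if (bytes.length < 8) throw new Error('truncated option');
  const code = (bytes[0] << 8) | bytes[1];
  const length = (bytes[2] << 8) | bytes[3];
  if (code !== ECS_OPTION_CODE) throw new Error('not an ECS option');
  if (length !== bytes.length - 4) throw new Error('length mismatch');
  const family = (bytes[4] << 8) | bytes[5];
  if (family !== FAMILY_IPV4) throw new Error('only IPv4 handled here');
  const sourcePrefixLen = bytes[6];
  const scopePrefixLen = bytes[7];
  const addr = Array.from(bytes.slice(8));
  if (sourcePrefixLen > 32 || addr.length !== Math.ceil(sourcePrefixLen / 8)) {
    throw new Error('address length does not match prefix');
  }
  while (addr.length < 4) addr.push(0);
  return {
    family,
    sourcePrefixLen,
    scopePrefixLen,
    subnet: `${addr.join('.')}/${sourcePrefixLen}`,
  };
}

// Hypothetical helper: what the authoritative server learns about the client.
// forwardPrefixLen === null models a resolver that sends no ECS option, so
// only the resolver's own egress address is visible.
function whatAuthoritativeSees(clientIp, resolverEgressIp, forwardPrefixLen) {
  const seen = { queryFrom: resolverEgressIp, clientSubnet: null };
  if (forwardPrefixLen !== null) {
    const option = encodeEcsOption(clientIp, forwardPrefixLen);
    seen.clientSubnet = decodeEcsOption(option).subnet;
  }
  return seen;
}
```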
The DNS tunneling flag alongside C&C/botnet is the odd one — that category implies data exfiltration or firewall bypass, not just aggressive crawling or DDoS behavior. Would be interesting to know what traffic pattern triggered it.
I was wondering about this too. I thought that it could be about it being possible to use archive.today to view sites otherwise blocked via DNS, but web.archive.org[1] doesn't have that flag, so it must be something else.
I reported the misclassification, you can do it as well from the linked page.
Edit: reading some comments here, it seems that I was too fast, and that the story is much more complicated. Having just the Cloudflare page as context, I assumed the news was a misclassification. Could someone share more context on what is going on here?
Cloudflare dns has gone back and forth on whether it wants to resolve them since 2019. It’s taken that away and restored it again (intentionally? mistake?) at least four times.
The c&c/botnet designation would seem to be new though.
As far as I am aware, all previous issues with archive.today and Cloudflare were on account of archive.today taking measures to stop Cloudflare's DNS from correctly resolving their domains, not the other way around.
The current situation is due to Cloudflare flagging archive.today's domains for malicious activity, Cloudflare actually still resolves the domains on their normal 1.1.1.1 DNS, but 1.1.1.2 ("No Malware") now refuses. Exactly why they decided to flag their domains now, over a month after the denial-of-service accusations came out, is unclear, maybe someone here has more information.
Sounds a bit like when "Finland geoblocked archive.today". In all actuality, there was no geoblocking of the site in Finland by any authorities or ISPs, but rather it was the website owner blocking all Finnish IPs after some undisclosed dispute with Finnish border agents. When something bad happens, people seem a bit too willing to give archive.today the benefit of the doubt.
For context, archive.today is angry that Cloudflare won't pass through EDNS - which includes things like your IP address, which archive.today explicitly wants for DNS-based geographical routing. The obvious problem with this is that it would deanonymize all 1.1.1.1 users, at least down to their ISP and probably down to the individual subscriber.
Have they? The thing I remember previously was archive.is, and it wasn’t a block, archive.is was serving intentionally wrong responses to queries from cloudflare’s resolvers.
This is notably not a change to how 1.1.1.1 works, it’s specifically their filtered resolution product.
Intentionally, I believe? archive.today iirc has been explicitly blocking Cloudflare from resolving them at various times over the years due to Cloudflare DNS withholding requesting-user PII (ip address) in DNS lookups.
Looking forward to when Google Safe Browsing adds their domains as unsafe, as that ripples to Chrome and Firefox users.
Just tells me they are an unreliable resolver. Instead of being a neutral web infra, they actively participate in political agendas and censor things they "think" is wrong.
1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. If you want an unfiltered DNS, use 1.1.1.1 - which resolves archive.today just fine, although archive.today itself refuses to work on Cloudflare DNS.
I'm just curious, given all the other options that respect your privacy and don't put data collection at the center of their business model, why do you use Cloudflare on your pi-hole?
Because "if it ain't broke, don't fix it." i'm not one of those users who want to endlessly tweak their ad blocker. i want to set it up, clicking as few checkboxes as necessary to get it going, and then leave it. However, (now) knowing that Cloudflare filters differently on each of their servers, i'm incentivized to go tweak a number in the config (as opposed to researching the pros and cons of every possible provider, a detail i truly have no interest in pursuing).
I use unbound (recursive resolver), and AdGuard Home as well (just forwards to unbound). Unbound could do ad-blocking itself as well, but it's more cumbersome than in AGH. So I use two tools for the time being.
The upside is there's no single entity receiving all your queries. The downside is there's no encryption (IIRC root servers do not support it), so your ISP sees your queries (but they don't receive them).
what is the vector here? dns traffic is practically anonymous, there would have to be some very specific and purposeful trickery going on to link dns traffic to an identity. It sounds like something more hypothetical than a tangible threat model
It isn't anonymous. DNS servers resolve IP addresses by hostnames. It cannot then inspect further traffic but it certainly can log your IP address and all URLs a given IP ever hit.
Since ISPs know your identity, and all it takes is to (request and get) the DNS logs and ISP servitude for all sorts of questionable information, you as an identity are giving away all the site domains you visit.
> It cannot then inspect further traffic but it certainly can log your IP address and all URLs a given IP ever hit.
Correction: they can log host names/IPs, not URLs. The path of any given URL is part of the HTTP header, invisible to onlookers (assuming HTTP and assuming HTTPS is uncracked).
Consider that the DNS in question is third-party, that is, it's independent from the ISP. Then the DNS and the ISP will not share data with each other on a routine basis, which would make this concern negligible for everyday traffic.
So to simplify, the DNS provider has a map of IPs to Domains visited, while on the other hand an ISP has a map of IP addresses to identities.
To even cross-reference the data, the ISP and the DNS provider would need to partner, and violate their privacy guarantees.
At the very least it's obvious that using a separate DNS provider than your ISP's provides additional anonymity by decentralizing your traffic. Although this comes with a tradeoff, having 2 providers increases the odds of partial leaks.
This analysis is so overkill for your personal traffic that it borders on tinfoil territory, if we are in a professional setting and are discussing the competitive data of a company or that of thousands of users, then this level of scrutiny is merited, but as-is, separating your DNS provider from your ISP is already very marginal and a bit paranoid. Evaluating the DNS providers to such an extent that a huge security company with good legal standing would somehow qualify as unsafe, for the traffic of one user, I stress, is paralyzingly over-engineering the security of an infrastructure that has already been secured such that users don't need to know what a DNS is and how to configure it in order to have safe and private internet.
Imagine going to the bank and asking the teller for a withdrawal but not disclosing the amount and coming up with a mechanism to withdraw without anyone from the bank knowing what you withdrew. Sure, it increases your security, but also come on, what are we doing here?
Hi. If your response involves explaining the very very basics of DNS to someone that clearly knows what DNS is, please consider the possibility that you may have misunderstood them instead of lecturing them on the basics of ubiquitous internet technologies.
I did some experimenting recently and I'm quite convinced that when I use Comcast's DNS they are selling it to advertisers. I've switched to 1.1.1.1 simply because it annoys me that Comcast is doing this.
if you think a little creatively about how this information could be used by an organization that was created at the insistence of the United States Department of Homeland Security, then you're on the right track.
The "censored" part of archive.today seems unrelated to the filtering itself. 1.1.1.3 flags Pornhub.com as "EDE(17): Filtered" but archive.today is "EDE(16): Censored".
I use cloudflare DNS because it’s faster. But should I worry, having read your comment? What is the downside to using it? What would you recommend instead?
Many years ago I used Cloudflare, and more than once I had issues with them blocking websites I wanted to access.
I absolutely despise that. I want my DNS to resolve domain names, nothing else.
For blocking things I have Pi-Hole, which is under my control for that reason. I can blacklist or whitelist addresses to my needs, not to the whims of a corporation that wants to play gatekeeper to what I can browse.
Are you saying now you just had issues with the quality of service? Or do you want to provide more details to substantiate the claim that they were blocking sites?
No, I do not keep any logs from domain name resolution from the DNS service I used from 7+ years ago. If you do, I commend you.
I used the term "blocking" in a loose sense. I have no idea if Cloudflare was failing to resolve certain domains because it is a shitty service, or if it was ordered to block those domain names by its government, or if it was actively not resolving domain names because it thought a good idea to be a sort of arbiter and gatekeeper. I suspect the last option, but it is just speculation.
What I can affirm is that I had issues more than once with domain name resolution when I used 1.1.1.1. After it annoyed me enough I switched to Quad9, and it has been great ever since, which is why I recommend it as a user of their service.
> I have no idea if Cloudflare was failing to resolve certain domains because it is a shitty service, or if it was ordered to block those domain names by its government, or if it was actively not resolving domain names because it thought a good idea to be a sort of arbiter and gatekeeper.
I'm going to go with option D) whatever shitty site you were browsing to had a broken DNS or more likely DNSSEC configuration and Cloudflare was correct to not serve a corrupt response.
99% of the time, tales of "they're blocking my site! you guys are nazis!" always turn out to have a root cause of broken DNS configuration.
> I'm going to go with option D) whatever shitty site you were browsing to had a broken DNS or more likely DNSSEC configuration and Cloudflare was correct to not serve a corrupt response.
And once I switched DNS I could browse it normally.
This does not align quite well with the scenario you propose.
> "they're blocking my site! you guys are nazis!"
I said no such thing. I said it was a shitty DNS because it failed at the thing I was trying to use it for.
It's not based in "guesswork and fear". It is a first-person account of someone that used their service. A user review, if you will.
There's this thing - when you offer a service to the public, the users of your service, can, will, and should review your service.
So, yes, I am free to "trash talk" a service that was, frankly, terrible at its job in providing domain name resolution. That works as any other user review, a data point so other users may switch away from a bad provider to a better one.
I imagine if someone goes to a restaurant and their hot dish is served cold, if your response to the user review is a silly request for proof that the food was indeed served cold, and whining that their review is "trash talking based on fear and guesswork".
I offered some possibilities of why they did a shitty job in providing naming resolution. I even speculated what was the most likely one (not the one you mentioned).
But it's okay, at this point I have very little optimism regarding your reading ability.
How does that differ from Quad9? You’re subject to Swiss laws, so there’s still a government involved? And you’re now hosted in an area where the US government has far fewer limitations on what they can attempt.
Quad9 is based in Switzerland, but the three founders-sponsors are US-based [0], so I’m not sure if it can be considered 100% safe from US government intervention.
I don't use the public resolvers but here [1] is a script that will show which of those public resolvers is fastest from your location. Add or remove resolvers as you desire. Be sure to scroll down to see a few of the sorting examples. Not my script or repo.
Just as a side note: Something I have done with this in the past as a fun experiment was to set up an Unbound DoT server on assorted VPS nodes in assorted locations around the country, run this script and configure each Unbound to use the 5 to 10 fastest servers on each node and cache results longer. Then I used Tinc (open source VPN) to connect to these VPS nodes from my home's Unbound and distribute the requests among all of them. I save query logs from all of them and use cron to look up all my queries hourly to keep the cache fresh and mess up any analytic patterns for my queries. Just a fun experiment. 99.99% of the time I just query the root DNS servers for what NS servers are authoritative for a given domain or what I call bare-backing the internet.
By this logic, all malicious JavaScript (obvious example is cryptominers I guess, assuming no JS sandbox escape) is C&C, yeah? As it "instructs site visitors" to do something harmful locally?
If you need to be on the site it’s not a botnet and there is no C&C server coordinating the attack. It’s just the JS on the site that makes the attack.
Why? I did not visit the site to participate in a DoS attack; yet my machine was coaxed into participating against my will. Whether this is happening in JS or a drive-by download or a browser 0-day is irrelevant.
Breach of trust by a site whose unstated primary purpose is bypassing paywalls and ripping off content?
20 years ago during the P2P heyday this was assumed to come with the territory. Play with fire and you could get burned.
If you walk into a seedy brothel in the developing world, your first thought should be "I might get drugged and robbed here" and not what you're going to type in the Yelp review later about their lack of ethics.
Well if we are going to use this analogy, 20 years ago virus scanners also flagged malicious stuff from p2p as a virus, and people still thought putting malicious content on p2p was a shitty thing for someone to do (even if it was somewhat expected).
Nobody was shedding any tears 20 years ago for the virus makers who had their viruses flagged by virus scanners.
This is an archive of an Archive.is archive of a blog post. The first sentence of the post says “Jani Patokallio was a woman of exceptional intellect…” This was changed, it originally had someone else’s name (see second paragraph). So, who knows what other archived pages were changed?
I always thought that mainstream media sites with paywalls were pretty far down there in the tier list of websites though. Not sure if this analogy lands unless irony was the goal.
I trust websites not to involve me in crime. I trust news websites to tell me the news. I trust archive websites to give me old versions of websites. I trust paywall circumvention websites to circumvent paywalls.
What I do not see is the irony you insinuate in your post. It is not immoral to charge people for content, nor does that make you less credible. (It might even make you more credible since you now earn money by having happy customers instead of serving more ads.)
Some news sources are not trustworthy but that's independent of there being a paywall.
It amazes me that people still use and recommend Cloudflare's DNS servers for resolution. Cloudflare DNS does not support EDNS Client Subnet. As a result, DNS queries resolved by their service are likely to return IP addresses for many CDNs that are physically farther away from you, leading to a slower internet browsing and viewing experience.
Sacrificing performance for a faster lookup time makes no sense in 2026. This is the one area where I continue to use Google DNS as it just works. Use anything but Cloudflare in this case, please.
Parent pro-tip: Next time the iPad is having Bluey episode playback issues, check to see if you're actually using Cloudflare DNS.
Why? It’s accurate and if the owner has chosen to do this for months now, why should we ever trust they won’t again? Nobody should ever use that site and every optional filter should block them.
There's probably a worthwhile discussion to be had about what it takes for a site in this situation to be removed from blocklists. An apology? Surrender to authorities? Halting the malicious activity for a certain period of time?
Regardless, another user reports the attack is still ongoing[1], so this isn't a discussion that's going to happen about archive.today anytime soon.
I suppose “evidence that the site’s leadership has permanently changed” would convince me. Whoever decided to put in the code that causes visitors to DDOS someone should never be running a web site again.
I mean, probably not. Maybe if they posted a public apology (an actual one, not a 'I'm sorry I was caught' one), listed the steps that they would take to ensure it doesn't happen again and how the fact that they weren't doing it could be publicly verified.
They've shown they're willing to deliberately weaponize their users to fight a personal dispute with someone, and didn't take corrective action when called out. Trustworthiness is something you lose and don't get back.
Because once the problematic content is removed it should no longer be blocked.
>It's accurate
It is neither a C&C server for a botnet, nor any other server related to a botnet. I would not call it accurate.
>Nobody should ever use that site
It has a good reputation for archiving sites, has stood the test of time, and doesn't censor pages like archive.org does, allowing you to actually see the history of news articles instead of them being deleted like archive.org does on occasion.
The site started doctoring archived versions as part of the petty feud. That is, what was supposed to be a historical record, suddenly had content manipulated so as to feed into this fight[0]. There is no redemption. You want to be an archive, you keep it sacrosanct. Put an obvious hosting-site banner overlay if you must, but manipulating the archive is a red-line that was crossed.
...On 20 February 2026, English Wikipedia banned links to archive.today, citing the DDoS attack and evidence that archived content was tampered with to insert Patokallio's name.[19] The decision was made despite concerns over maintaining content verifiability[19] while removing and replacing the second-largest archiving service used across the Wikimedia Foundation's projects.[20] The Wikimedia Foundation had stated its readiness to take action regardless of the community verdict.[19][20]
That line of argument is rather misleading, as some kind of content manipulation is inherent to the service an archive that violates paywalls has to provide. It needs to conceal the accounts it uses to access these websites, and their names and traces are often on the pages it's archiving.
Did AT go beyond that and manipulate any relevant part? That's rather difficult to say now. AT is obviously tampering with evidence, but so is Wikipedia; their admins have heavily redacted their archived Talk pages out of fear one of these pseudonyms might be an actual person, so even what exactly WP accuses AT of is not exactly clear.
While I disagree with that action I still trust the site as a reliable source. Redemption is possible. Maybe not for Wikipedia, but I don't care about that site and consider it rotten.
It's not just problematic content, it's criminal behavior. And the site has a bad reputation for archival, given that the owner altered the content of archived articles.
I'm not sure how illegal copyright violations really are, given that all major tech companies are doing it. DDoS attacks, on the other hand, are pretty clear-cut.
I also think "but they also do that other crime" doesn't help their case.
Do you actually mean edit or do you just mean delete?
Both are problematic, but falsifying a historic record is orders of magnitude worse than deleting one, and conflating them would be extremely dishonest
Are Hacker News users part of a botnet since they link to sites that when people click they go down due to all of the traffic? Am I part of a botnet if I have HN open as it means HN can execute javascript? I think it's stretching the definition.
Hacker News absolutely would be if it was making those requests to random sites that the user doesn’t know about, and have no reason to be making requests to other than attacking them.
I suppose if all the users go on the site intentionally wanting to take part in a DDoS, then sure it’s not a botnet. But that’s not reality.
1.1.1.1 is simply a free DNS, 1.1.1.2 blocks malware, and 1.1.1.3 blocks both malware and adult content. It's a service that does exactly what it's supposed to do.
If I specifically choose a DNS server that promises to not resolve sites that will use my computer in a botnet, then it is that DNS resolver’s place to do that.
The owner of archive.is modifies contents of articles already so I hope you’re not actually depending on it as an archive. It’s a paywall escape hatch not an archive site.
I, for one, completely trust Cloudflare on this one. The guys running a MiTM attack on a substantial chunk of all global internet traffic, and working tirelessly to ensure billions of people behind CGNAT in the global south can't access the free and open web are the premier experts on malicious, predatory, harmful internet-scale network behavior, after all.
They aren’t wrong. They’re literally using scripts on their site in an attempt to DDoS a blog which (partially?) de-anonymized the archive.today operator.
"archive.today is currently categorized as: * CIPA Filter * Reference * Command and Control & Botnet * DNS Tunneling"
Ditto for their other domains like archive.is and archive.ph
Example DoH request:
$ curl -s "https://1.1.1.2/dns-query?name=archive.is&type=A" -H "accept: application/dns-json"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"archive.is","type":1}],"Answer":[{"name":"archive.is","type":1,"TTL":60,"data":"0.0.0.0"}],"Comment":["EDE(16): Censored"]}
---
Relevant HN discussions:
https://news.ycombinator.com/item?id=46843805 "Archive.today is directing a DDoS attack against my blog"
https://news.ycombinator.com/item?id=47092006 "Wikipedia deprecates Archive.today, starts removing archive links"
https://news.ycombinator.com/item?id=46624740 "Ask HN: Weird archive.today behavior?" - Post about the script used to execute the denial-of-service attack
Wikipedia page on deprecating and replacing archive.today links:
https://en.wikipedia.org/wiki/Wikipedia:Archive.today_guidan...
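Added example (not part of any comment in this thread): a small JavaScript classifier for `application/dns-json` responses like the one quoted above, which flags a filtered answer from the sinkhole address and the RFC 8914 Extended DNS Error code in `Comment`. The first sample is the response shown on this page; the other two are constructed for illustration, and the function names are hypothetical.

```javascript
// RFC 8914 Extended DNS Error codes that signal a resolver policy decision.
const POLICY_EDE = { 15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited" };
// Addresses a filtering resolver may hand back instead of the real record.
const SINKHOLES = new Set(["0.0.0.0", "::"]);

// Response body quoted in the thread (1.1.1.2, archive.is, type A).
const PAGE_RESPONSE = '{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"archive.is","type":1}],"Answer":[{"name":"archive.is","type":1,"TTL":60,"data":"0.0.0.0"}],"Comment":["EDE(16): Censored"]}';
// Constructed sample: an ordinary answer using a documentation address (RFC 5737).
const CONSTRUCTED_RESOLVED = '{"Status":0,"Question":[{"name":"example.test","type":1}],"Answer":[{"name":"example.test","type":1,"TTL":300,"data":"192.0.2.10"}]}';
// Constructed sample: NXDOMAIN-style block with the comment as a plain string.
const CONSTRUCTED_NXDOMAIN = '{"Status":3,"Question":[{"name":"example.test","type":1}],"Comment":"EDE(17): Filtered"}';

// Pull every EDE(n) code out of the Comment field, which may be a string or an array.
function extractEdeCodes(comment) {
  const lines = Array.isArray(comment) ? comment : comment ? [comment] : [];
  const codes = [];
  for (const line of lines) {
    for (const m of String(line).matchAll(/EDE\((\d+)\)/g)) {
      codes.push(Number(m[1]));
    }
  }
  return codes;
}

// Return a verdict plus the evidence it is based on.
function classifyDohAnswer(jsonText) {
  let body;
  try {
    body = JSON.parse(jsonText);
  } catch (err) {
    return { verdict: "unparseable", reasons: [], addresses: [], edeCodes: [] };
  }
  const answers = Array.isArray(body.Answer) ? body.Answer : [];
  // Type 1 is A, type 28 is AAAA; other record types carry no address.
  const addresses = answers
    .filter((a) => a.type === 1 || a.type === 28)
    .map((a) => a.data);
  const edeCodes = extractEdeCodes(body.Comment);

  const reasons = [];
  for (const code of edeCodes) {
    if (POLICY_EDE[code]) reasons.push(`EDE ${code} (${POLICY_EDE[code]})`);
  }
  if (addresses.length > 0 && addresses.every((a) => SINKHOLES.has(a))) {
    reasons.push("all answers are sinkhole addresses");
  }

  let verdict;
  if (reasons.length > 0) verdict = "filtered";
  else if (body.Status !== 0) verdict = "error";
  else if (addresses.length === 0) verdict = "no-address";
  else verdict = "resolved";
  return { verdict, reasons, addresses, edeCodes };
}

for (const sample of [PAGE_RESPONSE, CONSTRUCTED_RESOLVED, CONSTRUCTED_NXDOMAIN]) {
  const r = classifyDohAnswer(sample);
  console.log(r.verdict, r.reasons.join("; "));
}
```

Comparing the verdict for the same name across two resolvers separates a resolver-side policy block from a domain that is actually down.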
Thanks for that, I didn't know about that API - which it turns out has open CORS headers so you can call it from JavaScript.
I now have my dream DNS lookup web tool! https://tools.simonwillison.net/dns#d=news.ycombinator.com&t...
https://dohjs.org/ is pretty nifty.
Also: https://dnscheck.tools/
I think there are two angles to look at this. Yes, there’s the attack on the weblog. But there’s also pressure on archive.today, e.g. an FBI investigation [1] and some entity using fictitious CSAM allegations [2].
[1]: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tri...
[2]: https://adguard-dns.io/en/blog/archive-today-adguard-dns-blo...
Jani Patokallio who runs gyrovague.com published a blog post attempting to dox the owner of archive.today.
Jani justifies his doxing as follows "I found it curious that we know so little about this widely-used service, so I dug into it" [1]
Archive.today on the other hand is a charitable archival project offered to the public for free. The operator of Archive.today risks significant legal liability, but still offers this service for free.
[1]: https://gyrovague.com/2026/02/01/archive-today-is-directing-...
It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone. The only credible reason for Jani to publish something like this is if he desires to cause physical harm to the operator of archive.today
Or are we just looking at an unhinged fan stalking their favorite online celebrity?
People were critical of the Banksy piece, but this is much nastier. At least Banksy is a huge business, archive.today does not even make money.
Jani here. What you describe as "doxxing" consisted of a) a whois lookup for archive.is and b) linking to a StackExchange post from 2020 called "Who owns archive.today" [1]. There is literally no new information about the site's owner in the post, all names have been dug up before and are clearly aliases, and the post states as much.
[1] https://webapps.stackexchange.com/questions/145817/who-owns-...
If the site operator is working for the FSB, doxx away! Although the world needs a better alternative to Internet Archive, it shouldn't be an alternative that is an arm of an authoritarian government.
Isn’t doxxing most of the time just collecting data from multiple public sources and connecting them?
Maybe, but I don't think that distinction matters here. Surely you're not contending that it counts as doxing every time someone collects data from multiple public sources?
I've always understood doxing to be PII, which aliases aren't, AFAIK, unless they're connected to a real person. And, to my knowledge, everyone is contending that the names in the blog post are all aliases. And, regarding aliases, I've never understood it to be doxing for someone to say "FakeNameX and FakeNameY appear to be the same user."
So, to me, the thing that makes it not look like doxing is that it simply doesn't meet the basic definition of doxing. It provides no PII.
You're both right. Combine the two and you get what doxxing originally was:
"Dox" is short for "documents", and it originally referred to compiling a multi-page document of all known personal information, using disparate public sources: name, address, phone, email, employer, family members, family address/phone etc, etc, etc. It came from troll boards and was designed to make it easy to harass targets.
The term got significantly watered down when it got out to the broader internet.
How low has the bar gotten where doxxing is literally just doing a Google search and a whois lookup about a well-used public website? The hackers of the 90s and aughts would laugh you straight out of the irc server with this comment.
This is more than just a Google search and a whois lookup
https://gyrovague.com/2023/08/05/archive-today-on-the-trail-...
Yes, that is exactly what “doxing” almost always refers to. It’s a very disingenuous response.
Maliciously amplifying public information for the purpose of directing anger is also doxxing. Whether that's what you did, I'll let others chime in.
I don't see how this description changes the fundamental nature of your actions.
Even a half-assed attempt at doxing is still an attempt at doxing.
It'd be much easier to accept that you're acting in good faith had you deleted the post when it became obvious that the target doesn't appreciate it.
You could still do that, and it would very simply be the right thing to do.
You've thoroughly discredited yourself and your other comments with this. If anything, this comment reads exactly like the messages from the archive.today operator. No sensible person could read the original blog post and read this comment as anything other than an attempt to spread lies and pressure Jani.
You are attempting to perform a rhetorical sleight of hand here. You are well aware that linking to a Stack Exchange post and running WHOIS is not grounds for a DDoS as a measured response. In light of this fact, you attempt to portray it as “doxxing” to mislead people into thinking that someone’s identity or address was published against their will.
I encourage everyone to read the original article and make their own conclusion. Do not take this poster at their word.
>It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone.
I would say the opposite... The DDoS is pretty obviously ridiculous, completely unacceptable, and entirely indefensible, while the blog post seems like whatever.
I honestly cannot fathom defending using your popular website as a tool to DDoS someone you have personal beef with, without the consent of the DDoSing participants.
All your comments are painting archive.today as an innocent victim in all this, but in addition to the DDoS, they have been caught modifying archived pages as well as sending actual threats to Patokallio [1] which in my opinion seem far worse than the "doxxing".
Just the fact alone that they modified archived pages has completely ruined their credibility, and over what? A blog post about them that (a) wasn't even an attack, it is mostly praising archive.today, and (b) doesn't reveal any true identities or information that isn't already easily accessible.
From my perspective at least, archive.today seems like the unhinged one, not Patokallio.
[1] https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
Which pages have they been caught modifying? And where's the evidence? I've seen this accusation multiple times but never with concrete details.
https://en.wikipedia.org/wiki/Wikipedia:Requests_for_comment...
Under „Altering of archived pages“
> It's weird to see people getting fixated on the DDoS,
The weird part to me is that some people are seemingly trying to downplay a popular website abusing visitors to DDoS someone.
How does your information (two angles) change anything at all about that fact? Normally if any website was caught abusing visitors to DDoS another website there would be no debate about why this is a bad thing. What about your other angles was supposed to matter in deciding if this was a bad thing for a website to do?
Two wrongs don’t make a right. Feeling wronged by someone doesn’t give you freedom to abuse every visitor to your website to DDoS someone else.
> It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone.
Why even do that, then? Why not just make a public post of theirs like: "Hey, here's someone trying to doxx me, and here's the unfair and fictitious bullshit the lying government is trying to pin on me. Here's all the facts, decide for yourselves."
Why do something as childish as DDoSing someone which takes away any basic good will and decency/respect you might have had in the eyes of many?
That way, it'd also be way more clear whether attempts at censorship are motivated by them acting as a bad actor, or some sort of repression and censorship thing.
I don't really have a horse in this race, but it sounds like lashing out to one's own detriment.
As of now the site is in fact a C&C/botnet. Cloudflare naturally fixates on such risks, not speech (generally). The basic purpose of 1.1.1.2 is to not wind up part of a botnet.
Cloudflare does its revenge for AT's blocking 1.1.1.1 for years
I'm wondering if Jani is possibly going to walk into the wrong party here and get burned. I did some public archival stuff about a decade ago and it was state sponsored and for the intelligence community. I'm not suggesting this is but it'll be very much of interest to competing intelligence services as it's an information control point. None of those are the sort of people you start pissing off by sticking your dick in it. FBI is likely just one of the actors here.
Why would stuff for the intelligence community be made public? Wouldn’t it make more sense for them to keep it private?
You seem the right person to ask about this: why don’t we see any public web archivers operated by individuals or organizations based in countries that aren’t big fans of aiding or listening to American intelligence?
Well they certainly do exist. However they tend not to even get noticed because the mindset and momentum behind everything is America-centric.
it's weird to see the term "doxx" be abused until it doesn't mean anything.
Don't use my computer to DDoS others please. That's nastier than the shallow post of that article.
> Or are we just looking at an unhinged fan stalking their favorite online celebrity?
In this case, question is recursive. I have no idea who Jani Patokallio or gyrovague.com are, and the way Jason Drury shifts from “tried to dox” to “doxx’d” makes me wonder if this is astroturfing by Jani or Jason or a 3rd party. Who knows!
Perhaps Mr. Patokallio would like the same scrutiny applied to his own life now - it's only fair, and we have the technology.
Read the archive.today blog, whoever is running archive.today already made many posts about Patokallio and his family members.
So the two angles are that archive.today is doing something illegal and also being investigated by American law enforcement?
I suppose an argument can be made that archive infringes copyright.
Hell I use it to circumvent paywalls.
So, if that's the case we can get all frontier provider sites marked as such as well?
A bit of context if you are confused about why a public DNS server is blocking websites: 1.1.1.2 is a malware-blocking DNS server, similar to an AdBlock DNS server. It is not 1.1.1.1 or 1.0.0.1
Here is the DDoS context https://gyrovague.com
And for parents: 1.1.1.3 blocks adult content :)
For some reason I thought 1.1.1.1/1.0.0.1 already wouldn’t resolve archive.[today|is|ph] anyway
Sort of:
https://jarv.is/notes/cloudflare-dns-archive-is-blocked
Some time ago, probably at least a year, likely more, I read a blog post by someone working for Google in Europe who loved using Archive.today and out of curiosity tried to determine who was running it. In the end he gave up, offered to buy the operator a beer or something like that, but if I recall correctly he went to even greater lengths in his research than the blogger discussed in this thread
I wish I could find it
https://gyrovague.com/2023/08/05/archive-today-on-the-trail-...
Sparked a controversial subthread elsewhere here. I don’t think this counts as doxxing, but some people apparently see it that way. It was an entertaining read though.
Archive.today's attack on https://gyrovague.com is still on-going btw. It started just over two months ago. Some IPs get through normally but for example Finnish residential IPs get stuck on endless captchas. The JS snippet that starts spamming gyrovague appears after solving the first captcha.
To be clear, if I have JavaScript blocked for archive.today (which is my default with NoScript; and really there is no site functionality that really needs JS on the user's end), then I don't participate in the DDOS, right?
I'm not a web developer, but I've picked up some bits of knowledge here and there, mostly from troubleshooting issues I encounter while using websites.
I know there are a number of headers used to control cross-site access to websites, and the linked blog post shows archive.today's denial-of-service script sending random queries to the site's search function. Shouldn't there be a way to prevent those from running when they're requested from within a third-party site?
You can't completely prevent the browser from sending the request—after all, it needs to figure out whether to block the website from reading the response.
However, browsers will first send a preflight request for non-simple requests before sending the actual request. If the DDOS were effective because the search operation was expensive, then the blog could put search behind a non-simple request, or require a valid CSRF token before performing the search.
> I know there are a number of headers used to control cross-site access to websites
Mostly these headers are designed around preventing reading content. Sending content generally does not require anything.
(As a kind of random tidbit, this is why csrf tokens are a thing, you can't prevent sending so websites test to see if you were able to read the token in a previous request)
This is partially historical. The rough rule is if it was possible to make the request without javascript then it doesn't need any special headers (preflight)
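Added example (not part of any comment, and not the blog's own code): a sketch in JavaScript of the mitigation suggested in the replies above, gating an expensive search behind a non-simple request so that a cross-site script's simple GET is rejected before any costly work runs. `SITE_ORIGIN`, the `x-search-intent` header and `handleSearch` are hypothetical names, and the request objects are constructed samples.

```javascript
const SITE_ORIGIN = "https://blog.example";      // assumed origin of the protected site
const ALLOWED_ORIGINS = new Set([SITE_ORIGIN]);  // origins allowed to pass a preflight
const REQUIRED_HEADER = "x-search-intent";       // hypothetical custom header; not CORS-safelisted

let expensiveSearches = 0;                       // how often the costly path really ran
function runExpensiveSearch(query) {
  expensiveSearches += 1;
  return [`result for ${query}`];
}
function searchCount() {
  return expensiveSearches;
}

// HTTP header names are case-insensitive; normalise before lookup.
function lowerCaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

function deny(reason) {
  return { status: 403, headers: {}, body: reason };
}

function handleSearch(req) {
  const h = lowerCaseKeys(req.headers);
  const origin = h["origin"];

  // CORS preflight: only sent for cross-origin non-simple requests.
  // Without Access-Control-Allow-* in the reply, the browser never sends the real request.
  if (req.method === "OPTIONS" && h["access-control-request-method"]) {
    if (!ALLOWED_ORIGINS.has(origin)) return deny("preflight refused");
    return {
      status: 204,
      headers: {
        "access-control-allow-origin": origin,
        "access-control-allow-methods": "GET",
        "access-control-allow-headers": REQUIRED_HEADER,
        vary: "Origin",
      },
      body: "",
    };
  }
  if (req.method !== "GET") {
    return { status: 405, headers: { allow: "GET, OPTIONS" }, body: "" };
  }

  // Cheap checks first. Sec-Fetch-Site is set by the browser and cannot be
  // overridden by page scripts; a simple cross-site GET also cannot carry
  // the custom header, so both paths stop here.
  if (h["sec-fetch-site"] === "cross-site" && !ALLOWED_ORIGINS.has(origin)) {
    return deny("cross-site request");
  }
  if (h[REQUIRED_HEADER] === undefined) return deny("missing required header");

  const results = runExpensiveSearch(String(req.query || ""));
  return {
    status: 200,
    headers: { "content-type": "application/json" },
    body: JSON.stringify(results),
  };
}

// Constructed sample requests.
const CROSS_SITE_SIMPLE_GET = {
  method: "GET", query: "zxqv", headers: { "Sec-Fetch-Site": "cross-site" },
};
const FOREIGN_PREFLIGHT = {
  method: "OPTIONS",
  headers: {
    Origin: "https://other.example",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Headers": "x-search-intent",
  },
};
const SAME_ORIGIN_SEARCH = {
  method: "GET", query: "trains",
  headers: { "Sec-Fetch-Site": "same-origin", "X-Search-Intent": "1" },
};
```

As the replies note, the requests still arrive; the guard only makes each one cheap to refuse. A non-browser client can set any header it likes, so this addresses browser-driven cross-site traffic and is not a substitute for rate limiting.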
I get the endless captcha with a Southern California IP. Something seems either very broken or malicious.
I've been getting the endless captcha on my Finnish residential IPs, but I've also been getting that (or outright timeouts) when using VPNs, so I cannot use the site altogether. I wish there were alternatives.
Why is archive today attacking that website?
The linked blog contains a story about who funds archive today and they presumably don’t like being exposed.
The crucial context here is that archive.today provides a useful public service for free.
Jani Patokallio runs gyrovague.net in order to harass people who provide useful public services.
It's not surprising that the owner of archive.today does not like being exposed, archiving is a risky business.
> The crucial context here is that archive.today provides a useful public service for free.
So public services should DDoS is your argument?
> Jani Patokallio runs gyrovague.net in order to harass people who provide useful public services.
I scrolled pretty far through the blog and didn't find anything of that sort. Just a bunch of travel stuff. Now I'm curious what sort of "harassment" you hallucinated in the sites that were previously targeted by archive.today's DDoS attacks.
Should providing a public service absolve all sins?
So far, the only sin archive.today has been accused of is retaliating against a guy attempting to dox them.
That's a pretty small sin in my book. To be written off as wildly unsuccessful but entirely justified self defense.
DDoSing gyrovague.com is silly, not evil.
The content on gyrovague.com which targets archive.today is evil, plain and simple.
By this logic, the Code Green worm is ethical; forcing a security patch upon users who didn’t install one is obviously Not Evil. And that’s why operating systems aren’t wrong to force security updates on their users using invisible phone-home systems that the users aren’t aware of: it’s a small sin that is entirely justified self defense for the users and the device maker. Clearly we should all be updated to iOS 26 without our consent.
The ‘small sin’ of wielding your userbase as a botnet is only palatable for HN’s readers because the site provides a desirable use to HN’s readers. If it were, say, a women’s apparel site that archived copies of Vogue etc. (which would see a ton of page views and much more effective takedown efforts!) and pointed its own DDoS of this manner at Hacker News, HN would be clamoring for their total destruction for unethical behavior with no such ‘it’s just a evil for so much good’ arguments.
Maintaining ethical standards in the face of desire for the profits of unethical behavior is something tech workers are especially untrained to do. Whether with Palantir or Meta or Archive.today, the conflict is the same: Is the benefit one derives worth compromising one’s ethics? For the unfamiliar, three common means of avoiding admitting that one’s ethics are compromised: “it’s not that bad”, “ethics don’t apply to that”, and “that’s my employer’s problem”. None of those are valid excuses to tolerate a website launching DDoS attacks from our browsers.
The person who runs archive.today decided to involve me, and every other visitor, in their dispute. They decided to use us to hurt someone else. That's a pretty big sin in my book.
archive.today has a documented history of altering the archived content, as such they immediately lose the veil of protection of a service of "public good" in my books.
Just my 2 ¢, not that it really matters anymore in this current information-warfare climate and polarization. :/
> archive.today has a documented history of altering the archived content
Wow, I had no idea. Thanks.
Archive.org has an even worse history of this, FWIW.
It allows website owners and third parties to tamper with archived content.
Look here, for example: https://web.archive.org/web/20140701040026/http://echo.msk.r...
Archive.today is by far the best option available.
What does this example show? It shows „ad blocker detected“ for me.
People are painting this as a mutually exclusive ideological decision. Yet two things can be true:
1) The act of archive.today archiving stories (and thus circumventing paywalls) is arguably v low level illegal (computer misuse/unauthorized access/etc) but it is up for interpretation whether a) the operator or the person requesting the page carries the most responsibility b) whether it's enforceable in third party countries neither archive.today or the page requester reside in
2) DDoSing a site that writes something bad about you is fundamentally wrong (and probably illegal too)
> So far, the only sin archive.today has been accused of is retaliating against a guy attempting to dox them.
I think you're missing that circumventing paywalls is unlawful in most parts of the world.
Respectfully, it's not, in most parts of the world.
> I think you're missing that circumventing paywalls is unlawful in most parts of the world.
And a necessity if you want to archive the content correctly, also necessary if you want the archives to be publicly available.
Not really sure if circumventing paywalls is that unlawful across the world, but basically copying and pasting an entire web page is just clear and simple copyright violation.
I know it's petty. But don't act surprised when you find your garbage strewn all over your lawn next morning after you flipped off your neighbor the fourth time.
Archive today being free doesn’t excuse them using their audience to DDoS someone they don’t like or excuse them from modifying archive content. Also documenting who funds a service is in the public interest.
>Also documenting who funds a service is in the public interest.
Not really, no. It's not unlikely to result in the service ceasing to exist.
Thanks. I am so confused by this social drama, I feel like I am getting too old for this.
It’s truly weird and unhinged the extent to which two rando Internet People are willing to grief each other.
Parasocialweb 2.0 I suppose.
You mean just to keep their secrets hidden they hurt others?
Like most companies or state ?
As an individual, keeping their identity private is the only way to prevent oppression.
well that exposing is hurting more than 2 for sure
While your article is insightful, can the blog author please redact the actual names and nicks from your original blog post (including the exact places where to find the information)? This was discussed below. While I think you had good intentions, it might be good to also reflect on the rights of that person not to be identified.
Edit: I misread the comment initially as from someone with more insight. However, I guess it is obvious that anyone can see the JavaScript and participates involuntarily in the DoS.
What a crazy timeline this has been.
(1) May 04 2019: "Tell HN: Archive.is inaccessible via Cloudflare DNS (1.1.1.1)" [https://news.ycombinator.com/item?id=19828317]
(2) Sep 11 2021: "Does Cloudflare's 1.1.1.1 DNS Block Archive.is? (2019) (jarv.is)" [https://news.ycombinator.com/item?id=28495204]
The 1.1.1.1 referred to in the above is Cloudflare's main resolver, 1.1.1.2 & 1.1.1.3 are for those intentionally looking for malware and content blocking.
Otoh, without archive.today a substantial % of HN posts would be unreadable for nearly all of the audience.
I doubt it.
You may have mixed it up with archive.org.
I suggest you double-check that. Archive.today/archive.is is the one which bypasses paywalls and makes unreadable content readable, not archive.org
Archive.is links have not worked for me for over a year. Infinite captcha loop.
Ah! You may well be right. Thanks.
That's bad then, to depend on that for paywall bypass...
I hope very much that the situation evolves into a more satisfactory one.
The DNS tunneling flag alongside C&C/botnet is the odd one — that category implies data exfiltration or firewall bypass, not just aggressive crawling or DDoS behavior. Would be interesting to know what traffic pattern triggered it.
I was wondering about this too. I thought that it could be about it being possible to use archive.today to view sites otherwise blocked via DNS, but web.archive.org[1] doesn't have that flag, so it must be something else.
[1] https://radar.cloudflare.com/domains/domain/web.archive.org
I reported the misclassification, you can do it as well from the linked page.
Edit: reading some comments here seems that I was too fast, and that the story is much more complicated. Having just the Cloudflare page as a context, I assumed the news were a misclassification. Could someone share more context on what is going on here?
Cloudflare dns has gone back and forth on whether it wants to resolve them since 2019. It’s taken that away and restored it again (intentionally? mistake?) at least four times.
The c&c/botnet designation would seem to be new though.
As far as I am aware, all previous issues with archive.today and Cloudflare were on account of archive.today taking measures to stop Cloudflare's DNS from correctly resolving their domains, not the other way around.
The current situation is due to Cloudflare flagging archive.today's domains for malicious activity, Cloudflare actually still resolves the domains on their normal 1.1.1.1 DNS, but 1.1.1.2 ("No Malware") now refuses. Exactly why they decided to flag their domains now, over a month after the denial-of-service accusations came out, is unclear, maybe someone here has more information.
Sounds a bit like when "Finland geoblocked archive.today". In all actuality, there was no geoblocking of the site in Finland by any authorities or ISPs, but rather it was the website owner blocking all Finnish IPs after some undisclosed dispute with Finnish border agents. When something bad happens, people seem a bit too willing to give archive.today the benefit of the doubt.
For context, archive.today is angry that Cloudflare won't pass through EDNS - which includes things like your IP address, which archive.today explicitly wants for DNS-based geographical routing. The obvious problem with this is that it would deanonymize all 1.1.1.1 users, at least down to their ISP and probably down to the individual subscriber.
Have they? The thing I remember previously was archive.is, and it wasn’t a block, archive.is was serving intentionally wrong responses to queries from cloudflare’s resolvers.
This is notably not a change to how 1.1.1.1 works, it’s specifically their filtered resolution product.
https://news.ycombinator.com/item?id=19828702
Intentionally, I believe? archive.today iirc has been explicitly blocking Cloudflare from resolving them at various times over the years due to Cloudflare DNS withholding requesting-user PII (ip address) in DNS lookups.
Looking forward to when Google Safe Browsing adds their domains as unsafe, as that ripples to Chrome and Firefox users.
> Cloudflare dns has gone back and forth.
Just tells me they are an unreliable resolver. Instead of being a neutral web infra, they actively participate in political agendas and censor things they "think" is wrong.
1. As noted in prior comments, Cloudflare wasn’t blocking this site previously. The site operator chose to make their site unresolvable by Cloudflare.
2. 1.1.1.2, the resolver being discussed in this post, is explicitly Cloudflare’s malware-filtered DNS host. 1.1.1.1 does not filter this site.
If you want "neutral" DNS now, run your own resolver and hope upstreams don't backstab you later, because outsourced trust never comes free.
Are there any examples of 1.1.1.1 or 8.8.8.8 not being neutral?
While I fully support this instance, I wonder what else Cloudflare has set to "Censored", apart from the obvious CSAM
1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. If you want an unfiltered DNS, use 1.1.1.1 - which resolves archive.today just fine, although archive.today itself refuses to work on Cloudflare DNS.
> 1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. ...
TIL, thank you. Time to go tweak my pi-hole server...
I'm just curious, given all the other options that respect your privacy and don't put data collection at the center of their business model, why do you use Cloudflare on your pi-hole?
> why do you use Cloudflare on your pi-hole?
Because "if it ain't broke, don't fix it." i'm not one of those users who want to endlessly tweak their ad blocker. i want to set it up, clicking as few checkboxes as necessary to get it going, and then leave it. However, (now) knowing that Cloudflare filters differently on each of their servers, i'm incentivized to go tweak a number in the config (as opposed to researching the pros and cons of every possible provider, a detail i truly have no interest in pursuing).
If you mean you had 1.1.1.2 as a secondary, and don't want it to have a different configuration, you can use 1.0.0.1 along with 1.1.1.1 instead.
> If you mean you had 1.1.1.2 as a secondary, and don't want it to have a different configuration, you can use 1.0.0.1 along with 1.1.1.1 instead.
i had no clue which one was active. It was, for me, just a checkbox at the time. This thread prompted me to go check and tweak appropriately.
Which options respect your privacy?
I use unbound (recursive resolver), and AdGuard Home as well (just forwards to unbound). Unbound could do ad-blocking itself as well, but it's more cumbersome than in AGH. So I use two tools for the time being.
The upside is there's no single entity receiving all your queries. The downside is there's no encryption (IIRC root servers do not support it), so your ISP sees your queries (but they don't receive them).
I'll throw https://nextdns.io into the mix. Been very happy with it. Supports DOH, block lists, among a plethora of other features.
AdGuard DNS servers are excellent.
The ones where you don't send a single company all of your queries
quad9
what is the vector here? dns traffic is practically anonymous, there would have to be some very specific and purposeful trickery going on to link dns traffic to an identity. It sounds like something more hypothetical than a tangible threat model
It isn't anonymous. A DNS server resolves IP addresses by hostnames. It cannot then inspect further traffic but it certainly can log your IP address and all URL's a given IP ever hit.
Since ISPs know your identity, and all it takes is to (request and get) the DNS logs and ISP servitude for all sorts of questionable information, you as an identity are giving away all site domains you visit.
> It cannot then inspect further traffic but it certainly can log your IP address and all URL's a given IP ever hit.
Correction: they can log host names/IPs, not URLs. The path of any given URL is part of the HTTP header, invisible to onlookers (assuming HTTP and assuming HTTPS is uncracked).
I can't edit. That is correct. URLs can't be known to a DNS server. Just the hostname and IP.
Considering that the DNS in question is third-party, that is, it's independent from the ISP. Then the DNS and the ISP will not share data with each other on a routine basis, which would make this concern negligible for every day traffic.
So to simplify, the DNS provider has a map of IPs to Domains visited, while on the other hand an ISP has a map of IP addresses to identities.
To even cross-reference the data, the ISP and the DNS provider would need to partner, and violate their privacy guarantees.
At the very least it's obvious that using a separate DNS provider than your ISP's provides additional anonymity by decentralizing your traffic. Although this comes with a tradeoff, having 2 providers increases the odds of partial leaks.
This analysis is so overkill for your personal traffic that it borders tinfoil territory, if we are in a professional setting and are discussing the competitive data of a company or that of thousands of users, then this level of scrutiny is merited, but as-is, separating your DNS provider from your ISP is already very marginal and a bit paranoid. Evaluating the DNS providers to such an extent that a huge security company with good legal standing would somehow qualify as unsafe, for the traffic of one user, I stress, is paralyzingly over-engineering the security of an infrastructure that has already been secured such that users don't need to know what a DNS is and how to configure it in order to have safe and private internet.
Imagine going to the bank and asking the teller for a withdrawal but not disclosing the amount and coming up with a mechanism to withdraw without anyone from the bank knowing what you withdrew. Sure, it increases your security, but also come on, what are we doing here?
Hi. If your response involves explaining the very very basics of DNS to someone that clearly knows what DNS is, please consider the possibility that you may have misunderstood them instead of lecturing them on the basics of ubiquitous internet technologies.
I didn't mean to offend. It did seem OP didn't get the IP can be logged, either that or how an IP can reveal identity.
I did some experimenting recently and I'm quite convinced that when I use Comcast's DNS they are selling it to advertisers. I've switched to 1.1.1.1 simply because it annoys me that Comcast is doing this.
How could that experiment work?
> A Cloudflare Ray ID is an identifier given to every request that goes through Cloudflare.
https://developers.cloudflare.com/fundamentals/reference/clo...
if you think a little creatively about how this information could be used by an organization that was created at the insistence of the United States Department of Homeland Security, then you're on the right track.
Today we are one of the lucky 10k
The "censored" part of archive.today seems unrelated to the filtering itself. 1.1.1.3 flags Pornhub.com as "EDE(17): Filtered" but archive.today is "EDE(16): Censored".
Supposedly it should be an external party that's requiring Cloudflare not to publish the DNS record. https://www.rfc-editor.org/rfc/rfc8914.html#name-extended-dn...
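The EDE(16) versus EDE(17) distinction in the comment above comes from the EDNS Extended DNS Error option defined in RFC 8914. As an added example (not from the thread or from Cloudflare), this Python code parses that option out of a raw DNS response and maps the policy codes to who imposed the block; the sample messages, domain names and extra-text are constructed.

```python
import struct

# Policy-related info-codes from RFC 8914, section 4.
EDE_NAMES = {15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited"}
# Who imposed the block, paraphrasing the RFC 8914 definitions.
EDE_ORIGIN = {
    15: "resolver operator's own blocklist",
    16: "external requirement imposed on the operator",
    17: "filtering requested by the client",
    18: "client not authorised for this query",
}
OPT_TYPE = 41     # EDNS(0) OPT pseudo-RR
EDE_OPTION = 15   # EDNS option code carrying an Extended DNS Error


def skip_name(msg, off):
    """Return the offset just past the DNS name that starts at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_ede(msg):
    """Return [(info_code, name, extra_text)] for every EDE option in msg."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                       # question: name + type + class
        off = skip_name(msg, off) + 4
    found = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):          # walk the {code, length, data} options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            if len(body) != olen:
                raise ValueError("truncated option")
            pos += 4 + olen
            if code == EDE_OPTION and olen >= 2:
                info = struct.unpack("!H", body[:2])[0]
                text = body[2:].decode("utf-8", "replace")
                found.append((info, EDE_NAMES.get(info, "other"), text))
    return found


def block_reason(msg):
    """Origin of the block for the first policy EDE in msg, or None."""
    for info, _name, _text in parse_ede(msg):
        if info in EDE_ORIGIN:
            return EDE_ORIGIN[info]
    return None


def build_sample(qname, info_code=None, extra_text=""):
    """Constructed response: one question, no answers, optional OPT RR with EDE."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    arcount = 0 if info_code is None else 1
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, arcount) + question
    if info_code is not None:
        ede = struct.pack("!H", info_code) + extra_text.encode("utf-8")
        option = struct.pack("!HH", EDE_OPTION, len(ede)) + ede
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(option)) + option
    return msg


if __name__ == "__main__":
    for name, code in (("archive.example", 16), ("adult.example", 17), ("ok.example", None)):
        sample = build_sample(name, code, "constructed sample text" if code else "")
        print(name, parse_ede(sample), block_reason(sample))
```

To run it against live answers, pass `parse_ede` the raw UDP payload received from the resolver for a query that carried an OPT record.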
I have no idea why anyone would use Cloudflare DNS, much less trust their more filtered versions.
I use cloudflare DNS because it’s faster. But should I worry, having read your comment? What is the downside to using it? What would you recommend instead?
Quad9.
Many years ago I used Cloudflare, and more than once I had issues with them blocking websites I wanted to access.
I absolutely despise that. I want my DNS to resolve domain names, nothing else.
For blocking things I have Pi-Hole, which is under my control for that reason. I can blacklist or whitelist addresses to my needs, not to the whims of a corporation that wants to play gatekeeper to what I can browse.
So… why not use 1.1.1.1, cloudflare’s resolver that does not block resolution?
1.1.1.2 and .3 are explicitly offered with filtered responses.
I used to use 1.1.1.1. I still had issues.
Quad9 behaves exactly as I expect a DNS to work, in the sense that I only remember I use it when the topic of DNS pops up.
Your claim was that 1.1.1.1 was blocking sites.
Are you saying now you just had issues with the quality of service? Or do you want to provide more details to substantiate the claim that they were blocking sites?
No, I do not keep any logs from domain name resolution from the DNS service I used from 7+ years ago. If you do, I commend you.
I used the term "blocking" in a loose sense. I have no idea if Cloudflare was failing to resolve certain domains because it is a shitty service, or if it was ordered to block those domain names by its government, or if it was actively not resolving domain names because it thought a good idea to be a sort of arbiter and gatekeeper. I suspect the last option, but it is just speculation.
What I can affirm is that I had issues more than once with domain name resolution when I used 1.1.1.1. After it annoyed me enough I switched to Quad9, and it has been great ever since, which is why I recommend it as a user of their service.
> I have no idea if Cloudflare was failing to resolve certain domains because it is a shitty service, or if it was ordered to block those domain names by its government, or if it was actively not resolving domain names because it thought a good idea to be a sort of arbiter and gatekeeper.
I'm going to go with option D) whatever shitty site you were browsing to had a broken DNS or more likely DNSSEC configuration and Cloudflare was correct to not serve a corrupt response.
99% of the time, tales of "they're blocking my site! you guys are nazis!" always turn out to have a root cause of broken DNS configuration.
> I'm going to go with option D) whatever shitty site you were browsing to had a broken DNS or more likely DNSSEC configuration and Cloudflare was correct to not serve a corrupt response.
And once I switched DNS I could browse it normally.
This does not align quite well with the scenario you propose.
> "they're blocking my site! you guys are nazis!"
I said no such thing. I said it was a shitty DNS because it failed at the thing I was trying to use it for.
I don’t keep DNS logs at all. But I also don’t show up 7 years later trash talking a company or product based on guesswork and fear.
It's not based in "guesswork and fear". It is a first-person account of someone that used their service. A user review, if you will.
There's this thing - when you offer a service to the public, the users of your service, can, will, and should review your service.
So, yes, I am free to "trash talk" a service that was, frankly, terrible at its job in providing domain name resolution. That works as any other user review, a data point so other users may switch away from a bad provider to a better one.
I imagine if someone goes to a restaurant and their hot dish is served cold, if your response to the user review is a silly request for proof that the food was indeed served cold, and whining that their review is "trash talking based on fear and guesswork".
If you said that they served you cold food because the US government made them do it, yea, I’d think you were nuts.
And that's not what I said?
I offered some possibilities of why they did a shitty job in providing naming resolution. I even speculated what was the most likely one (not the one you mentioned).
But it's okay, at this point I have very little optimism regarding your reading ability.
Because that would be subject to the whim of the provider, who subject to court orders would have to oblige to continue operating as US entity.
How does that differ from Quad9? You’re subject to Swiss laws, so there’s still a government involved? And you’re now hosted in an area where the US government has far fewer limitations on what they can attempt.
Quad9 is based in Switzerland, but the three founders-sponsors are US-based [0], so I’m not sure if it can be considered 100% safe from US government intervention.
[0] https://quad9.net/about/sponsors/
The ASN and stuff is also operated by a US entity it seems like:
They also have servers in the US, so that's yet another reason not to consider them "100% safe from US government intervention"
Also a quick search suggests that Switzerland has made Internet providers in-country block DNS results in the past.
Why give all your queries to a single company with an interest in tracking you and selling your data?
But don’t most ISPs do this? And if you use google’s DNS, for example, are they not doing this? Does cloudflare sell the data?
IMO all the more reason to run your own resolver and not just forward every query to a single entity.
Same thoughts. Cloudflare DNS is noticeably slow to resolve on some of my devices.
Switching to literally any other DNS and the same domains resolve instantly.
Could be an issue specific to my location or devices, but it's been consistent enough that I stopped bothering.
I don't use the public resolvers but here [1] is a script that will show which of those public resolvers is fastest from your location. Add or remove resolvers as you desire. Be sure to scroll down to see a few of the sorting examples. Not my script or repo.
Just as a side note: Something I have done with this in the past as a fun experiment was to set up an Unbound DoT server on assorted VPS nodes in assorted locations around the country, run this script and configure each Unbound to use the 5 to 10 fastest servers on each node and cache results longer. Then I used Tinc (open source VPN) to connect to these VPS nodes from my home's Unbound and distribute the requests among all of them. I save query logs from all of them and use cron to look up all my queries hourly to keep the cache fresh and mess up any analytic patterns for my queries. Just a fun experiment. 99.99% of the time I just query the root DNS servers for what NS servers are authoritative for a given domain or what I call bare-backing the internet.
[1] - https://github.com/cleanbrowsing/dnsperftest
I have no idea why anyone would drink water from a faucet, much less trust their more filtered versions.
Good. What archive.today is doing is illegal
Two wrongs don’t make a right.
True, but not relevant.
Relevant because Cloudflare manipulated the DNS using a false reasoning
1.1.1.2 blocks malware, and archive.today performs DDOS. Where's the false reasoning?
It’s not a C&C/Botnet
It is C&C -- it instructs their site visitors to DOS a specific site.
By this logic, all malicious JavaScript (obvious example is cryptominers I guess, assuming no JS sandbox escape) is C&C, yeah? As it "instructs site visitors" to do something harmful locally?
A C&C controls a botnet, where is the botnet?
The browsers of their site visitors.
If you need to be on the site it’s not a botnet and there is no C&C server coordinating the attack. It’s just the JS on the site that makes the attack.
> If you need to be on the site it’s not a botnet
Why? I did not visit the site to participate in a DoS attack; yet my machine was coaxed into participating against my will. Whether this is happening in JS or a drive-by download or a browser 0-day is irrelevant.
You did participate in archive.today’s DDoS without visiting the site?
How if it’s JS code in the site?
Does this mean that the Great Cannon of China is not a botnet because it stops working when you close your browser?
Does the Great Cannon of China coordinate the attacks?
Does archive.today?
Hijacking a software like the browser is something completely different to a simple JS on a website.
>Does the Great Cannon of China coordinate the attacks?
Yes.
>Does archive.today?
Yes.
How does archive.today coordinate the attack?
By telling visitor browsers to DoS the site.
That’s not really coordinating.
It’s just a website with a simple request loop, no C&C server tells when the attacks have to happen.
This doesn’t make your browser a bot
Good. You don't get to use my computer for a DDoS. I don't care why the DDoS was happening. I wasn't asked, and that's a serious breach of trust.
Breach of trust by a site whose unstated primary purpose is bypassing paywalls and ripping off content?
20 years ago during the P2P heyday this was assumed to come with the territory. Play with fire and you could get burned.
If you walk into a seedy brothel in the developing world, your first thought should be "I might get drugged and robbed here" and not what you're going to type in the Yelp review later about their lack of ethics.
Well if we are going to use this analogy, 20 years ago virus scanners also flagged malicious stuff from p2p as a virus, and people still thought putting malicious content on p2p was a shitty thing for someone to do (even if it was somewhat expected).
Nobody was shedding any tears 20 years ago for the virus makers who had their viruses flagged by virus scanners.
Given they are retroactively tampering with past archives it's not exactly trustworthy in the first place
Are they tampering with the actual content, or the stuff (login ui, etc) which they have always been open about tampering with?
Content. https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
Proof?
https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
That doesn't say anything about them tampering with archive content
Yes it does. The last section of the article.
https://megalodon.jp/2026-0219-1634-10/https://archive.ph:44...
This is an archive of an Archive.is archive of a blog post. The first sentence of the post says “Jani Patokallio was a woman of exceptional intellect…” This was changed, it originally had someone else’s name (see second paragraph). So, who knows what other archived pages were changed?
I always thought that mainstream media sites with paywalls were pretty far down there in the tier list of websites though. Not sure if this analogy lands unless irony was the goal.
I trust websites not to involve me in crime. I trust news websites to tell me the news. I trust archive websites to give me old versions of websites. I trust paywall circumvention websites to circumvent paywalls.
What I do not see is the irony you insinuate in your post. It is not immoral to charge people for content, nor does that make you less credible. (It might even make you more credible since you now earn money by having happy customers instead of serving more ads.)
Some news sources are not trustworthy but that's independent of there being a paywall.
It amazes me that people still use and recommend Cloudflare's DNS servers for resolution. Cloudflare DNS does not support EDNS Client Subnet. As a result, DNS queries resolved by their service are likely to return IP addresses for many CDNs that are physically farther away from you, leading to a slower internet browsing and viewing experience.
Sacrificing performance for a faster lookup time makes no sense in 2026. This is the one area where I continue to use Google DNS as it just works. Use anything but Cloudflare in this case, please.
Parent pro-tip: Next time the iPad is having Bluey episode playback issues, check to see if you're actually using Cloudflare DNS.
Without ECS, the CDN will default to the closest one to the resolver, and cloudflare has resolvers in all major cities.
Given that the vast majority of us live in or near a major city, it means that your vaguely gloom and doom commentary doesn't apply.
If you live in the boondocks or if CDN matching misbehaves for some reason, by all means run benchmarks!
But all other things being equal, Cloudflare's privacy policy is better than Google's.
quad9 dnscrypt for the win
https://quad9.net/service/service-addresses-and-features/
When the heat dies down, hopefully this flag gets removed.
Why? It’s accurate and if the owner has chosen to do this for months now, why should we ever trust they won’t again? Nobody should ever use that site and every optional filter should block them.
There's probably a worthwhile discussion to be had about what it takes for a site in this situation to be removed from blocklists. An apology? Surrender to authorities? Halting the malicious activity for a certain period of time?
Regardless, another user reports the attack is still ongoing[1], so this isn't a discussion that's going to happen about archive.today anytime soon.
[1] https://news.ycombinator.com/item?id=47474777
I suppose “evidence that the site’s leadership has permanently changed” would convince me. Whoever decided to put in the code that causes visitors to DDOS someone should never be running a web site again.
So, in your mind, there is no way for an individual owning archive.today to recover from this?
I mean, probably not. Maybe if they posted a public apology (an actual one, not a 'I'm sorry I was caught' one), listed the steps that they would take to ensure it doesn't happen again and how the fact that they weren't doing it could be publicly verified.
They've shown they're willing to deliberately weaponize their users to fight a personal dispute with someone, and didn't take corrective action when called out. Trustworthiness is something you lose and don't get back.
If there was an apology it could be considered, depending on the apology (i.e. is it earnest?). But so far that does not seem to happen.
Also, they were caught tampering with saved webpages as well, so the website cannot be trusted to fulfill its main purpose anymore: https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
>Why?
Because once the problematic content is removed it should no longer be blocked.
>It's accurate
It is neither a C&C server for a botnet, nor any other server related to a botnet. I would not call it accurate.
>Nobody should ever use that site
It has a good reputation for archiving sites, has stood the test of time, and doesn't censor pages like archive.org does allowing you to actually see the history of news articles instead of them being deleted like archive.org does on occasion.
The site started doctoring archived versions as part of the petty feud. That is, what was supposed to be a historical record, suddenly had content manipulated so as to feed into this fight[0]. There is no redemption. You want to be an archive, you keep it sacrosanct. Put an obvious hosting-site banner overlay if you must, but manipulating the archive is a red-line that was crossed.
[0] https://en.wikipedia.org/wiki/Archive.today
That line of argument is rather misleading, as some kind of content manipulation is inherent to the service an archive that violates paywalls has to provide. It needs to conceal the accounts it uses to access these websites, and their names and traces are often on the pages it's archiving.
Did AT go beyond that and manipulate any relevant part? That's rather difficult to say now. AT is obviously tampering with evidence, but so is Wikipedia; their admins have heavily redacted their archived Talk pages out of fear one of these pseudonyms might be an actual person, so even what exactly WP accuses AT of is not exactly clear.
While I disagree with that action I still trust the site as a reliable source. Redemption is possible. Maybe not for Wikipedia, but I don't care about that site and consider it rotten.
It's not just problematic content, it's criminal behavior. And the site has a bad reputation for archival, given that the owner altered the content of archived articles.
>It's not just problematic content, it's criminal behavior.
How is that supposed to be a big deal when one of the core services archive.today provides is obviously illegal anyway?
I'm not sure how illegal copyright violations really are, given that all major tech companies are doing it. DDoS attacks, on the other hand, are pretty clear-cut.
I also think "but they also do that other crime" doesn't help their case.
I think the DDoS is clearly problematic, I just don't think it's problematic because it's criminal.
It's problematic because it's childish and pointlessly degrades the user experience.
The site commits copyright infringement by showing you content it doesn't have the rights for. This is not the kind of site to go on about morals for.
>the site has a bad reputation
Not compared to archive.org. archive.is has a much better track record.
I'm not sure whether you're making a joke or confusing the two websites.
You’re just not at all familiar with the subject.
Archive.org is awful. It allows site owners and random third parties to edit old archived pages.
Archive.today does not.
Is it that much better that Archive.today reserves the right to edit old archived pages for the owner whenever they have a petty grudge with someone?
At least site owners have the copyright on the pages that Archive.org saves. They can just get the content pulled through DMCA anyway.
Folks keep saying this
Do you actually mean edit or do you just mean delete
Both are problematic, but falsifying a historic record is orders of magnitude worse than deleting one, and conflating them would be extremely dishonest
Archive.org lets archived pages pull in JavaScript from the non-archived internet, so it’s only trustworthy if viewed with JavaScript disabled.
It is in fact a botnet - they’ve been hijacking user browsers to act as a botnet to DDoS.
Are Hacker News users part of a botnet since they link to sites that when people click they go down due to all of the traffic? Am I part of a botnet if I have HN open as it means HN can execute javascript? I think it's stretching the definition.
Hacker News absolutely would be if it was making those requests to random sites that the user doesn’t know about, and have no reason to be making requests to other than attacking them.
I suppose if all the users go on the site intentionally wanting to take part in a DDoS, then sure it’s not a botnet. But that’s not reality.
Because it's not the place of a DNS resolver to police the internet.
1.1.1.1 is simply a free DNS, 1.1.1.2 blocks malware, and 1.1.1.3 blocks both malware and adult content. It's a service that does exactly what it's supposed to do.
If I specifically choose a DNS server that promises to not resolve sites that will use my computer in a botnet, then it is that DNS resolver’s place to do that.
This particular resolver is an opt-in service for users that want Cloudflare to block anything that Cloudflare designates as malware.
Literally what the product is here.
Unlikely unless their behaviour changes.
They aren't being flagged because of the attention.
Of course, they want to shut down the only good archive site. See, if you can save things it prevents editing and can bypass paywalls.
Can't have that.
Now, show me your ID to login to your Linux box.
The owner of archive.is modifies contents of articles already so I hope you’re not actually depending on it as an archive. It’s a paywall escape hatch not an archive site.
I, for one, completely trust Cloudflare on this one. The guys running a MiTM attack on a substantial chunk of all global internet traffic, and working tirelessly to ensure billions of people behind CGNAT in the global south can't access the free and open web are the premier experts on malicious, predatory, harmful internet-scale network behavior, after all.
Cloudflare considered harmful
They aren’t wrong. They’re literally using scripts on their site in an attempt to DDoS a blog which (partially?) de-anonymized the archive.today operator.
Bulletproof hosting service not happy that someone is running their C&C infrastructure elsewhere