Cloudflare flags archive.today as "C&C/Botnet"; no longer resolves via 1.1.1.2 (radar.cloudflare.com)
303 points by winkelmann 16 hours ago
winkelmann 16 hours ago
"archive.today is currently categorized as: * CIPA Filter * Reference * Command and Control & Botnet * DNS Tunneling"
Ditto for their other domains like archive.is and archive.ph
Example DoH request:
$ curl -s "https://1.1.1.2/dns-query?name=archive.is&type=A" -H "accept: application/dns-json"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"archive.is","type":1}],"Answer":[{"name":"archive.is","type":1,"TTL":60,"data":"0.0.0.0"}],"Comment":["EDE(16): Censored"]}
---
Relevant HN discussions:
https://news.ycombinator.com/item?id=46843805 "Archive.today is directing a DDoS attack against my blog"
https://news.ycombinator.com/item?id=47092006 "Wikipedia deprecates Archive.today, starts removing archive links"
https://news.ycombinator.com/item?id=46624740 "Ask HN: Weird archive.today behavior?" - Post about the script used to execute the denial-of-service attack
Wikipedia page on deprecating and replacing archive.today links:
https://en.wikipedia.org/wiki/Wikipedia:Archive.today_guidan...
simonw 5 minutes ago
Thanks for that, I didn't know about that API - which it turns out has open CORS headers so you can call it from JavaScript.
I now have my dream DNS lookup web tool! https://tools.simonwillison.net/dns#d=news.ycombinator.com&t...
rollulus 12 hours ago
I think there are two angles to look at this. Yes, there’s the attack on the weblog. But there’s also pressure on archive.today, e.g. an FBI investigation [1] and some entity using fictitious CSAM allegations [2].
[1]: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tri...
[2]: https://adguard-dns.io/en/blog/archive-today-adguard-dns-blo...
JasonADrury 11 hours ago
Jani Patokallio who runs gyrovague.com published a blog post attempting to dox the owner of archive.today.
Jani justifies his doxing as follows "I found it curious that we know so little about this widely-used service, so I dug into it" [1]
Archive.today on the other hand is a charitable archival project offered to the public for free. The operator of Archive.today risks significant legal liability, but still offers this service for free.
[1]: https://gyrovague.com/2026/02/01/archive-today-is-directing-...
It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone. The only credible reason for Jani to publish something like this is if he desires to cause physical harm to the operator of archive.today
Or are we just looking at an unhinged fan stalking their favorite online celebrity?
People were critical of the Banksy piece, but this is much nastier. At least Banksy is a huge business, archive.today does not even make money.
dddgghhbbfblk 2 hours ago
>It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone.
I would say the opposite... The DDoS is pretty obviously ridiculous, completely unacceptable, and entirely indefensible, while the blog post seems like whatever.
I honestly cannot fathom defending using your popular website as a tool to DDoS someone you have personal beef with, without the consent of the DDoSing participants.
Mogzol 9 hours ago
All your comments are painting archive.today as an innocent victim in all this, but in addition to the DDoS, they have been caught modifying archived pages as well as sending actual threats to Patokallio [1] which in my opinion seem far worse than the "doxxing".
Just the fact alone that they modified archived pages has completely ruined their credibility, and over what? A blog post about them that (a) wasn't even an attack, it is mostly praising archive.today, and (b) doesn't reveal any true identities or information that isn't already easily accessible.
From my perspective at least, archive.today seems like the unhinged one, not Patokallio.
[1] https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
gyrovague-com 9 hours ago
Jani here. What you describe as "doxxing" consisted of a) a whois lookup for archive.is and b) linking to a StackExchange post from 2020 called "Who owns archive.today" [1]. There is literally no new information about the site's owner in the post, all names have been dug up before and are clearly aliases, and the post states as much.
[1] https://webapps.stackexchange.com/questions/145817/who-owns-...
Aurornis 20 minutes ago
> It's weird to see people getting fixated on the DDoS,
The weird part to me is that some people are seemingly trying to downplay a popular website abusing visitors to DDoS someone.
Two wrongs don’t make a right. Feeling wronged by someone doesn’t give you freedom to abuse every visitor to your website to DDoS someone else.
dgxyz 10 hours ago
I'm wondering if Jani is possibly going to walk into the wrong party here and get burned. I did some public archival stuff about a decade ago and it was state sponsored and for the intelligence community. I'm not suggesting this is but it'll be very much of interest to competing intelligence services as it's an information control point. None of those are the sort of people you start pissing off by sticking your dick in it. FBI is likely just one of the actors here.
KronisLV 8 hours ago
> It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone.
Why even do that, then? Why not just make a public post of theirs like: "Hey, here's someone trying to doxx me, and here's the unfair and fictitious bullshit the lying government is trying to pin on me. Here's all the facts, decide for yourselves."
Why do something as childish as DDoSing someone which takes away any basic good will and decency/respect you might have had in the eyes of many?
That way, it'd also be way more clear whether attempts at censorship are motivated by them acting as a bad actor, or some sort of repression and censorship thing.
I don't really have a horse in this race, but it sounds like lashing out to one's own detriment.
eipi10_hn 2 hours ago
Don't use my computer to DDoS others please. That's nastier than the shallow post of that article.
rdevilla 11 hours ago
Perhaps Mr. Patokallio would like the same scrutiny applied to his own life now - it's only fair, and we have the technology.
Hamuko 10 hours ago
So the two angles are that archive.today is doing something illegal and also being investigated by American law enforcement?
expedition32 8 hours ago
I suppose an argument can be made that archive infringes copyright.
Hell I use it to circumvent paywalls.
windexh8er 2 hours ago
So, if that's the case we can get all frontier provider sites marked as such as well?
f-serif 11 hours ago
A bit of context if you are confused why a public DNS server is blocking websites: 1.1.1.2 is a malware-blocking DNS server, similar to an AdBlock DNS server. It is not 1.1.1.1 or 1.0.0.1.
Here is the DDoS context https://gyrovague.com
apaprocki an hour ago
And for parents: 1.1.1.3 blocks adult content :)
swrobel 2 hours ago
For some reason I thought 1.1.1.1/1.0.0.1 already wouldn’t resolve archive.[today|is|ph] anyway
1vuio0pswjnm7 3 hours ago
Some time ago, probably at least a year, likely more, I read a blog post by someone working for Google in Europe who loved using Archive.today and out of curiosity tried to determine who was running it. In the end he gave up, offered to buy the operator a beer or something like that, but if I recall correctly he went to even greater lengths in his research than the blogger discussed in this thread
I wish I could find it
stuffoverflow 14 hours ago
Archive.today's attack on https://gyrovague.com is still ongoing btw. It started just over two months ago. Some IPs get through normally, but for example Finnish residential IPs get stuck on endless captchas. The JS snippet that starts spamming gyrovague appears after solving the first captcha.
winkelmann 13 hours ago
I'm not a web developer, but I've picked up some bits of knowledge here and there, mostly from troubleshooting issues I encounter while using websites.
I know there are a number of headers used to control cross-site access to websites, and the linked blog post shows archive.today's denial-of-service script sending random queries to the site's search function. Shouldn't there be a way to prevent those from running when they're requested from within a third-party site?
sheept 12 hours ago
You can't completely prevent the browser from sending the request—after all, it needs to figure out whether to block the website from reading the response.
However, browsers will first send a preflight request for non-simple requests before sending the actual request. If the DDOS were effective because the search operation was expensive, then the blog could put search behind a non-simple request, or require a valid CSRF token before performing the search.
bawolff 12 hours ago
> I know there are a number of headers used to control cross-site access to websites
Mostly these headers are designed around preventing reading content. Sending content generally does not require anything.
(As a kind of random tidbit, this is why csrf tokens are a thing, you can't prevent sending so websites test to see if you were able to read the token in a previous request)
This is partially historical. The rough rule is if it was possible to make the request without javascript then it doesn't need any special headers (preflight)
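Added example (not part of any comment in this thread): a server-side gate of the kind sheept and bawolff describe, which rejects third-party-initiated search requests before the expensive query runs. The header name `X-Search-Token`, the function names and the secret are assumptions made for illustration; `Sec-Fetch-Site` is the standard Fetch Metadata request header.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed value; load from config in practice
TOKEN_HEADER = "x-search-token"       # hypothetical custom header name


def issue_token(session_id, secret=SECRET):
    """CSRF-style token the site embeds in its own pages.

    A third-party page cannot read those pages cross-origin, so it
    cannot learn the token even though it can still send requests.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def gate_search(method, headers, session_id, secret=SECRET):
    """Return (status, reason) without touching the search backend."""
    h = {k.lower(): v for k, v in headers.items()}

    # A custom header makes a cross-origin fetch "non-simple", so the
    # browser sends an OPTIONS preflight first. Answering it without any
    # Access-Control-Allow-* grant means the real request is never sent.
    if method == "OPTIONS":
        return 204, "preflight answered without CORS grant"

    # Browsers that support Fetch Metadata label the request's origin.
    if h.get("sec-fetch-site") == "cross-site":
        return 403, "cross-site request"

    # Simple requests (plain GET, no custom header) still arrive; they
    # fail here cheaply because they carry no valid token.
    token = h.get(TOKEN_HEADER, "").encode()
    expected = issue_token(session_id or "", secret).encode()
    if not session_id or not hmac.compare_digest(token, expected):
        return 403, "missing or invalid token"

    return 200, "run search"


if __name__ == "__main__":
    sid = "session-123"  # constructed session identifier
    cases = [
        ("GET", {"Sec-Fetch-Site": "cross-site"}),                  # script on another site
        ("GET", {}),                                                # old browser, no token
        ("OPTIONS", {"Access-Control-Request-Headers": TOKEN_HEADER}),
        ("GET", {"Sec-Fetch-Site": "same-origin",
                 "X-Search-Token": issue_token(sid)}),              # the site's own search box
    ]
    for method, hdrs in cases:
        print(method, hdrs, "->", gate_search(method, hdrs, sid))
```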
dawnerd 2 hours ago
I get the endless captcha with a Southern California IP. Something seems either very broken or malicious.
Anonyneko 3 hours ago
I've been getting the endless captcha on my Finnish residential IPs, but I've also been getting that (or outright timeouts) when using VPNs, so I cannot use the site altogether. I wish there were alternatives.
throwingcookies 13 hours ago
Why is archive today attacking that website?
nailer 13 hours ago
The linked blog contains a story about who funds archive today and they presumably don’t like being exposed.
riedel 9 hours ago
While your article is insightful, can the blog author please redact the actual names and nicks from your original blog post (including the exact places where to find the information)? This was discussed below. While I think you had good intentions, it might be good to also reflect on the rights of that person not to be identified.
Edit: I misread the comment initially as from someone with more insight. However, I guess it is obvious that anyone can see the JavaScript and participates involuntarily in the DoS.
GTP 2 hours ago
I reported the misclassification, you can do it as well from the linked page.
Edit: reading some comments here, it seems that I was too fast, and that the story is much more complicated. Having just the Cloudflare page as context, I assumed the news was a misclassification. Could someone share more context on what is going on here?
kmfrk 5 hours ago
What a crazy timeline this has been.
(1) May 04 2019: "Tell HN: Archive.is inaccessible via Cloudflare DNS (1.1.1.1)" [https://news.ycombinator.com/item?id=19828317]
eastdakota on May 4, 2019 on: Tell HN: Archive.is inaccessible via Cloudflare DNS...
[Via https://news.ycombinator.com/item?id=19828702]
We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.
EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.
We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.
(2) Sep 11 2021: "Does Cloudflare's 1.1.1.1 DNS Block Archive.is? (2019) (jarv.is)" [https://news.ycombinator.com/item?id=28495204]
zamadatix 5 hours ago
The 1.1.1.1 referred to in the above is Cloudflare's main resolver, 1.1.1.2 & 1.1.1.3 are for those intentionally looking for malware and content blocking.
jeremie_strand 8 hours ago
The DNS tunneling flag alongside C&C/botnet is the odd one — that category implies data exfiltration or firewall bypass, not just aggressive crawling or DDoS behavior. Would be interesting to know what traffic pattern triggered it.
winkelmann 3 hours ago
I was wondering about this too. I thought that it could be about it being possible to use archive.today to view sites otherwise blocked via DNS, but web.archive.org[1] doesn't have that flag, so it must be something else.
[1] https://radar.cloudflare.com/domains/domain/web.archive.org
breppp 12 hours ago
While I fully support this instance, I wonder what else Cloudflare has set to "Censored", apart from the obvious CSAM
Kwpolska 10 hours ago
1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. If you want an unfiltered DNS, use 1.1.1.1 - which resolves archive.today just fine, although archive.today itself refuses to work on Cloudflare DNS.
sgbeal 10 hours ago
> 1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. ...
TIL, thank you. Time to go tweak my pi-hole server...
Hamuko 9 hours ago
The "censored" part of archive.today seems unrelated to the filtering itself. 1.1.1.3 flags Pornhub.com as "EDE(17): Filtered" but archive.today is "EDE(16): Censored".
Supposedly it should be an external party that's requiring Cloudflare not to publish the DNS record. https://www.rfc-editor.org/rfc/rfc8914.html#name-extended-dn...
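Added example (not part of any comment in this thread): a parser for the `application/dns-json` response quoted in the first comment that separates the RFC 8914 policy codes Hamuko contrasts (16 Censored vs 17 Filtered) from an ordinary answer and flags the `0.0.0.0` sinkhole. The `EDE(n)` comment format is taken from that quoted response; the function name and the two `.example` samples are constructed for illustration.

```python
import ipaddress
import json
import re

# RFC 8914 extended DNS error (EDE) codes for policy-based non-answers.
POLICY_EDE = {
    15: ("blocked", "the resolver operator's own policy"),
    16: ("censored", "a requirement imposed on the operator by an external party"),
    17: ("filtered", "filtering that the client itself asked for"),
    18: ("prohibited", "the client is not authorized to query this name"),
}
EDE_RE = re.compile(r"EDE\((\d+)\)")  # comment format as shown in the thread


def classify(doh_json):
    """Classify one application/dns-json response body."""
    msg = json.loads(doh_json)
    comments = msg.get("Comment") or []
    if isinstance(comments, str):
        comments = [comments]
    codes = [int(n) for c in comments for n in EDE_RE.findall(c)]

    # Collect A (1) and AAAA (28) answers; other record types are ignored.
    addrs = []
    for rr in msg.get("Answer") or []:
        if rr.get("type") in (1, 28):
            try:
                addrs.append(ipaddress.ip_address(rr["data"]))
            except (KeyError, ValueError):
                continue
    # 0.0.0.0 or :: as the only answers is a sinkhole, not a real address.
    sinkholed = bool(addrs) and all(a.is_unspecified for a in addrs)

    policy = [c for c in codes if c in POLICY_EDE]
    if policy:
        verdict, reason = POLICY_EDE[policy[0]]
    elif sinkholed:
        verdict, reason = "sinkholed", "unspecified address returned without an EDE code"
    elif msg.get("Status") == 0 and addrs:
        verdict, reason = "resolved", "usable address returned"
    else:
        verdict, reason = "no-answer", "rcode %s, no address records" % msg.get("Status")
    return {"verdict": verdict, "reason": reason, "ede": codes, "sinkholed": sinkholed}


# Response body quoted in the first comment of this thread (1.1.1.2, archive.is).
THREAD_RESPONSE = '{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"archive.is","type":1}],"Answer":[{"name":"archive.is","type":1,"TTL":60,"data":"0.0.0.0"}],"Comment":["EDE(16): Censored"]}'
# Constructed samples: a client-requested filter hit and an ordinary answer.
FILTERED_SAMPLE = '{"Status":0,"Question":[{"name":"filtered.example","type":1}],"Answer":[{"name":"filtered.example","type":1,"TTL":60,"data":"0.0.0.0"}],"Comment":["EDE(17): Filtered"]}'
CLEAN_SAMPLE = '{"Status":0,"Question":[{"name":"ok.example","type":1}],"Answer":[{"name":"ok.example","type":1,"TTL":300,"data":"192.0.2.10"}]}'

if __name__ == "__main__":
    for label, body in [("thread", THREAD_RESPONSE),
                        ("filtered", FILTERED_SAMPLE),
                        ("clean", CLEAN_SAMPLE)]:
        print(label, classify(body))
```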
surgical_fire 9 hours ago
I have no idea why anyone would use Cloudflare DNS, much less trust their more filtered versions.
PeterStuer 12 hours ago
Otoh, without archive.today a substantial % of HN posts would be unreadable for nearly all of the audience.
henearkr 11 hours ago
I doubt it.
You may have mixed it up with archive.org.
JasonADrury 11 hours ago
I suggest you double-check that. Archive.today/archive.is is the one which bypasses paywalls and makes unreadable content readable, not archive.org
razingeden 15 hours ago
Cloudflare dns has gone back and forth on whether it wants to resolve them since 2019. It’s taken that away and restored it again (intentionally? mistake?) at least four times.
The c&c/botnet designation would seem to be new though.
winkelmann 14 hours ago
As far as I am aware, all previous issues with archive.today and Cloudflare were on account of archive.today taking measures to stop Cloudflare's DNS from correctly resolving their domains, not the other way around.
The current situation is due to Cloudflare flagging archive.today's domains for malicious activity, Cloudflare actually still resolves the domains on their normal 1.1.1.1 DNS, but 1.1.1.2 ("No Malware") now refuses. Exactly why they decided to flag their domains now, over a month after the denial-of-service accusations came out, is unclear, maybe someone here has more information.
Hamuko 13 hours ago
Sounds a bit like when "Finland geoblocked archive.today". In all actuality, there was no geoblocking of the site in Finland by any authorities or ISPs, but rather it was the website owner blocking all Finnish IPs after some undisclosed dispute with Finnish border agents. When something bad happens, people seem a bit too willing to give archive.today the benefit of the doubt.
kmeisthax 2 hours ago
For context, archive.today is angry that Cloudflare won't pass through EDNS - which includes things like your IP address, which archive.today explicitly wants for DNS-based geographical routing. The obvious problem with this is that it would deanonymize all 1.1.1.1 users, at least down to their ISP and probably down to the individual subscriber.
akerl_ 14 hours ago
Have they? The thing I remember previously was archive.is, and it wasn’t a block, archive.is was serving intentionally wrong responses to queries from cloudflare’s resolvers.
This is notably not a change to how 1.1.1.1 works, it’s specifically their filtered resolution product.
altairprime 15 hours ago
Intentionally, I believe? archive.today iirc has been explicitly blocking Cloudflare from resolving them at various times over the years due to Cloudflare DNS withholding requesting-user PII (IP address) in DNS lookups.
Looking forward to when Google Safe Browsing adds their domains as unsafe, as that ripples to Chrome and Firefox users.
vachina 11 hours ago
> Cloudflare dns has gone back and forth.
Just tells me they are an unreliable resolver. Instead of being a neutral web infra, they actively participate in political agendas and censor things they "think" are wrong.
akerl_ 9 hours ago
1. As noted in prior comments, Cloudflare wasn’t blocking this site previously. The site operator chose to make their site unresolvable by Cloudflare.
2. 1.1.1.2, the resolver being discussed in this post, is explicitly Cloudflare’s malware-filtered DNS host. 1.1.1.1 does not filter this site.
hrmtst93837 8 hours ago
If you want "neutral" DNS now, run your own resolver and hope upstreams don't backstab you later, because outsourced trust never comes free.
lagniappe an hour ago
Cloudflare considered harmful
landr0id an hour ago
They aren’t wrong. They’re literally using scripts on their site in an attempt to DDoS a blog which (partially?) de-anonymized the archive.today operator.
bunbun69 9 hours ago
Good. What archive.today is doing is illegal
croes 9 hours ago
Two wrongs don’t make a right.
Cytobit 8 hours ago
True, but not relevant.
_moof 14 hours ago
Good. You don't get to use my computer for a DDoS. I don't care why the DDoS was happening. I wasn't asked, and that's a serious breach of trust.
longislandguido 12 hours ago
Breach of trust by a site whose unstated primary purpose is bypassing paywalls and ripping off content?
20 years ago during the P2P heyday this was assumed to come with the territory. Play with fire and you could get burned.
If you walk into a seedy brothel in the developing world, your first thought should be "I might get drugged and robbed here" and not what you're going to type in the Yelp review later about their lack of ethics.
bawolff 12 hours ago
Well if we are going to use this analogy, 20 years ago virus scanners also flagged malicious stuff from p2p as a virus, and people still thought putting malicious content on p2p was a shitty thing for someone to do (even if it was somewhat expected).
Nobody was shedding any tears 20 years ago for the virus makers who had their viruses flagged by virus scanners.
kay_o 12 hours ago
Given they are retroactively tampering with past archives it's not exactly trustworthy in the first place
Nuzzerino 12 hours ago
I always thought that mainstream media sites with paywalls were pretty far down there in the tier list of websites though. Not sure if this analogy lands unless irony was the goal.
acejam 2 hours ago
It amazes me that people still use and recommend Cloudflare's DNS servers for resolution. Cloudflare DNS does not support EDNS Client Subnet. As a result, DNS queries resolved by their service are likely to return IP addresses for many CDNs that are physically farther away from you, leading to a slower internet browsing and viewing experience.
Sacrificing performance for a faster lookup time makes no sense in 2026. This is the one area where I continue to use Google DNS as it just works. Use anything but Cloudflare in this case, please.
Parent pro-tip: Next time the iPad is having Bluey episode playback issues, check to see if you're actually using Cloudflare DNS.
anonym29 an hour ago
I, for one, completely trust Cloudflare on this one. The guys running a MiTM attack on a substantial chunk of all global internet traffic, and working tirelessly to ensure billions of people behind CGNAT in the global south can't access the free and open web are the premier experts on malicious, predatory, harmful internet-scale network behavior, after all.
ck2 3 hours ago
quad9 dnscrypt for the win
https://quad9.net/service/service-addresses-and-features/
Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled
IPv4
9.9.9.11
149.112.112.11
IPv6
2620:fe::11
2620:fe::fe:11
HTTPS
https://dns11.quad9.net/dns-query
TLS
tls://dns11.quad9.net
charcircuit 14 hours ago
When the heat dies down, hopefully this flag gets removed.
dydgbxx 14 hours ago
Why? It’s accurate and if the owner has chosen to do this for months now, why should we ever trust they won’t again? Nobody should ever use that site and every optional filter should block them.
winkelmann 14 hours ago
There's probably a worthwhile discussion to be had about what it takes for a site in this situation to be removed from blocklists. An apology? Surrender to authorities? Halting the malicious activity for a certain period of time?
Regardless, another user reports the attack is still ongoing[1], so this isn't a discussion that's going to happen about archive.today anytime soon.
leonidasv 12 hours ago
Also, they were caught tampering with saved webpages as well, so the website cannot be trusted to fulfill its main purpose anymore: https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
charcircuit 13 hours ago
>Why?
Because once the problematic content is removed it should no longer be blocked.
>It's accurate
It is neither a C&C server for a botnet, nor any other server related to a botnet. I would not call it accurate.
>Nobody should ever use that site
It has a good reputation for archiving sites, has stood the test of time, and doesn't censor pages like archive.org does, allowing you to actually see the history of news articles instead of them being deleted like archive.org does on occasion.
quotemstr 13 hours ago
Because it's not the place of a DNS resolver to police the internet.
bawolff 11 hours ago
Unlikely unless their behaviour changes.
They aren't being flagged because of the attention.
heraldgeezer 2 hours ago
Of course, they want to shut down the only good archive site. See, if you can save things it prevents editing and can bypass paywalls.
Can't have that.
Now, show me your ID to login to your Linux box.
andor 12 hours ago
Bulletproof hosting service not happy that someone is running their C&C infrastructure elsewhere