
Posted by winkelmann 17 hours ago

Cloudflare flags archive.today as "C&C/Botnet"; no longer resolves via 1.1.1.2 (radar.cloudflare.com)
305 points | 230 comments | page 2
razingeden 16 hours ago|
Cloudflare dns has gone back and forth on whether it wants to resolve them since 2019. It’s taken that away and restored it again (intentionally? mistake?) at least four times.

The c&c/botnet designation would seem to be new though.

winkelmann 15 hours ago||
As far as I am aware, all previous issues with archive.today and Cloudflare were on account of archive.today taking measures to stop Cloudflare's DNS from correctly resolving their domains, not the other way around.

The current situation is due to Cloudflare flagging archive.today's domains for malicious activity, Cloudflare actually still resolves the domains on their normal 1.1.1.1 DNS, but 1.1.1.2 ("No Malware") now refuses. Exactly why they decided to flag their domains now, over a month after the denial-of-service accusations came out, is unclear, maybe someone here has more information.

Hamuko 14 hours ago|||
Sounds a bit like when "Finland geoblocked archive.today". In all actuality, there was no geoblocking of the site in Finland by any authorities or ISPs, but rather it was the website owner blocking all Finnish IPs after some undisclosed dispute with Finnish border agents. When something bad happens, people seem a bit too willing to give archive.today the benefit of the doubt.
kmeisthax 3 hours ago|||
For context, archive.today is angry that Cloudflare won't pass through EDNS - which includes things like your IP address, which archive.today explicitly wants for DNS-based geographical routing. The obvious problem with this is that it would deanonymize all 1.1.1.1 users, at least down to their ISP and probably down to the individual subscriber.
akerl_ 15 hours ago|||
Have they? The thing I remember previously was archive.is, and it wasn’t a block, archive.is was serving intentionally wrong responses to queries from cloudflare’s resolvers.

This is notably not a change to how 1.1.1.1 works, it’s specifically their filtered resolution product.

https://news.ycombinator.com/item?id=19828702

altairprime 16 hours ago|||
Intentionally, I believe? archive.today iirc has been explicitly blocking Cloudflare from resolving them at various times over the years due to Cloudflare DNS withholding requesting-user PII (IP address) in DNS lookups.

Looking forward to when Google Safe Browsing adds their domains as unsafe, as that ripples to Chrome and Firefox users.

vachina 12 hours ago||
> Cloudflare dns has gone back and forth.

Just tells me they are an unreliable resolver. Instead of being a neutral web infra, they actively participate in political agendas and censor things they "think" are wrong.

akerl_ 10 hours ago|||
1. As noted in prior comments, Cloudflare wasn’t blocking this site previously. The site operator chose to make their site unresolvable by Cloudflare.

2. 1.1.1.2, the resolver being discussed in this post, is explicitly Cloudflare’s malware-filtered DNS host. 1.1.1.1 does not filter this site.

hrmtst93837 9 hours ago|||
If you want "neutral" DNS now, run your own resolver and hope upstreams don't backstab you later, because outsourced trust never comes free.
akerl_ 8 hours ago||
Are there any examples of 1.1.1.1 or 8.8.8.8 not being neutral?
lagniappe 2 hours ago||
Cloudflare considered harmful
landr0id 2 hours ago|
They aren’t wrong. They’re literally using scripts on their site in an attempt to DDoS a blog which (partially?) de-anonymized the archive.today operator.
bunbun69 10 hours ago||
Good. What archive.today is doing is illegal
croes 9 hours ago|
Two wrongs don’t make a right.
Cytobit 9 hours ago|||
True, but not relevant.
croes 9 hours ago||
Relevant because Cloudflare manipulated the DNS using a false reasoning
cuu508 9 hours ago||
1.1.1.2 blocks malware, and archive.today performs DDOS. Where's the false reasoning?
croes 7 hours ago||
It’s not a C&C/Botnet
cuu508 7 hours ago||
It is C&C -- it instructs their site visitors to DOS a specific site.
croes 6 hours ago||
A C&C controls a botnet, where is the botnet?
cuu508 6 hours ago||
The browsers of their site visitors.
croes 6 hours ago||
If you need to be on the site it’s not a botnet and there is no C&C server coordinating the attack. It’s just the JS on the site that makes the attack.
jojomodding 3 hours ago|||
> If you need to be on the site it’s not a botnet

Why? I did not visit the site to participate in a DoS attack; yet my machine was coaxed into participating against my will. Whether this is happening in JS or a drive-by download or a browser 0-day is irrelevant.

croes 3 hours ago||
You did participate in archive.today’s DDoS without visiting the site?

How if it’s JS code in the site?

Hamuko 4 hours ago|||
Does this mean that the Great Cannon of China is not a botnet because it stops working when you close your browser?
croes 3 hours ago||
Does the Great Cannon of China coordinate the attacks?

Does archive.today?

Hijacking a software like the browser is something completely different to a simple JS on a website.

Hamuko 3 hours ago||
>Does the Great Cannon of China coordinate the attacks?

Yes.

>Does archive.today?

Yes.

croes 2 hours ago||
How does archive.today coordinate the attack?
fastball 1 hour ago||
By telling visitor browsers to DoS the site.
croes 26 minutes ago||
That’s not really coordinating.

It’s just a website with a simple request loop, no C&C server tells when the attacks have to happen.

This doesn’t make your browser a bot

  setInterval(function() {
    fetch("https://gyrovague.com/?s=" + Math.random().toString(36).substring(2, 3 + Math.random() * 8), {
      referrerPolicy: "no-referrer",
      mode: "no-cors"
    });
  }, 300);
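
Added example (not part of the thread or of any commenter's post): one way a defender could spot the request pattern of the snippet quoted above in proxy logs, using its three observable traits: no Referer, a short random `s` value on every request, and a steady gap of about 300 ms. The log format, hostnames and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log records (not real traffic):
# epoch-seconds  client  requested-URL  Referer ("-" = header absent)
SAMPLE_LOG = """\
1000.00 10.0.0.5 https://blog.example/?s=k3 -
1000.31 10.0.0.5 https://blog.example/?s=9xq2a -
1000.60 10.0.0.5 https://blog.example/?s=b -
1000.92 10.0.0.5 https://blog.example/?s=0f7zt1 -
1001.20 10.0.0.5 https://blog.example/?s=mm4 -
1001.51 10.0.0.5 https://blog.example/?s=q81xw2ab -
1000.10 10.0.0.7 https://status.example/?s=health -
1000.40 10.0.0.7 https://status.example/?s=health -
1000.70 10.0.0.7 https://status.example/?s=health -
1001.00 10.0.0.7 https://status.example/?s=health -
1001.30 10.0.0.7 https://status.example/?s=health -
1001.60 10.0.0.7 https://status.example/?s=health -
1002.00 10.0.0.9 https://blog.example/?s=dns https://blog.example/
1040.00 10.0.0.9 https://blog.example/?s=edns https://blog.example/
"""

# The snippet's substring(2, 3 + Math.random() * 8) yields 1 to 8 base-36 characters.
S_VALUE = re.compile(r"[0-9a-z]{1,8}")


def find_request_loops(log_text, min_hits=5, period=0.3, tolerance=0.1):
    """Return (client, host) pairs whose traffic matches the timed-fetch pattern."""
    groups = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, url, referer = line.split()
        parts = urlsplit(url)
        values = parse_qs(parts.query).get("s", [])
        # Shape of one request: root path, single short "s" value, no Referer.
        if (parts.path == "/" and referer == "-" and len(values) == 1
                and S_VALUE.fullmatch(values[0])):
            groups[(client, parts.hostname)].append((float(ts), values[0]))

    findings = []
    for (client, host), hits in sorted(groups.items()):
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        unique_ratio = len({v for _, v in hits}) / len(hits)
        # Timer-driven (steady ~300 ms gaps) and cache-busting (values rarely repeat).
        if abs(median(gaps) - period) <= tolerance and unique_ratio >= 0.8:
            findings.append({"client": client, "host": host, "hits": len(hits),
                             "median_gap": round(median(gaps), 3)})
    return findings


if __name__ == "__main__":
    for finding in find_request_loops(SAMPLE_LOG):
        print(finding)
```

The fixed-value poller (10.0.0.7) and the human search with a Referer (10.0.0.9) are not flagged; only the client sending a fresh random value on a timer is.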
_moof 15 hours ago||
Good. You don't get to use my computer for a DDoS. I don't care why the DDoS was happening. I wasn't asked, and that's a serious breach of trust.
rdevilla 15 hours ago||
[flagged]
winkelmann 14 hours ago||
Call me naive, but I still believe that people generally disapprove of their internet connection being abused to conduct cyber-attacks.
rdevilla 14 hours ago||
There are many things people disapprove of that others will unilaterally visit upon them anyway. This is the world of 2026. It's not a normative claim but a descriptive one of the reality we live in today.
longislandguido 13 hours ago||
Breach of trust by a site whose unstated primary purpose is bypassing paywalls and ripping off content?

20 years ago during the P2P heyday this was assumed to come with the territory. Play with fire and you could get burned.

If you walk into a seedy brothel in the developing world, your first thought should be "I might get drugged and robbed here" and not what you're going to type in the Yelp review later about their lack of ethics.

bawolff 12 hours ago|||
Well if we are going to use this analogy, 20 years ago virus scanners also flagged malicious stuff from p2p as a virus, and people still thought putting malicious content on p2p was a shitty thing for someone to do (even if it was somewhat expected).

Nobody was shedding any tears 20 years ago for the virus makers who had their viruses flagged by virus scanners.

kay_o 13 hours ago||||
Given they are retroactively tampering with past archives it's not exactly trustworthy in the first place
JasonADrury 12 hours ago|||
Are they tampering with the actual content, or the stuff (login ui, etc) which they have always been open about tampering with?
colejohnson66 1 hour ago||
Content. https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
vachina 12 hours ago|||
Proof?
Hamuko 11 hours ago||
https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
flexagoon 4 hours ago||
That doesn't say anything about them tampering with archive content
frenchtoast8 3 hours ago||
Yes it does. The last section of the article.

https://megalodon.jp/2026-0219-1634-10/https://archive.ph:44...

This is an archive of an Archive.is archive of a blog post. The first sentence of the post says “Jani Patokallio was a woman of exceptional intellect…” This was changed, it originally had someone else’s name (see second paragraph). So, who knows what other archived pages were changed?

Nuzzerino 13 hours ago|||
I always thought that mainstream media sites with paywalls were pretty far down there in the tier list of websites though. Not sure if this analogy lands unless irony was the goal.
jojomodding 3 hours ago||
I trust websites not to involve me in crime. I trust news websites to tell me the news. I trust archive websites to give me old versions of websites. I trust paywall circumvention websites to circumvent paywalls.

What I do not see is the irony you insinuate in your post. It is not immoral to charge people for content, nor does that make you less credible. (It might even make you more credible since you now earn money by having happy customers instead of serving more ads.)

Some news sources are not trustworthy but that's independent of there being a paywall.

acejam 3 hours ago||
It amazes me that people still use and recommend Cloudflare's DNS servers for resolution. Cloudflare DNS does not support EDNS Client Subnet. As a result, DNS queries resolved by their service are likely to return IP addresses for many CDNs that are physically farther away from you, leading to a slower internet browsing and viewing experience.

Sacrificing performance for a faster lookup time makes no sense in 2026. This is the one area where I continue to use Google DNS as it just works. Use anything but Cloudflare in this case, please.

Parent pro-tip: Next time the iPad is having Bluey episode playback issues, check to see if you're actually using Cloudflare DNS.

tredre3 1 hour ago||
Without ECS, the CDN will default to the closest one to the resolver, and cloudflare has resolvers in all major cities.

Given that the vast majority of us live in or near a major city, it means that your vaguely gloom and doom commentary doesn't apply.

If you live in the boondocks or if CDN matching misbehaves for some reason, by all means run benchmarks!

But all other things being equal, Cloudflare's privacy policy is better than Google's.
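
Added example (not part of the thread or of any commenter's post): the wire format of the EDNS Client Subnet option (RFC 7871, option code 8) that comments in this thread refer to, encoded and decoded so the exact bytes a resolver would forward to an authoritative server are visible. The client addresses are constructed documentation addresses, and the /24 and /56 prefix lengths are sample inputs.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet, RFC 7871


def build_ecs_option(client_ip, prefix_len):
    """Encode the ECS option a resolver would attach on behalf of this client."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2  # address family: 1 = IPv4, 2 = IPv6
    network = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    # Only the bytes covering the prefix are sent; the host bits are zeroed.
    addr = network.network_address.packed[: (prefix_len + 7) // 8]
    # FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries), ADDRESS
    body = struct.pack("!HBB", family, prefix_len, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(option):
    """Decode an ECS option into the subnet the authoritative server sees."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source_len, scope_len = struct.unpack("!HBB", option[4:8])
    if family == 1:
        net_cls, size = ipaddress.IPv4Network, 4
    elif family == 2:
        net_cls, size = ipaddress.IPv6Network, 16
    else:
        raise ValueError("unknown address family")
    # Re-pad the truncated address to full width before interpreting it.
    addr = option[8:].ljust(size, b"\x00")
    return {"subnet": str(net_cls((addr, source_len))), "scope": scope_len}


if __name__ == "__main__":
    # Constructed sample clients (documentation address ranges).
    for ip, plen in [("203.0.113.77", 24), ("2001:db8:abcd:1234::1", 56)]:
        opt = build_ecs_option(ip, plen)
        print(ip, "->", opt.hex(), parse_ecs_option(opt))
```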

ck2 4 hours ago||
quad9 dnscrypt for the win

https://quad9.net/service/service-addresses-and-features/

       Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled

       IPv4
       9.9.9.11
       149.112.112.11
       IPv6
       2620:fe::11
       2620:fe::fe:11
       HTTPS
       https://dns11.quad9.net/dns-query
       TLS
       tls://dns11.quad9.net
anonym29 2 hours ago||
I, for one, completely trust Cloudflare on this one. The guys running a MiTM attack on a substantial chunk of all global internet traffic, and working tirelessly to ensure billions of people behind CGNAT in the global south can't access the free and open web are the premier experts on malicious, predatory, harmful internet-scale network behavior, after all.
charcircuit 15 hours ago||
When the heat dies down, hopefully this flag gets removed.
dydgbxx 15 hours ago||
Why? It’s accurate and if the owner has chosen to do this for months now, why should we ever trust they won’t again? Nobody should ever use that site and every optional filter should block them.
winkelmann 14 hours ago|||
There's probably a worthwhile discussion to be had about what it takes for a site in this situation to be removed from blocklists. An apology? Surrender to authorities? Halting the malicious activity for a certain period of time?

Regardless, another user reports the attack is still ongoing[1], so this isn't a discussion that's going to happen about archive.today anytime soon.

[1] https://news.ycombinator.com/item?id=47474777

ryandrake 14 hours ago|||
I suppose “evidence that the site’s leadership has permanently changed” would convince me. Whoever decided to put in the code that causes visitors to DDOS someone should never be running a web site again.
tumdum_ 9 hours ago||
So, in your mind, there is no way for an individual owning archive.today to recover from this?
ryandrake 4 hours ago||
I mean, probably not. Maybe if they posted a public apology (an actual one, not a 'I'm sorry I was caught' one), listed the steps that they would take to ensure it doesn't happen again and how the fact that they weren't doing it could be publicly verified.

They've shown they're willing to deliberately weaponize their users to fight a personal dispute with someone, and didn't take corrective action when called out. Trustworthiness is something you lose and don't get back.

jojomodding 3 hours ago|||
If there was an apology it could be considered, depending on the apology (i.e. is it earnest?). But so far that does not seem to happen.
leonidasv 13 hours ago||||
Also, they were caught tampering with saved webpages as well, so the website cannot be trusted to fulfill its main purpose anymore: https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
charcircuit 14 hours ago||||
>Why?

Because once the problematic content is removed it should no longer be blocked.

>It's accurate

It is neither a C&C server for a botnet, nor any other server related to a botnet. I would not call it accurate.

>Nobody should ever use that site

It has a good reputation for archiving sites, has stood the test of time, and doesn't censor pages like archive.org does, allowing you to actually see the history of news articles instead of them being deleted like archive.org does on occasion.

3eb7988a1663 14 hours ago|||
The site started doctoring archived versions as part of the petty feud. That is, what was supposed to be a historical record, suddenly had content manipulated so as to feed into this fight[0]. There is no redemption. You want to be an archive, you keep it sacrosanct. Put an obvious hosting-site banner overlay if you must, but manipulating the archive is a red-line that was crossed.

  ...On 20 February 2026, English Wikipedia banned links to archive.today, citing the DDoS attack and evidence that archived content was tampered with to insert Patokallio's name.[19] The decision was made despite concerns over maintaining content verifiability[19] while removing and replacing the second-largest archiving service used across the Wikimedia Foundation's projects.[20] The Wikimedia Foundation had stated its readiness to take action regardless of the community verdict.[19][20]
[0] https://en.wikipedia.org/wiki/Archive.today
boredhedgehog 13 hours ago|||
That line of argument is rather misleading, as some kind of content manipulation is inherent to the service an archive that violates paywalls has to provide. It needs to conceal the accounts it uses to access these websites, and their names and traces are often on the pages it's archiving.

Did AT go beyond that and manipulate any relevant part? That's rather difficult to say now. AT is obviously tampering with evidence, but so is Wikipedia; their admins have heavily redacted their archived Talk pages out of fear one of these pseudonyms might be an actual person, so even what exactly WP accuses AT of is not exactly clear.

charcircuit 12 hours ago||||
While I disagree with that action I still trust the site as a reliable source. Redemption is possible. Maybe not for Wikipedia, but I don't care about that site and consider it rotten.
JasonADrury 14 hours ago|||
[flagged]
tredre3 14 hours ago||
If archive.today was known to be run by God himself, I would still describe what he is doing as a DDoS and breaching the trust of its users by abusing their browser and bandwidth to conduct his battles.
JasonADrury 13 hours ago||
I think you replied to the wrong comment? That doesn't address what I wrote in any way whatsoever.

Unless you're arguing that the response by archive.today retroactively justifies the behaviour of Jani Patokallio, which would be a bizarre take.

InsideOutSanta 14 hours ago||||
It's not just problematic content, it's criminal behavior. And the site has a bad reputation for archival, given that the owner altered the content of archived articles.
JasonADrury 12 hours ago|||
>It's not just problematic content, it's criminal behavior.

How is that supposed to be a big deal when one of the core services archive.today provides is obviously illegal anyway?

InsideOutSanta 10 hours ago||
I'm not sure how illegal copyright violations really are, given that all major tech companies are doing it. DDoS attacks, on the other hand, are pretty clear-cut.

I also think "but they also do that other crime" doesn't help their case.

JasonADrury 8 hours ago||
I think the DDoS is clearly problematic, I just don't think it's problematic because it's criminal.

It's problematic because it's childish and pointlessly degrades the user experience.

charcircuit 12 hours ago|||
The site commits copyright infringement by showing you content it doesn't have the rights for. This is not the kind of site to go on about morals for.

>the site has a bad reputation

Not compared to archive.org. archive.is has a much better track record.

InsideOutSanta 10 hours ago||
I'm not sure whether you're making a joke or confusing the two websites.
walletdrainer 9 hours ago||
You’re just not at all familiar with the subject.

Archive.org is awful. It allows site owners and random third parties to edit old archived pages.

Archive.today does not.

Hamuko 8 hours ago|||
Is it that much better that Archive.today reserves the right to edit old archived pages for the owner whenever they have a petty grudge with someone?

At least site owners have the copyright on the pages that Archive.org saves. They can just get the content pulled through DMCA anyway.

ddydjjffntn 3 hours ago|||
Folks keep saying this

Do you actually mean edit or do you just mean delete

Both are problematic, but falsifying a historic record is orders of magnitude worse than deleting one, and conflating them would be extremely dishonest

gbear605 14 hours ago|||
It is in fact a botnet - they’ve been hijacking user browsers to act as a botnet to DDoS.
charcircuit 13 hours ago||
Are Hacker News users part of a botnet since they link to sites that when people click they go down due to all of the traffic? Am I part of a botnet if I have HN open as it means HN can execute javascript? I think it's stretching the definition.
gbear605 1 hour ago||
Hacker News absolutely would be if it was making those requests to random sites that the user doesn’t know about, and have no reason to be making requests to other than attacking them.

I suppose if all the users go on the site intentionally wanting to take part in a DDoS, then sure it’s not a botnet. But that’s not reality.

JasonADrury 15 hours ago||||
[flagged]
quotemstr 14 hours ago|||
Because it's not the place of a DNS resolver to police the internet.
qzzi 14 hours ago|||
1.1.1.1 is simply a free DNS, 1.1.1.2 blocks malware, and 1.1.1.3 blocks both malware and adult content. It's a service that does exactly what it's supposed to do.
ryandrake 14 hours ago||||
If I specifically choose a DNS server that promises to not resolve sites that will use my computer in a botnet, then it is that DNS resolver’s place to do that.
dqh 14 hours ago||||
This particular resolver is an opt-in service for users that want Cloudflare to block anything that Cloudflare designates as malware.
bawolff 12 hours ago|||
Literally what the product is here.
bawolff 12 hours ago||
Unlikely unless their behaviour changes.

They aren't being flagged because of the attention.

ddactic 12 hours ago|
[dead]