What is always missing in these types of discussions is that these public caching resolvers (like Cloudflare, Google, …) are not the "intended" way to query a DNS record.
These resolvers get their DNS records through recursive DNS resolving, which is the "intended" way.
Basically when looking up "news.ycombinator.com" they first look up at the root servers (e.g. m.root-servers.net.), what the name server for "com." is (e.g. a.gtld-servers.net.), then through these name servers they look up what the name server for "ycombinator.com." is (e.g. ns-225.awsdns-28.com) and then they look up the subdomain "news.ycombinator.com." at the nameserver for "ycombinator.com.".
"Intended": it's not "unintended", but it's basically just a shortcut to the way you'd normally look up DNS records.
So the example with "it's the same as removing it from a phone book" isn't even correct.
It would be more like if you had a database that has faster access to every phone book, and you'd remove the domain only from that faster-access database, while you'd still be able to just look at the phone book, though it may not be as fast or as convenient.
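A small model of the lookup chain described in the comment above, added here as an example and not part of the original thread: it follows referrals from the root to the authoritative server and puts a filtering public resolver in front of the same data. The server names are the ones the comment mentions; the address `192.0.2.10`, the `SERVERS` table and all function names are constructed for illustration.

```python
# Constructed model of the delegation chain; no network access is used.
SERVERS = {
    "m.root-servers.net.": {"NS": {"com.": "a.gtld-servers.net."}},
    "a.gtld-servers.net.": {"NS": {"ycombinator.com.": "ns-225.awsdns-28.com."}},
    "ns-225.awsdns-28.com.": {"A": {"news.ycombinator.com.": "192.0.2.10"}},
}

def query(server, qname):
    """One non-recursive query: ('answer', ip), ('referral', ns) or ('nxdomain', None)."""
    data = SERVERS[server]
    if qname in data.get("A", {}):
        return "answer", data["A"][qname]
    # Referral: the longest delegated zone that is a suffix of qname.
    zones = [z for z in data.get("NS", {}) if qname == z or qname.endswith("." + z)]
    if zones:
        return "referral", data["NS"][max(zones, key=len)]
    return "nxdomain", None

def resolve_iteratively(qname, root="m.root-servers.net.", max_hops=8):
    """Walk root -> TLD -> authoritative; return (ip, list of servers asked)."""
    server, path = root, []
    for _ in range(max_hops):
        path.append(server)
        kind, value = query(server, qname)
        if kind == "answer":
            return value, path
        if kind == "nxdomain":
            return None, path
        server = value  # follow the referral one level down
    raise RuntimeError("referral loop")

class PublicResolver:
    """Caching resolver in front of the same hierarchy, with an optional filter list."""
    def __init__(self, blocked=()):
        self.blocked, self.cache = set(blocked), {}

    def lookup(self, qname):
        if qname in self.blocked:
            return None  # filtered at this resolver only; authoritative data is untouched
        if qname not in self.cache:
            self.cache[qname] = resolve_iteratively(qname)[0]
        return self.cache[qname]
```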
> Cloudflare has no mechanism for blocking websites through 1.1.1.1., and we have never blocked a website through our public resolver
Given 1.1.1.2 & 1.1.1.3 exist this is pretty obviously a massive lie.
Indeed they drive a coach and horses through the entire argument of the piece. Apparently unaccountable arbitrary blocking based on lists provided by organisations with a long history of bigotry and that actively discriminate against sex workers and queer people is fine as long as crooks and thieves are protected.
I don't like the anti-queer nature of the "family" filters either, but it's something that users are actively opting into. I would rather people deal with "family friendly" by configuring their family's DNS than by trying to change the public internet.
If I actively opted into genocide it still wouldn't be okay. The answer to issues like these is not and should not be "people pick it and that makes it okay".