>If you set cloudflare as your dns provider, they own the dns response they give you. If they get court-ordered to redirect you to a site saying this is illegal, is your preference for this to be over plaintext?
Very important distinction here, the people being 'impacted' by this court order are end-users who decide to use Cloudflare's recursive DNS resolver (1.1.1.1 / 1.0.0.1 etc).
There's also the topic of what authoritative nameserver a domain uses. And also if a domain uses Cloudflare's WAF/CDN services to front their website.
A website can use Cloudflare's WAF/CDN without using their authoritative nameserver, and vice versa.
In this case, every domain that's been ordered to be blocked was already using Cloudflare's WAF/CDN service. So Cloudflare did the block at that level, rather than changing how Cloudflare's recursive DNS resolver responds to DNS queries.
No additional TLS certificates were issued - they already had valid certs because they're fronting the domain.
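The three layers in that comment (recursive resolver, authoritative nameserver, WAF/CDN fronting) are independent, and a defender triaging a block wants to know which one is involved. The following is an added example, not from the original thread or from Cloudflare: given DNS data already collected (NS delegation, A records, and answers from several recursive resolvers), it reports which layers are in play and whether one resolver is answering differently from the rest. The Cloudflare proxy prefixes and the nameserver suffix are assumptions for illustration; the current proxy list is published by Cloudflare and should be used instead of the subset here.

```python
import ipaddress

# Assumption: an illustrative subset of Cloudflare's published proxy ranges.
# Fetch the current list from Cloudflare before relying on this in practice.
CF_PROXY_NETS = [ipaddress.ip_network(n) for n in
                 ("104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20")]
# Assumption: Cloudflare-hosted zones are delegated to <name>.ns.cloudflare.com.
CF_NS_SUFFIX = ".ns.cloudflare.com."


def cloudflare_layers(ns_records, a_records, resolver_answers):
    """Classify which Cloudflare layers a domain touches.

    ns_records       -- NS names from the zone's delegation (as returned by dig/NSD)
    a_records        -- A records returned for the web label by an unfiltered resolver
    resolver_answers -- {resolver_ip: set of A records} from several recursive resolvers
    """
    # Layer 1: is Cloudflare authoritative for the zone?
    cf_authoritative = bool(ns_records) and all(
        n.lower().endswith(CF_NS_SUFFIX) for n in ns_records)
    # Layer 2: is the site fronted by Cloudflare's reverse proxy (WAF/CDN)?
    cf_fronted = bool(a_records) and all(
        any(ipaddress.ip_address(a) in net for net in CF_PROXY_NETS) for a in a_records)
    # Layer 3: a resolver-level redirect shows up as one recursive resolver
    # returning an answer that no other resolver returns.
    answer_sets = {r: frozenset(v) for r, v in resolver_answers.items()}
    counts = {}
    for s in answer_sets.values():
        counts[s] = counts.get(s, 0) + 1
    divergent = sorted(r for r, s in answer_sets.items()
                       if len(counts) > 1 and counts[s] == 1)
    return {"cf_authoritative": cf_authoritative,
            "cf_fronted": cf_fronted,
            "divergent_resolvers": divergent}


if __name__ == "__main__":
    # Constructed sample: zone served by the owner's own NSD servers, site fronted
    # by Cloudflare's proxy, and every resolver agreeing. Any block here is at the
    # CDN layer, not in the recursive resolver, which matches the case above.
    print(cloudflare_layers(
        ["ns1.example.net.", "ns2.example.net."],
        ["104.16.1.1"],
        {"1.1.1.1": {"104.16.1.1"}, "9.9.9.9": {"104.16.1.1"}}))
```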
> A website can use Cloudflare's WAF/CDN without using their authoritative nameserver, and vice versa.
Is this true for the free accounts? My understanding was that only enterprise and possibly pro accounts permitted this. I thought that people using free accounts had to point their entire zone entirely to CF to be managed only by CF. I could be wrong.
I believe you're thinking of the domain registration side. If you want to use Cloudflare as your domain registrar, you must use their authoritative nameservers - unless you're on the enterprise plans.
I don't use them for either, they've got too much market share for my comfort.
No I am not referring to domain registration. I am fairly certain that if I want to use their free accounts I would have to point the root servers at them to manage my zones even though they are registered through a dozen other registrars. In other words I cannot manage my own DNS if I use their free accounts. It's not a big deal since I also do not use them. I make my own tiny CDNs when I need one. It's all hobby sites for me these days, retired from tech and no longer manage big zones.
So in other words, instead of being able to have the root servers provide the IP addresses of my bare metal servers running NSD NS records I would have to tell the root servers via the registrars I use to give the NS names/IPs of Cloudflare's DNS servers. The domains are still on the dozen registrars I use but CF have to be authoritative for them for the free accounts, or at least that is the way it was when I first played with CF after they stopped being honeypots that I contributed to. I would say custom DNS but nowadays that means 50 different things to 50 different DNS admins on HN. It's just apex NS records in the root anycast clusters.
You're right, I was mistaken. Using a CNAME or A record as the only method to direct traffic at a label towards Cloudflare's reverse proxy is not available on the Free or Pro tier.