Cloudflare flags archive.today as "C&C/Botnet"; no longer resolves via 1.1.1.2

322 points - today at 3:43 AM

Comments

winkelmann today at 3:43 AM
"archive.today is currently categorized as: * CIPA Filter * Reference * Command and Control & Botnet * DNS Tunneling"

Ditto for their other domains like archive.is and archive.ph

Example DoH request:

    $ curl -s "https://1.1.1.2/dns-query?name=archive.is&type=A" -H "accept: application/dns-json"

    {"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"archive.is","type":1}],"Answer":[{"name":"archive.is","type":1,"TTL":60,"data":"0.0.0.0"}],"Comment":["EDE(16): Censored"]}

---

Relevant HN discussions:

https://news.ycombinator.com/item?id=46843805 "Archive.today is directing a DDoS attack against my blog"

https://news.ycombinator.com/item?id=47092006 "Wikipedia deprecates Archive.today, starts removing archive links"

https://news.ycombinator.com/item?id=46624740 "Ask HN: Weird archive.today behavior?" - Post about the script used to execute the denial-of-service attack

Wikipedia page on deprecating and replacing archive.today links:

https://en.wikipedia.org/wiki/Wikipedia:Archive.today_guidan...
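
Added example, not part of the original post: the response quoted above has Status 0 (NOERROR), so a client or monitor that only checks the return code sees a successful lookup. This sketch classifies an application/dns-json body by its Extended DNS Error codes (RFC 8914) and by all-zero answers; the function name, the verdict labels and the second sample are assumptions made for illustration.

```python
import json
import re

# Response body copied from the post above (1.1.1.2, archive.is, type A).
SAMPLE_BLOCKED = '{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"archive.is","type":1}],"Answer":[{"name":"archive.is","type":1,"TTL":60,"data":"0.0.0.0"}],"Comment":["EDE(16): Censored"]}'
# Constructed for contrast: an unfiltered answer (192.0.2.10 is a documentation address).
SAMPLE_OPEN = '{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"example.com","type":1}],"Answer":[{"name":"example.com","type":1,"TTL":300,"data":"192.0.2.10"}]}'

# RFC 8914 Extended DNS Error codes that signal a policy decision by the resolver.
POLICY_EDE = {15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited"}
SINKHOLE_ADDRS = {"0.0.0.0", "::"}
EDE_RE = re.compile(r"EDE\((\d+)\)")


def classify_doh_json(body):
    """Return (verdict, details) for one application/dns-json response body."""
    msg = json.loads(body)
    comments = msg.get("Comment") or []
    if isinstance(comments, str):  # tolerate a bare string as well as a list
        comments = [comments]
    codes = [int(m.group(1)) for c in comments for m in EDE_RE.finditer(c)]
    # Only A (1) and AAAA (28) records carry an address that can be a sinkhole.
    addrs = [a.get("data") for a in msg.get("Answer", []) if a.get("type") in (1, 28)]
    details = {"rcode": msg.get("Status"), "ede": codes, "addresses": addrs}
    if any(code in POLICY_EDE for code in codes):
        return "filtered", details
    if addrs and all(a in SINKHOLE_ADDRS for a in addrs):
        # All-zero answer without an EDE: likely filtered, but not labelled as such.
        return "sinkholed-no-ede", details
    if msg.get("Status") == 3:
        return "nxdomain", details
    return "resolved", details


if __name__ == "__main__":
    for sample in (SAMPLE_BLOCKED, SAMPLE_OPEN):
        print(classify_doh_json(sample))
```

Checking the EDE code first matters because the all-zero address alone is ambiguous, while code 16 states that the resolver itself applied the block.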

rollulus today at 7:43 AM
I think there are two angles to look at this. Yes, there’s the attack on the weblog. But there’s also pressure on archive.today, e.g. an FBI investigation [1] and some entity using fictitious CSAM allegations [2].

[1]: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tri...

[2]: https://adguard-dns.io/en/blog/archive-today-adguard-dns-blo...

f-serif today at 7:57 AM
A bit of context if you are confused about why a public DNS server is blocking websites. 1.1.1.2 is a malware-blocking DNS server, similar to an AdBlock DNS server. It is not 1.1.1.1 and 1.0.0.1.

Here is the DDoS context https://gyrovague.com

1vuio0pswjnm7 today at 4:49 PM
Some time ago, probably at least a year, likely more, I read a blog post by someone working for Google in Europe who loved using Archive.today and out of curiosity tried to determine who was running it. In the end he gave up, offered to buy the operator a beer or something like that, but if I recall correctly he went to even greater lengths in his research than the blogger discussed in this thread

I wish I could find it

stuffoverflow today at 5:36 AM
Archive.today's attack on https://gyrovague.com is still ongoing btw. It started just over two months ago. Some IPs get through normally, but for example Finnish residential IPs get stuck on endless captchas. The JS snippet that starts spamming gyrovague appears after solving the first captcha.

kmfrk today at 2:30 PM
What a crazy timeline this has been.

(1) May 04 2019: "Tell HN: Archive.is inaccessible via Cloudflare DNS (1.1.1.1)" [https://news.ycombinator.com/item?id=19828317]

    eastdakota on May 4, 2019 on: Tell HN: Archive.is inaccessible via Cloudflare DNS...

    [Via https://news.ycombinator.com/item?id=19828702]
    
    We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
   
    Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
   
    The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nation-state actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.
    
    EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.
    
    We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.

(2) Sep 11 2021: "Does Cloudflare's 1.1.1.1 DNS Block Archive.is? (2019) (jarv.is)" [https://news.ycombinator.com/item?id=28495204]

GTP today at 5:13 PM
I reported the misclassification; you can do it as well from the linked page.

Edit: reading some comments here, it seems that I was too fast, and that the story is much more complicated. Having just the Cloudflare page as context, I assumed the news was a misclassification. Could someone share more context on what is going on here?

PeterStuer today at 7:37 AM
Otoh, without archive.today a substantial % of HN posts would be unreadable for nearly all of the audience.

jeremie_strand today at 11:22 AM
The DNS tunneling flag alongside C&C/botnet is the odd one — that category implies data exfiltration or firewall bypass, not just aggressive crawling or DDoS behavior. Would be interesting to know what traffic pattern triggered it.

breppp today at 7:39 AM
While I fully support this instance, I wonder what else Cloudflare has set to "Censored", apart from the obvious CSAM

razingeden today at 4:28 AM
Cloudflare dns has gone back and forth on whether it wants to resolve them since 2019. It’s taken that away and restored it again (intentionally? mistake?) at least four times.

The c&c/botnet designation would seem to be new though.

bunbun69 today at 10:42 AM
Good. What archive.today is doing is illegal

_moof today at 5:27 AM
Good. You don't get to use my computer for a DDoS. I don't care why the DDoS was happening. I wasn't asked, and that's a serious breach of trust.

lagniappe today at 6:09 PM
Cloudflare considered harmful

acejam today at 4:57 PM
It amazes me that people still use and recommend Cloudflare's DNS servers for resolution. Cloudflare DNS does not support EDNS Client Subnet. As a result, DNS queries resolved by their service are likely to return IP addresses for many CDNs that are physically farther away from you, leading to a slower internet browsing and viewing experience.

Sacrificing performance for a faster lookup time makes no sense in 2026. This is the one area where I continue to use Google DNS as it just works. Use anything but Cloudflare in this case, please.

Parent pro-tip: Next time the iPad is having Bluey episode playback issues, check to see if you're actually using Cloudflare DNS.

ck2 today at 4:41 PM
quad9 dnscrypt for the win

https://quad9.net/service/service-addresses-and-features/

       Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled

       IPv4
       9.9.9.11
       149.112.112.11
       IPv6
       2620:fe::11
       2620:fe::fe:11
       HTTPS
       https://dns11.quad9.net/dns-query
       TLS
       tls://dns11.quad9.net

charcircuit today at 5:06 AM
When the heat dies down, hopefully this flag gets removed.

anonym29 today at 5:59 PM
I, for one, completely trust Cloudflare on this one. The guys running a MiTM attack on a substantial chunk of all global internet traffic, and working tirelessly to ensure billions of people behind CGNAT in the global south can't access the free and open web are the premier experts on malicious, predatory, harmful internet-scale network behavior, after all.

heraldgeezer today at 5:55 PM
Of course, they want to shut down the only good archive site. See, if you can save things it prevents editing and can bypass paywalls.

Can't have that.

Now, show me your ID to login to your Linux box.

andor today at 7:02 AM
Bulletproof hosting service not happy that someone is running their C&C infrastructure elsewhere