# our-work
- s
straight-continent-34777
08/24/2019, 5:09 AMCloudflare is the poor mans cdn. It’s good to start off with. But then you will grow and hit a scale where you realize that it fails miserably. - s
straight-continent-34777
08/24/2019, 5:10 AMWe learnt it the hard way at Zoomcar. Moved from cloudflare to Akamai and have never been happier. - s
straight-continent-34777
08/24/2019, 5:11 AMIt costs us roughly 5-10X of what cf would have billed us but we’re way more than happy on the performance. - t
tall-postman-9284
08/24/2019, 5:37 AMAkamai is THE cdn. It's a little unfair comparing the world's largest enterprise cdn with anyone else, even cloudflare. - s
straight-continent-34777
08/24/2019, 6:07 AMIts never a comparison. What I'm talking about is the natural path of progression... There are people I've seen, and in our case, our own people who felt Cloudflare is a better option because of the "cost savings". When we moved to akamai because of a push from me and our cto, we showed what akamai could do... - s
straight-continent-34777
08/24/2019, 6:08 AMsweet 200x traffic surge, no worries... the bloody AWS load balancers crashed under that load! - s
straight-continent-34777
08/24/2019, 6:08 AMAkamai held fort! - s
straight-continent-34777
08/24/2019, 6:09 AMAnd that apart, at a personal level, since I am part of the DNS dinosaur folk on the planet, I hate Cloudflare for implementing a "custom variation" of the DOH protocol and marketing it as the next best thing on the internet. Its a fucking abomination! - t
tall-postman-9284
08/24/2019, 6:10 AMWait cf doh is a custom variation? - t
tall-postman-9284
08/24/2019, 6:11 AMI thought there's only one variant everywhere. - s
straight-continent-34777
08/24/2019, 6:11 AMDoH isnt an RFC yet. Its a draft and CF has pushed for an implementation thats not entirely "accurate"? so to speak - s
straight-continent-34777
08/24/2019, 6:12 AMCFs DoH is incompatible with Google's DoH - t
tall-postman-9284
08/24/2019, 6:12 AMOkay. I'm not tracking dns world closely. I thought dns over https is a standard now. Any major issues with their implementations security? - s
straight-continent-34777
08/24/2019, 6:12 AMand is incompatible with a few other DoH implementations around town - s
straight-continent-34777
08/24/2019, 6:12 AMThere are major security issues... - t
tall-postman-9284
08/24/2019, 6:13 AMThe joys of standardizing on the internet. - s
straight-continent-34777
08/24/2019, 6:13 AMsince traffic flows on TLS 1.2, you've got no tracing. You cannot do Split horizon DNS, you cannot do jailing / filtering, blacklisting, etc - s
straight-continent-34777
08/24/2019, 6:13 AMAnd, there were a few security issues identified as recently as last month about malware flowing into networks via DoH - s
straight-continent-34777
08/24/2019, 6:14 AMthrough a bug in the CF implementation - t
tall-postman-9284
08/24/2019, 6:14 AMPoint me towards any writeups on this? - s
straight-continent-34777
08/24/2019, 6:14 AMwill do... Have them somewhere... - s
straight-continent-34777
08/24/2019, 6:14 AMI tend to keep a flowing tab on DoH since I run a DNS server from home - I run a DNSCrypt resolver... - s
straight-continent-34777
08/24/2019, 6:15 AMWhile DNSCrypt is again an IETF draft and not an RFC yet, its spec is pretty standard - PKI cryptography over plain DNS delivered on port 443 by default 🙂 - s
straight-continent-34777
08/24/2019, 6:15 AMIts like opening an SSH connection 😄 - s
straight-continent-34777
08/24/2019, 6:15 AMDOH is way more complicated than that... - t
tall-postman-9284
08/24/2019, 6:22 AMOkay. I wish dnscrypt is more widespread. Almost nobody supports it. - s
straight-continent-34777
08/24/2019, 6:23 AMI do.. - s
straight-continent-34777
08/24/2019, 6:23 AMqag.me is a dnscrypt resolver running from bangalore - t
tall-postman-9284
08/24/2019, 6:24 AMI mean yeah, you do, but mainstream support is lacking. No isps, very few public resolvers, etc - s
straight-continent-34777
08/24/2019, 6:25 AMISPs dont run dns resolvers anymore... they just run forwarders...