sys: net: dns: use Quad9 resolver

[OlegHahm]

Contribution description

Replaces Google's name servers with the OpenNIC Quad9 ones. This is better aligned with RIOT's spirit I belive.

Testing procedure

Build, for instance, gnrc_networking with auto_init_sock_dns and sock_dns enabled and try to ping riot-os.org.

[waehlisch]

i didn't know OpenNIC before but it seems more than a public recursive resolver. before we merge, i would like to get a better understanding of the consequences.

[riot-ci]

Murdock results

✔️ PASSED

395bdb8 sys: net: dns: use Quad resolver

Success	Failures	Total	Runtime
10249	0	10249	18m:17s

Artifacts

• Documentation preview

[benpicco]

TREX would be even better as it's a DNS64 service, so you can reach sites like GitHub via NAT64.

[OlegHahm]

I don't care that much whether we go with OpenNIC or any other resolver as a default as long as we move away from Google and the like. I didn't know about OpenNIC before, either - came across while reading through some recommendations from CCC. So, if anyone has a better proposal for a free and open public DNS resolver without censorship and that can be used via plain UDP (AFAIK RIOT's DNS resolver does not support encryption yet), I'm totally open for suggestions.

[OlegHahm]

TREX would be even better as it's a DNS64 service, so you can reach sites like GitHub via NAT64.

Doesn't seem to work:

┌─[oleg@applecore] - [~] - [2025-01-02 07:24:58]
└─[0] <> dig +short AAAA github.com @2001:67c:2b0::6
2001:67c:2b0:db32:0:1:8c52:7903
┌─[oleg@applecore] - [~] - [2025-01-02 07:25:02]
└─[0] <> ping -c1 2001:67c:2b0:db32:0:1:8c52:7903
PING 2001:67c:2b0:db32:0:1:8c52:7903 (2001:67c:2b0:db32:0:1:8c52:7903) 56 data bytes
From 2001:7f8:1d:18::72f8:85 icmp_seq=1 Destination unreachable: Source address failed ingress/egress policy

[maribu]

TREX is making DNS64 resolvers available to Finnish end users as part of a research project in association with the Finnish Future Internet programme and Internet Testbed Finland.

Maybe Geo-IP based allowlist?

Even if it would work we probably should not just ignore that they apparently don't want to provide the service to the general public.

[waehlisch]

OpenNIC maintains its own TLDs in parallel to ICANN, which doesn't seem a good approach to me.

if we are looking for a neutral, privacy-responsible resolver, my suggestion is to go for Quad9, https://quad9.net/service/service-addresses-and-features/.

[OlegHahm]

👍 If you trust them, I'm fine to trust them as well.

[benpicco]

TREX would be even better as it's a DNS64 service, so you can reach sites like GitHub via NAT64.

Doesn't seem to work:

'tis a pity.

level66 (2001:67c:2960::64) still works

2025-01-06 14:16:27,870 # ping github.com
2025-01-06 14:16:27,908 # 12 bytes from 2001:67c:2960:6464::8c52:7903: icmp_seq=0 ttl=46 time=25.083 ms
2025-01-06 14:16:28,897 # 12 bytes from 2001:67c:2960:6464::8c52:7903: icmp_seq=1 ttl=46 time=13.664 ms
2025-01-06 14:16:29,897 # 12 bytes from 2001:67c:2960:6464::8c52:7903: icmp_seq=2 ttl=46 time=13.631 ms
2025-01-06 14:16:29,897 # 
2025-01-06 14:16:29,898 # --- github.com PING statistics ---
2025-01-06 14:16:29,898 # 3 packets transmitted, 3 packets received, 0% packet loss
2025-01-06 14:16:29,899 # round-trip min/avg/max = 13.631/17.459/25.083 ms