i didn't know OpenNIC before but it seems more than a public recursive resolver. before we merge, i would like to get a better understanding of the consequences.

Murdock results

✔️ PASSED

395bdb8 sys: net: dns: use Quad resolver

Artifacts

• Documentation preview

TREX would be even better as it's a DNS64 service, so you can reach sites like GitHub via NAT64.

I don't care that much whether we go with OpenNIC or any other resolver as a default as long as we move away from Google and the like. I didn't know about OpenNIC before, either - came across while reading through some recommendations from CCC. So, if anyone has a better proposal for a free and open public DNS resolver without censorship and that can be used via plain UDP (AFAIK RIOT's DNS resolver does not support encryption yet), I'm totally open for suggestions.

TREX would be even better as it's a DNS64 service, so you can reach sites like GitHub via NAT64.

Doesn't seem to work:

┌─[oleg@applecore] - [~] - [2025-01-02 07:24:58]
└─[0] <> dig +short AAAA github.com @2001:67c:2b0::6
2001:67c:2b0:db32:0:1:8c52:7903
┌─[oleg@applecore] - [~] - [2025-01-02 07:25:02]
└─[0] <> ping -c1 2001:67c:2b0:db32:0:1:8c52:7903
PING 2001:67c:2b0:db32:0:1:8c52:7903 (2001:67c:2b0:db32:0:1:8c52:7903) 56 data bytes
From 2001:7f8:1d:18::72f8:85 icmp_seq=1 Destination unreachable: Source address failed ingress/egress policy

TREX is making DNS64 resolvers available to Finnish end users as part of a research project in association with the Finnish Future Internet programme and Internet Testbed Finland.

Maybe Geo-IP based allowlist?

Even if it would work we probably should not just ignore that they apparently don't want to provide the service to the general public.

OpenNIC maintains its own TLDs in parallel to ICANN, which doesn't seem a good approach to me.

if we are looking for a neutral, privacy-responsible resolver, my suggestion is to go for Quad9, https://quad9.net/service/service-addresses-and-features/.

👍 If you trust them, I'm fine to trust them as well.

TREX would be even better as it's a DNS64 service, so you can reach sites like GitHub via NAT64.

Doesn't seem to work:

'tis a pity.

level66 (2001:67c:2960::64) still works

2025-01-06 14:16:27,870 # ping github.com
2025-01-06 14:16:27,908 # 12 bytes from 2001:67c:2960:6464::8c52:7903: icmp_seq=0 ttl=46 time=25.083 ms
2025-01-06 14:16:28,897 # 12 bytes from 2001:67c:2960:6464::8c52:7903: icmp_seq=1 ttl=46 time=13.664 ms
2025-01-06 14:16:29,897 # 12 bytes from 2001:67c:2960:6464::8c52:7903: icmp_seq=2 ttl=46 time=13.631 ms
2025-01-06 14:16:29,897 # 
2025-01-06 14:16:29,898 # --- github.com PING statistics ---
2025-01-06 14:16:29,898 # 3 packets transmitted, 3 packets received, 0% packet loss
2025-01-06 14:16:29,899 # round-trip min/avg/max = 13.631/17.459/25.083 ms