
Change default DNS servers #975

Conversation

jidckii
Contributor

@jidckii jidckii commented Sep 11, 2023

DNS 9.9.9.9 applies filtering based on the VirusTotal database. My domain was included in this database by mistake and I spent several days debugging to understand what was wrong.
(screenshot: 2023-09-11_09-40-20)

After updating the cluster and the release of the 9.9.9.9 resolver, my sites in the yucca.app domain began to sometimes return HTTP 500; this is because nginx ingress cannot resolve the request on the incoming domain.

(screenshots: 2023-09-11_09-32-12, 2023-09-11_09-32-29, 2023-09-11_09-32-38)

I suggest not using a default DNS that applies any filtering, since it can lead to service failure. The use of such resolvers should be a conscious choice. On its website, Quad9 suggests using the address without filtering, so I replaced it in the default variable.

mysticaltech
Collaborator
mysticaltech previously approved these changes Sep 11, 2023

@mysticaltech mysticaltech left a comment

Yep, makes sense!

@M4t7e
Contributor

M4t7e commented Sep 11, 2023

Just my 5 cents:

I have often thought about the default DNS settings, and I still do. Technically all three are good and fast, but they have some hidden drawbacks...

  • Cloudflare DNS:
    They openly say that they observe, log and monitor all DNS requests made using their standard DNS resolvers with some level of anonymization. https://www.cloudflare.com/privacypolicy/
  • Google DNS:
    They also observe, log and monitor all DNS requests like Cloudflare. https://developers.google.com/speed/public-dns/faq#privacy
    Additionally, they send a so-called EDNS Client Subnet (ECS) option along with the DNS query to the authoritative servers, which simply contains a part of your source IP address.
    Example:
    # dig txt ecs.test.smartguard.io @8.8.8.8 +short
    "128.140.118.0/24"
    # dig txt ecs.test.smartguard.io @2001:4860:4860::8888 +short
    "2a01:4f8:c17:cd00::/56"
    
    # dig txt ecs.test.smartguard.io @1.1.1.1 +short
    "no ECS"
    # dig txt ecs.test.smartguard.io @9.9.9.9 +short
    "no ECS"
  • Quad9:
    The only privacy-friendly DNS resolver service, and not located in the US (nothing against the US in general, but their laws explicitly ignore EU law, as Edward taught us). But they don't serve all DNS answers uncensored anymore. There is a lawsuit ongoing from Sony Music Entertainment. They claim that Quad9 actively supports people in downloading music illegally (what bulls**t). See here for more info: https://www.quad9.net/news/blog/quad9-and-sony-music-german-injunction-update-for-july-2023

TL;DR
I think the Hetzner DNS resolvers may be a better default from a privacy and consistency perspective. Especially because the mixture between Cloudflare, Google and Quad9 can lead to toggle effects in case of some issues like this here. First something works, then it does not work, testing manually and it suddenly works again, and so on...
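As an added worked example (not code from this PR or from the kube-hetzner project), the script below turns the two checks discussed in this thread into something repeatable: it sends the same query to several recursive resolvers and flags any whose answer differs from an unfiltered reference (the symptom reported above: 9.9.9.9 returning NXDOMAIN for a name that 9.9.9.10 resolves), and it fetches the TXT record of ecs.test.smartguard.io, the ECS test used in the comment above. It uses only the Python standard library and builds the DNS packets by hand so the parsing can be exercised offline. Assumptions of this example: the resolver list and the yucca.app default name, the build_response helper (constructed packets, not captured traffic), and the heuristic that a synthesized NXDOMAIN often lacks the SOA record a genuine negative answer carries per RFC 2308; that 9.9.9.10 is Quad9's unfiltered address comes from the thread itself.

```python
"""Resolver consistency check, added for this thread (not kube-hetzner code).
Sends the same query to several recursive resolvers, flags the ones whose
answer differs from an unfiltered reference, and reproduces the ECS TXT test
from the comment above. Standard library only; parsing is kept separate from
networking so it can be exercised offline with constructed packets."""
import random
import socket
import struct

RCODE_NXDOMAIN = 3
TYPE_A, TYPE_SOA, TYPE_TXT, TYPE_OPT = 1, 6, 16, 41


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=None):
    """Minimal query: RD set, one question, one EDNS0 OPT record (4096-byte UDP payload)."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + opt


def build_response(txid, name, qtype=TYPE_A, rcode=0, a_records=(), txt=(), soa=False):
    """Constructed response packet (assumption for offline demos/tests, not captured traffic).
    Answers point back at the question name with a compression pointer (0xc00c)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1,
                         len(a_records) + len(txt), 1 if soa else 0, 0)
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    for ip in a_records:
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(ip)
    for s in txt:
        raw = s.encode("ascii")
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(raw) + 1) + bytes([len(raw)]) + raw
    if soa:  # a genuine negative answer carries an SOA in the authority section (RFC 2308)
        rdata = encode_name("ns1." + name) + encode_name("hostmaster." + name) + struct.pack("!IIIII", 1, 3600, 600, 86400, 300)
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 300, len(rdata)) + rdata
    return pkt


def skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Extract rcode, A and TXT answers, and whether the authority section has an SOA."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    res = {"txid": txid, "rcode": flags & 0xF, "a": [], "txt": [], "has_soa": False}
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(data, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
            off += 10
            rdata = data[off:off + rdlen]
            off += rdlen
            if section == "an" and rtype == TYPE_A and rdlen == 4:
                res["a"].append(socket.inet_ntoa(rdata))
            elif section == "an" and rtype == TYPE_TXT and rdlen:
                res["txt"].append(rdata[1:1 + rdata[0]].decode("ascii", "replace"))  # first string only
            elif section == "ns" and rtype == TYPE_SOA:
                res["has_soa"] = True
    return res


def classify(parsed, reference):
    """Compare one resolver's answer with the unfiltered reference resolver's answer.
    Heuristic (an assumption of this example, not a Quad9 API): a synthesized NXDOMAIN
    from a filtering resolver often lacks the SOA that a genuine negative answer carries."""
    if parsed["rcode"] == RCODE_NXDOMAIN and reference["rcode"] != RCODE_NXDOMAIN:
        return "FILTERED" if not parsed["has_soa"] else "NXDOMAIN (differs from reference)"
    if parsed["rcode"] != reference["rcode"] or sorted(parsed["a"]) != sorted(reference["a"]):
        return "DIFFERS"
    return "OK"


def query(resolver, name, qtype=TYPE_A, timeout=3.0):
    """One UDP query to a resolver; a reply with the wrong transaction id is rejected."""
    q = build_query(name, qtype)
    txid = struct.unpack_from("!H", q)[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["txid"] != txid:
        raise ValueError("transaction id mismatch from %s" % resolver)
    return parsed


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "yucca.app"   # domain from the report above
    # 9.9.9.10 is Quad9's unfiltered address (per the thread) and serves as reference;
    # add your hoster's resolvers (e.g. Hetzner's, from their docs) to this list as needed.
    resolvers = ["9.9.9.10", "9.9.9.9", "1.1.1.1", "8.8.8.8"]
    ref = query(resolvers[0], name)
    for r in resolvers:
        p = query(r, name)
        print("%-10s rcode=%d a=%s soa=%s -> %s" % (r, p["rcode"], p["a"], p["has_soa"], classify(p, ref)))
    for r in resolvers:   # the ECS test from the comment above: TXT shows the forwarded client subnet
        print("%-10s ECS: %s" % (r, query(r, "ecs.test.smartguard.io", TYPE_TXT)["txt"]))
```

Run it as `python3 check_resolvers.py yucca.app` on a node; a resolver marked FILTERED or DIFFERS while the reference resolves normally is the kind of inconsistency that produced the intermittent HTTP 500s reported above, and it is worth running against the hoster's resolvers too before switching a cluster default to them.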

@jidckii
Contributor Author

jidckii commented Sep 11, 2023

I agree with @M4t7e , maybe it makes sense to use resolvers from the hoster?

@mysticaltech
Collaborator

Sounds good folks, @jidckii let's default to Hetzner DNS servers then, and cite the current one in the kube.tf.example line to be uncommented if needed.

mysticaltech
Collaborator

@mysticaltech mysticaltech left a comment

@jidckii Just two small comments before we move on.

README.md (review comment; outdated, resolved)
@jidckii jidckii changed the title Change default DNS 9.9.9.9 to 9.9.9.10 Change default DNS servers Sep 12, 2023
@mysticaltech mysticaltech changed the base branch from master to staging September 12, 2023 19:23
@mysticaltech mysticaltech merged commit 49d0799 into kube-hetzner:staging Sep 12, 2023
1 check passed
@mysticaltech
Collaborator

Now live on v2.7.1. thanks again for this @jidckii, and for the great suggestion @M4t7e 👏


3 participants