Update default dns servers

According to https://safing.io/blog/2020/07/07/we-are-updating-portmasters-default-dns-servers/

resolver/config.go

@@ -13,46 +13,43 @@ var (
 	defaultNameServers = []string{
 		// Collection of default DNS Servers
 
-		// Default servers should be:
+		// For a detailed explanation how we choose our default resolvers, check out
-		// Anycast:
+		// https://safing.io/blog/2020/07/07/how-safing-selects-its-default-dns-providers/
-		// - Servers should be reachable from anywhere with reasonable latency.
-		// - Servers should be near to the user for geo-content to work correctly.
-		// Private:
-		// - Servers should not do any or only minimal logging.
-		// - Available logging data may not be used against the user, ie. unethically.
 
-		// Sadly, only a few services come close to fulfilling these requirements.
+		// These resolvers define a working set. Which provider we selected as the
-		// For now, we have settled for two bigger and well known services: Quad9 and Cloudflare.
+		// primary depends on the current situation.
-		// TODO: monitor situation and re-evaluate when new services become available
-		// TODO: explore other methods of making queries more private
 
 		// We encourage everyone who has the technical abilities to set their own preferred servers.
+		// For a list of configuration options, see
+		// https://github.com/safing/portmaster/wiki/DNS-Server-Settings
 
-		// Default 1: Quad9
+		// Quad9 (encrypted DNS)
-		"dot://9.9.9.9:853?verify=dns.quad9.net&name=Quad9&blockedif=empty",         // Quad9
+		// `dot://9.9.9.9:853?verify=dns.quad9.net&name=Quad9&blockedif=empty`,
-		"dot://149.112.112.112:853?verify=dns.quad9.net&name=Quad9&blockedif=empty", // Quad9
+		// `dot://149.112.112.112:853?verify=dns.quad9.net&name=Quad9&blockedif=empty`,
 
-		// Default 2: Cloudflare
+		// Cloudflare (encrypted DNS, with malware protection)
-		"dot://1.1.1.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip", // Cloudflare
+		`dot://1.1.1.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip`,
-		"dot://1.0.0.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip", // Cloudflare
+		`dot://1.0.0.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip`,
 
-		// Fallback 1: Quad9
+		// AdGuard (encrypted DNS, default flavor)
-		"dns://9.9.9.9:53?name=Quad9&blockedif=empty",         // Quad9
+		`dot://176.103.130.130:853?verify=dns.adguard.com&name=AdGuard&blockedif=zeroip`,
-		"dns://149.112.112.112:53?name=Quad9&blockedif=empty", // Quad9
+		`dot://176.103.130.131:853?verify=dns.adguard.com&name=AdGuard&blockedif=zeroip`,
 
-		// Fallback 2: Cloudflare
+		// Foundation for Applied Privacy (encrypted DNS)
-		"dns://1.1.1.2:53?name=Cloudflare&blockedif=zeroip", // Cloudflare
+		// `dot://94.130.106.88:853?verify=dot1.applied-privacy.net&name=AppliedPrivacy`,
-		"dns://1.0.0.2:53?name=Cloudflare&blockedif=zeroip", // Cloudflare
+		// `dot://94.130.106.88:443?verify=dot1.applied-privacy.net&name=AppliedPrivacy`,
 
-		// supported parameters
+		// Quad9 (plain DNS)
-		// - `verify=domain`: verify domain (dot only)
+		// `dns://9.9.9.9:53?name=Quad9&blockedif=empty`,
-		// future parameters:
+		// `dns://149.112.112.112:53?name=Quad9&blockedif=empty`,
-		//
+
-		// - `name=name`: human readable name for resolver
+		// Cloudflare (plain DNS, with malware protection)
-		// - `blockedif=empty`: how to detect if the dns service blocked something
+		// `dns://1.1.1.2:53?name=Cloudflare&blockedif=zeroip`,
-		//	- `empty`: NXDomain result, but without any other record in any section
+		// `dns://1.0.0.2:53?name=Cloudflare&blockedif=zeroip`,
-		//  - `refused`: Request was refused
+
-		//	- `zeroip`: Answer only contains zeroip
+		// AdGuard (plain DNS, default flavor)
+		// `dns://176.103.130.130&name=AdGuard&blockedif=zeroip`,
+		// `dns://176.103.130.131&name=AdGuard&blockedif=zeroip`,
 	}
 
 	CfgOptionNameServersKey   = "dns/nameservers"

resolver/resolver.go

@@ -32,6 +32,13 @@ var (
 // Resolver holds information about an active resolver.
 type Resolver struct {
 	// Server config url (and ID)
+	// Supported parameters:
+	// - `verify=domain`: verify domain (dot only)
+	// - `name=name`: human readable name for resolver
+	// - `blockedif=empty`: how to detect if the dns service blocked something
+	//	- `empty`: NXDomain result, but without any other record in any section
+	//  - `refused`: Request was refused
+	//	- `zeroip`: Answer only contains zeroip
 	Server string
 
 	// Name is the name of the resolver as passed via