Container to resolve native DOH issues

Hi all. I was wondering if I could ask for some advice and I think a container is the way to go for how to resolve my issue. I’ve recently migrated to Mikrotik from pfsense. I have been using DNS over TLS/HTTPS for years (since the moment I could). I’m pretty disappointed to see that the Mikrotik implementation of DOH is pretty terrible (my household has all reported various connection issues to sites since the Mikrotik went in, I myself just had a miss going to newegg which resolved itself after a simple page reload). If I’m going to keep this thing I’m thinking that the way to work around it is to use a container for my dns (something like unbound perhaps). Does anyone have any suggestions for specific containers or anything like that?

Thanks!

They made some fixes to DNS in 7.7, so maybe that might help.

There is https://hub.docker.com/r/klutchell/unbound container and it’s pretty lightweight. You’d have to follow all the instruction to enable containers, and then use the container’s IP address as the DNS address. You won’t need any mount/env for this container if all you want is a local resolver… But to enable DOH upstream, or any “custom” configuration, you should use a mount for “/etc/unbound” to some local path on the mikrotik so the configuration persist if you remove/update the container image. All possible, but not for the faint of heart, since it’s quite a few steps I’m summarizing here.

Ya I’m on 7.7 already and DOH client is still very unstable. Maybe it’s specific to nextdns but whatever it is it is an issue. I just followed the instructions to enable containers, now on to step 2.

Even pihole container also may work here too, which I believe uses a fork dnsmasq.

But since you asked about unbound, that works too – very lightweight, but no GUI. Pretty much same steps, just different thing DockerHub to “pull”.

Have you tried any containers until now?

You can try this one:
https://hub.docker.com/r/satishweb/doh-server

I do not know the project and it should be inspected before usage but it seems legit on the surface
You can see the variables that can be used for the container in this docker-compose.yml example or in the docker hub page:
https://github.com/0x49b/dockerfiles/blob/bad31b1dafffdf95cfc7a83c7f012ae80245b501/doh-server/docker-compose.yml

The sources of the project are at:
https://github.com/satishweb/docker-doh

Let me know if it’s any good for you.
Also, you can use the MT as your next hop DNS.

… That is if I got you right.
Or you can try to peek at:
https://wiki.archlinux.org/title/DNS_over_HTTPS_servers

and see what software might meet your needs.

Another approach is to use Cloudflare’s Zero Trust container. @normis did a YouTube on this one:
https://www.youtube.com/watch?v=BbDnBxlBTdY
But a feature of their platform is forwarding DNS via Zero Trust tunnel to cloudflare:
https://developers.cloudflare.com/cloudflare-one/policies/filtering/initial-setup/dns/
… now this adds different set of complexity on top of containers.

Re https://hub.docker.com/r/satishweb/doh-server … that one I believe creates a local DoH server, but uses standard DNS upstream to resolve. Since OP originally used RouterOS DNS’s DoT, I presume he wanted the reverse: the local Mikrotik resolve standard DNS queries, but forwards upstream via DoH for privacy. Could be wrong here…

I’ll offer that I can’t say I recommend using unbound…that seems like a lot of configuration work since you have to edit config files by hand (or build new image locally with the config file)…