Different DOH server per DHCP server

Hello everyone,

I have a setup with multiple VLANs and DHCP servers attached to them. I have already configured a DOH (DNS over HTTPS) server in the router.
I have followed the standard guide NextDNS provides and it works without a flaw:

/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem
/ip dns set servers=""
/ip dns static add name=dns.nextdns.io address=ipv4_1 type=A
/ip dns static add name=dns.nextdns.io address=ipv4_2 type=A
/ip dns static add name=dns.nextdns.io address=ipv6_1 type=AAAA
/ip dns static add name=dns.nextdns.io address=ipv6_2 type=AAAA
/ip dns set use-doh-server="https://dns.nextdns.io/xxxxxx" verify-doh-cert=yes

Now what I want to do is to setup a second DOH server that will only be used by a specific VLAN (or more than one).

I have tried to edit the DNS servers in the DHCP server menu, but when applying the URL it complains that only IP addresses are allowed (which makes sense).
I have also searched the internet but did not find any mention of the topic. Is this supported by RouterOS? If not, can you recommend any alternatives? I thought of using a custom local DNS server that will decide the server, but as I do not have much knowledge on this matter, I am not sure how to distinguish which request belongs to which VLAN.

Any kind of help is appreciated, thank you.

Well a tad confusing as I believe the MT device is capable of only handling one DOH server…

Use one CHR for each wanted separate DoH.

As I am not very familiar, can you provide a simple example or some documentation for this?

From my understanding, you want me to run multiple instances of RouterOS in another machine that will be treated as DNS managers. Each one will have its own DOH server. Then I will go to my MikroTik and for each DHCP server I will assign the DNS addresses to the specific RouterOS instance?

Thank you.

Exactly
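The arrangement agreed on above (each DHCP server hands out the address of its own resolver, and the second resolver is a separate RouterOS instance with its own DoH upstream), written out as an added example. This is not configuration from either poster; the interface names vlan10/vlan20, the subnets, the resolver address 10.99.0.53 and the second NextDNS profile id are all assumed and need to be replaced with your own values.

```routeros
# Added example, not from the thread. Two VLANs, two resolvers.
# Assumed names and addresses (change to match your setup):
#   vlan10 = 10.10.0.0/24, gateway 10.10.0.1 -> resolved by the router's own DoH (first post)
#   vlan20 = 10.20.0.0/24, gateway 10.20.0.1 -> resolved by a separate RouterOS instance
#   The separate instance (a CHR, for example) sits on its own segment at 10.99.0.53,
#   NOT inside 10.20.0.0/24: the dst-nat below only works when replies route back
#   through this router, which they do not if resolver and client share a subnet.

# DHCP hands each VLAN a different DNS server
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1 dns-server=10.10.0.1 comment="vlan10: router DoH"
add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.99.0.53 comment="vlan20: separate resolver"

# The router answers DNS queries from the LAN (its upstream is the DoH server from the first post)
/ip dns set allow-remote-requests=yes

# Devices with a hard-coded resolver still end up on the one assigned to their VLAN
/ip firewall nat
add chain=dstnat in-interface=vlan10 protocol=udp dst-port=53 action=redirect to-ports=53 comment="vlan10: plain DNS -> router"
add chain=dstnat in-interface=vlan10 protocol=tcp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface=vlan20 protocol=udp dst-port=53 action=dst-nat to-addresses=10.99.0.53 to-ports=53 comment="vlan20: plain DNS -> separate resolver"
add chain=dstnat in-interface=vlan20 protocol=tcp dst-port=53 action=dst-nat to-addresses=10.99.0.53 to-ports=53

# The router's resolver is reachable only from vlan10; everything else (WAN included) is dropped.
# Order matters: these rules must come before any general accept in the input chain.
/ip firewall filter
add chain=input in-interface=vlan10 protocol=udp dst-port=53 action=accept comment="router resolver only for vlan10"
add chain=input in-interface=vlan10 protocol=tcp dst-port=53 action=accept
add chain=input protocol=udp dst-port=53 action=drop comment="not an open resolver"
add chain=input protocol=tcp dst-port=53 action=drop

# On the separate RouterOS instance at 10.99.0.53: the same recipe as the first post,
# with its own DoH profile. ipv4_1/ipv4_2/ipv6_1/ipv6_2 and yyyyyy are placeholders.
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem
/ip dns static add name=dns.nextdns.io address=ipv4_1 type=A
/ip dns static add name=dns.nextdns.io address=ipv4_2 type=A
/ip dns static add name=dns.nextdns.io address=ipv6_1 type=AAAA
/ip dns static add name=dns.nextdns.io address=ipv6_2 type=AAAA
/ip dns set servers="" use-doh-server="https://dns.nextdns.io/yyyyyy" verify-doh-cert=yes allow-remote-requests=yes
```

The dst-nat rules are what make the split hold for clients that ignore the DHCP-supplied DNS server; without them a device with a manually configured resolver would silently leave the VLAN's profile. The input-chain drop is there because `allow-remote-requests=yes` on its own turns the router into a resolver for anyone who can reach port 53 on it.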

Rextended will also send you the latest DELL XPS computer with latest Intel and 32Mbs ram to help you with all those CHRs… what is advice without backing it up with $$$$

Okay, just asking what kind of resources are needed to run them?

A motherboard that is not too old is enough, but obviously it depends on how many users it has to serve…

You crack me up…
Son asks his father, Dad What should I look for in a wife…
Oh one that is not too old…

Hi,

Is there a possibility to add something like this for DoH?

/ip firewall nat
add action=dst-nat chain=dstnat comment="All DNS via doH (Port 853 TCP) - kids" dst-port=853 in-interface=bridge protocol=tcp src-address-list=IP_RANGE_kids to-addresses=1.1.1.1 to-ports=853
add action=dst-nat chain=dstnat comment="All DNS via doH (Port 853 udp) - kids" dst-port=853 in-interface=bridge protocol=udp src-address-list=IP_RANGE_kids to-addresses=1.1.1.1 to-ports=853

I would like to have more than one solution without VLAN for different IP ranges in my LAN. The IP 1.1.1.1 is just an example. My idea is doing this with https://nextdns.io or https://flashstart.com.

Anyone an idea?

Dear Foresthus,
it’s Francesco from FlashStart.
Since you mentioned our platform, the answer is "yes". You can redirect your DoH and DoT connections to doh.flashstart.com or dot.flashstart.com (respectively port 443 and 853). Be aware there might be a browser certificate warning somewhere.

To intercept DoH and DoT connections and force people to enable safe surf filtering, I'd suggest blocking the DoH/DoT servers at DNS level in order to automatically downgrade to normal UDP DNS. In our platform you can find the right DoH category!
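The downgrade approach Francesco describes, applied to the IP_RANGE_kids address list from Foresthus's post, as an added example; it is not configuration from either poster or from FlashStart. Two details the NAT rules above gloss over: tcp/853 is DoT rather than DoH, and DoH runs on tcp/443 alongside ordinary HTTPS, so it cannot be picked out by port. Redirecting a DoT session to a different server also does not work transparently, since the client checks the certificate against the name it was configured with (the "certificate warning" mentioned above). The example therefore redirects plain DNS, rejects DoT outright and sinkholes DoH hostnames in the router's own resolver. Assumed: the router's resolver forwards to the filtering DoH upstream (as in the first post), the kids range is a constructed value, and the two hostnames are placeholders.

```routeros
# Added example, not from the thread. Enforce the filtering resolver for the
# IP_RANGE_kids address list without VLANs: plain DNS is redirected, DoT is
# rejected and DoH hostnames are sinkholed, so clients downgrade to plain DNS.
# Assumed: the router's own resolver forwards to the filtering DoH upstream
# (as in the first post); the kids range below is a constructed example.
/ip firewall address-list
add list=IP_RANGE_kids address=192.168.88.100-192.168.88.150 comment="constructed example range"

# 1. Plain DNS from the range always lands on the router's resolver, whatever
#    server the client has configured.
/ip firewall nat
add chain=dstnat src-address-list=IP_RANGE_kids protocol=udp dst-port=53 action=redirect to-ports=53 comment="kids: plain DNS -> router resolver"
add chain=dstnat src-address-list=IP_RANGE_kids protocol=tcp dst-port=53 action=redirect to-ports=53

# 2. DoT (tcp/853) is rejected rather than redirected: a TCP reset makes clients
#    fall back to plain DNS immediately instead of after a timeout. udp/853 covers
#    DNS over QUIC. The log rule comes first so bypass attempts are visible per
#    source address (action=log continues to the next rule).
/ip firewall filter
add chain=forward src-address-list=IP_RANGE_kids protocol=tcp dst-port=853 action=log log-prefix="dot-bypass" comment="kids: record DoT attempts"
add chain=forward src-address-list=IP_RANGE_kids protocol=tcp dst-port=853 action=reject reject-with=tcp-reset comment="kids: no DoT"
add chain=forward src-address-list=IP_RANGE_kids protocol=udp dst-port=853 action=drop comment="kids: no DNS over QUIC"

# 3. DoH shares tcp/443 with normal HTTPS, so it is blocked by name instead: the
#    router's resolver (the only one the range can reach after step 1) answers
#    NXDOMAIN for DoH endpoints. Names are placeholders; fill in the resolvers you
#    want to block. RouterOS 7 static-entry syntax.
/ip dns static
add name=doh.resolver.example type=NXDOMAIN comment="placeholder DoH hostname"
add name=dot.resolver.example type=NXDOMAIN comment="placeholder DoT hostname"
```

Step 3 only catches DoH clients that look up their resolver by name; a client configured with the resolver's IP address never asks the router and is not affected, so the log output from step 2 and the resolver's query log are worth watching to see what a given device actually does. The same rules are needed under `/ipv6 firewall` if the range also has IPv6 connectivity, otherwise the policy applies to one address family only.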