Hello,
I just noticed that DNS over HTTPS is no longer working on version 7.23.1 (I'm not sure if it's related to this version).
There are no errors in the logs, but the DNS traffic is being sent in plain text instead of over DoH. I tested with Cloudflare, NextDNS, and Quad9, and the behavior is the same with all three.
No flux in the terminal with this command: /log print where message~"doh"
https://one.one.one.one/help/ shows:
Using DNS over HTTPS (DoH) is on "No"
Has anyone else noticed this issue?
Thank you
No issues here, can you provide your DNS settings?
/ip/dns export
/ip dns
set allow-remote-requests=yes doh-max-concurrent-queries=1000 doh-max-server-connections=10 doh-timeout=2h46m40s servers=45.90.28.10,45.90.30.10,2a07:a8c0::,2a07:a8c1:: use-doh-server=https://dns.nextdns.io/xxxxx verify-doh-cert=yes
/ip dns static
add address=192.168.250.254 comment=defconf name=router.lan type=A
add address=192.168.2.250 name=SRV-NAS type=A
Settings seem to be okay.
What is the exact behavior? Including log line(s)?
Not sure if anything changed in the recent versions of RouterOS, but in the past if DoH set incorrectly, DNS requests would fail, and they would not be sent over plain DNS.
This is where the issue lies, as far as I can see:
use-doh-server=https://dns.nextdns.io/xxxxx verify-doh-cert=yes
The line above tells the router to use DoH instead of the servers below:
servers=45.90.28.10,45.90.30.10,2a07:a8c0::,2a07:a8c1::
This is a chicken and egg problem, where in order to resolve a domain the router first has to resolve the name of the DoH server itself.
Try adding static DNS type A and type AAAA records for dns.nextdns.io and set verify-doh-cert=no to see if it works.
If you can confirm DoH works again, set verify-doh-cert=yes. If DoH resolution breaks at this point, then you also need to solve the certificate issue.
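The bootstrap fix described above, written out as a RouterOS script (an added example, not the poster's own commands): it reads the hostname out of use-doh-server and adds one static A or AAAA record per IP in servers=, assuming, as in the export in this thread, that those IPs belong to the same provider as the DoH hostname. The comment tag doh-bootstrap is my own label.

```routeros
# Added example: pin the DoH server's hostname with static DNS records so the
# router can reach it before DoH is up (the chicken-and-egg problem above).
# Assumption: every IP in servers= is run by the same provider as the DoH
# hostname (true for the NextDNS export in this thread). The comment tag is
# arbitrary and only used to find records this script created.
:local dohUrl [/ip dns get use-doh-server]
:if ([:len $dohUrl] = 0) do={ :error "use-doh-server is not set" }

# Strip the scheme and any path: https://dns.nextdns.io/xxxxx -> dns.nextdns.io
:local start ([:find $dohUrl "//"] + 2)
:local rest [:pick $dohUrl $start [:len $dohUrl]]
:local slash [:find $rest "/"]
:if ([:typeof $slash] = "nil") do={ :set slash [:len $rest] }
:local host [:pick $rest 0 $slash]

# Replace any records this script created earlier, then add one per upstream IP.
# :toarray handles both a single server and a comma-separated list.
/ip dns static remove [find where comment="doh-bootstrap"]
:foreach ip in=[:toarray [/ip dns get servers]] do={
    :if ([:typeof $ip] = "ip") do={
        /ip dns static add name=$host address=$ip type=A comment="doh-bootstrap"
    } else={
        /ip dns static add name=$host address=$ip type=AAAA comment="doh-bootstrap"
    }
}

# Verification: the records exist, and any DoH errors (certificate, connection)
# show up in the log once the resolver tries the server.
/ip dns static print where comment="doh-bootstrap"
/log print where message~"doh"
```

With verify-doh-cert=yes the router also needs the provider's CA chain imported under /certificate; if it is missing, the log print at the end is where that failure shows up.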
After testing from the MikroTik, I can confirm that there are HTTPS (port 443) requests going to the NextDNS servers, both the source and destination look correct. Everything seems to be working properly. I was convinced that if the 1.1.1.1/help test passed, it would confirm that the DoH configuration was definitely working.
Thank you both.