DNS over HTTPS

Mikrotik 6.47 has introduced the long-awaited DoH.
But when I enter any DoH server (for example https://cloudflare-dns.com/dns-query) it gives the error:
DoH Connection Error, Idle Timeout.

Any clue?

Follow these steps exactly:

# use a plain resolver first so the router can fetch the CA bundle and sync time
/ip dns set servers=1.1.1.1,1.0.0.1
# certificate validation needs correct time (requires the NTP package)
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
# fetch and import the CA bundle so verify-doh-cert=yes can validate the server
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
# switch to DoH (1.1.1.1 is a name in Cloudflare's certificate, so no lookup is needed)
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
# drop the plain resolvers
/ip dns set servers=""

Any guide for Google DoH settings?

For Google you still need a first resolve through normal DNS, or it will not know how to reach Google's DoH. Cloudflare used a trick by putting 1.1.1.1 as an alternative name in their certificate.

Do the same, but with a different URL: https://8.8.8.8/dns-query

Uh, Google does a redirect there... So use this:

/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes

He should either turn off the certificate check or find Google's certificates.
Also, it's not correct to use a DNS name in the DNS server address.

The file you linked includes the certificates required for Google services, no?
So my commands were intended to go on top of yours.

I think it's not possible to use Google DoH without a DNS name in the URL. Or do you have a working one with an IP address?

I just added this to Use Doh Server

https://1.1.1.1/dns-query

I think it's better to use the IP only, so you do not need an extra DNS server just to resolve the DoH server.

Yes, that's true in general and for Cloudflare. But Google does not allow using https://8.8.8.8/dns-query directly. It sends a redirect in the HTTP header to https://dns.google/dns-query.

Well, checking again... It does send a redirect, but the DNS response is contained as well...

% curl -I 'https://8.8.8.8/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'
HTTP/2 301 
location: https://dns.google/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
date: Wed, 22 Apr 2020 08:29:24 GMT
expires: Thu, 23 Apr 2020 08:29:24 GMT
server: sffe
content-length: 269
x-xss-protection: 0
cache-control: public, max-age=86400
age: 6656
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000

Maybe this can be combined into a bootstrap IP. Also, adding the direct IP in the DoH setting, used only (once) to bootstrap the DoH. No need for a static entry then.

That leaves the problem of the certificate not being retrieved on its own.
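The curl command in the post above sends an RFC 8484 DoH GET request: the dns= parameter is a DNS wire-format query, base64url-encoded with the trailing '=' padding stripped. As an added example (not code from the forum thread or from MikroTik), the Python below builds that parameter from a name and record type, decodes the exact string used above back into its question, and assembles the full GET URL for the Cloudflare and Google endpoints mentioned in the thread. Function names, the record-type table and the sample names are my own; the only data taken from the thread are the query string and the endpoint URLs. It runs offline and does not contact any resolver.

```python
# Added example: encode/decode the RFC 8484 DoH GET "dns=" parameter.
# Not from the forum thread or MikroTik; helper names are assumptions.
import base64
import struct

# The exact query string from the thread's curl command (taken from the page).
THREAD_DNS_PARAM = "AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE"

# Small record-type table, enough for the demonstration (constructed here).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "TXT": 16, "AAAA": 28, "HTTPS": 65}
QTYPE_NAMES = {code: name for name, code in QTYPES.items()}
FLAG_RD = 0x0100  # header flag: recursion desired


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS labels: length byte + label, zero-terminated."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: str = "A") -> bytes:
    """Wire-format DNS query with one question (class IN).

    The transaction ID is 0, as RFC 8484 section 4.1 recommends for GET so
    that identical questions yield identical, cacheable URLs; that is why the
    thread's parameter starts with 'AAAB'."""
    header = struct.pack("!HHHHHH", 0, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    return header + question


def to_doh_param(message: bytes) -> str:
    """base64url without '=' padding, as RFC 8484 requires for dns=."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")


def from_doh_param(param: str) -> bytes:
    """Reverse of to_doh_param: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_get_url(endpoint: str, name: str, qtype: str = "A") -> str:
    """Full GET URL for an RFC 8484 endpoint such as https://8.8.8.8/dns-query."""
    return f"{endpoint}?dns={to_doh_param(build_query(name, qtype))}"


def decode_name(message: bytes, offset: int):
    """Decode labels starting at offset; a plain query uses no compression."""
    labels = []
    while True:
        length = message[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(message: bytes) -> dict:
    """Parse the 12-byte header and the first question of a wire-format message."""
    if len(message) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if qdcount != 1:
        raise ValueError(f"expected exactly one question, got {qdcount}")
    name, offset = decode_name(message, 12)
    qtype, qclass = struct.unpack("!HH", message[offset:offset + 4])
    return {
        "id": txid,
        "recursion_desired": bool(flags & FLAG_RD),
        "name": name,
        "qtype": QTYPE_NAMES.get(qtype, qtype),
        "qclass": qclass,
    }


if __name__ == "__main__":
    print("thread query decodes to:", parse_query(from_doh_param(THREAD_DNS_PARAM)))
    print("rebuilt == thread param:", to_doh_param(build_query("example.com")) == THREAD_DNS_PARAM)
    for endpoint in ("https://1.1.1.1/dns-query", "https://8.8.8.8/dns-query",
                     "https://dns.google/dns-query"):
        print(doh_get_url(endpoint, "example.com"))
```

Decoding the thread's string shows a query for example.com, type A, class IN, ID 0 with the RD flag set; rebuilding the same question reproduces the string byte for byte, which is what lets a DoH cache serve repeated GETs for the same name from one URL. Paste the URL the script prints into the same curl -I command to reproduce the redirect shown above.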

But I am unable to access the internet until I set a DNS.

Okay, after some reading my questions boil down to:
Q. Advantage of the MT router implementation over simply using Firefox?

  • it covers any browser being used?

Why not make DoH part of the default setup for routers coming from the factory?

Right now for dynamic servers I have listed, in order, 1.1.1.1, 1.0.0.1, 9.9.9.9.
Do I have to remove the third entry 9.9.9.9 (will it eff up the plan)?

There is no such entry as /IP system NTP client.
(System is a separate entry, and what it has is an SNTP client, which I use to provide time.)

Okay, so maybe I am missing an NTP package? Do I need it, or can I use the SNTP module?

Okay, so I loaded the NTP package. Do I keep the current SNTP setup (designed for time only), assuming this NTP setup is for DoH?

How could it be the default if you don’t know which service you can trust?

This is great news.
Does anyone know the URL to fetch the Google cert?

Thanks, it works, but sometimes it gives errors:
15:28:41 dns,error DoH server connection error: remote disconnected while in HTTP exchange
15:29:37 dns,error DoH server connection error: SSL: std failure: timeout (13)
15:29:42 dns,error DoH server connection error: SSL: handshake timed out (6)
15:29:42 dns,error DoH server connection error: SSL: internal error (6)
15:29:42 dns,error DoH server connection error: Idle timeout - connecting
17:52:53 dns,error DoH server connection error: Idle timeout - waiting data

I hope DoH gets better in the next release.

Can you ping the DoH server?

Yes, it can ping.
But it happens sometimes. It's just a new setup, still under monitoring.

/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

expected end of command (line 1 column 12)

Is there any solution, please, for 6.46.6?

This is not supported in 6.46.6. You have to use 6.47 for that feature.