I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.
DoH on ROS was and still is broken.
can u tell me the step to do this?
Hi Darknate,
I am interested in how you added the pi-hole to the MT Router for this functionality.
Is it on its own subnet for example.
How do you point users to pi-hole.
How do you point pi-hole to the external servers you wish to use
What firewall rules are germane to the setup for the pihole and users
What DNS rules are germane to the setup for the pihole and users.
In other words, configuring the pi-hole may be the easy part.
I tried using pi-hole once, and the family got upset real fast when it worked in broken fashion or not at all, and I couldn't afford to play at it any longer.
So I'm looking for the config snippets for all pi-hole related entries, and a schematic to show the concept of how it fits into the network.
I give the Pi a static IP via IP>DHCP>Leases.
Inside IP>DHCP>Networks, simply insert said static IP into the DNS field for that particular DHCP server/network. Clients will automatically grab it.
You don't need to manually configure IPv6 link-local. LAN devices will send and receive AAAA just fine over the IPv4 local subnet via Pi-Hole, as long as the Pi-Hole has a proper IPv6 config straight from SLAAC/RADVD from the Tik and can reach external IPv6 servers.
The end.
The rest is in the official Pi-Hole config. As stated, I use cloudflared binary+Pi-Hole which I already linked above.
So if I put the pi-hole on its own VLAN
give it a fixed IP.
I then put that IP address for each of my vlan dhcp-server-network entries?
Do I need firewall rules to allow the pi-hole anything specific on the input chain?
Do I need firewall rules to allow users from all other vlans to the pi-hole vlan in the forward chain?
If pi-hole isn't working, then how will the user get service (simply put in a second DNS entry there of 1.1.1.1, for example, assuming order is important and works)?
I haven't used VLANs, can't help you there.
Default firewall rules are enough for bridge config. The order makes no difference from my testing, not on MikroTik at least in regards to DNS IPs inside the DHCP server. The point is to ensure Pi-Hole is stable for 24/7 use.
Thanks IYARINDRA, I switched over to Google's DoH server and used your scripts.
Has someone figured out how to get a proper CRL download while using DoH?
I am still having the "DoH server connection error: SSL: handshake failed: unable to get certificate CRL" error.
Follow these steps exactly:
# plain DNS first, so the NTP hostname and the CA bundle URL can be resolved
/ip dns set servers=1.1.1.1,1.0.0.1
# correct time is required for certificate validity checks
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
# fetch and import the CA bundle used to verify the DoH server certificate
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
# switch to DoH with certificate verification, then drop the plain servers
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
Are you aware of a way to do this that doesn't import over 100 certificates?
Sorry, rephrase: I don't think that in 7b1, 7b2, 7b3 this has worked. With all of these certificates, verification won't work.
This one is enough: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
Edit: It doesn't work for me with v7 either (v6 works fine).
Right, wanted Normis to see this.
Any tutorial for cleanbrowsing? I tried all the scripts and none of them worked for me. I have no way to enable DoH.
Thank you very much in advance. Best regards.
These steps are correct. But I had an issue where I had Use Peer DNS and Use Peer NTP set. Please check that those are unchecked. Otherwise the router will use the peer (provider in my case) DNS and NTP (this influences the certificate check).
I'm constantly getting my logs flooded with "max concurrent queries". I have increased max-concurrent-queries and max-concurrent-tcp-sessions, but still get the errors. Any suggestions would be greatly appreciated.
log
10:47:56 dns,warning DoH max concurrent queries reached, ignoring query
dns settings
[admin@RB3011UiAS] > ip dns print
servers:
dynamic-servers:
use-doh-server: https://1.1.1.1/dns-query
verify-doh-cert: yes
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 250
max-concurrent-tcp-sessions: 100
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 460KiB
Decrease maximum concurrent queries. It limits, so TCP can keep up.
I'm still looking for a fix for the "doh server connection error network is unreachable" issue.
Any news? I'm on 6.47.8 stable.
I did a workaround that has worked great the last few days with 0 disconnections. I do not know if it is a coincidence, that's why I share my configuration, so you can all test it. The changes are that I changed the queries to 200, the sessions to 50, and I set the name to regexp in the static DNS entry.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=200 \
    max-concurrent-tcp-sessions=50 servers=1.1.1.1,1.0.0.1 \
    use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 regexp=cloudflare-dns
add address=104.16.249.249 regexp=cloudflare-dns
Check here after: https://1.1.1.1/help
Hey there,
I've tried to figure out what I should do to make MikroTik work with the OpenDNS DoH service.
They say we should use the following two IP addresses as DoH servers: 208.67.222.222 and 208.67.220.220.
But if we check their certificate with
echo | openssl s_client -showcerts -servername doh.familyshield.opendns.com -connect doh.opendns.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
we'll see the following subject alternative names:
X509v3 Subject Alternative Name:
DNS:doh.opendns.com, IP Address:146.112.41.2, IP Address:2620:119:FC:0:0:0:0:2, DNS:doh.familyshield.opendns.com, IP Address:146.112.41.3, IP Address:2620:119:FC:0:0:0:0:3, DNS:doh.sandbox.opendns.com, IP Address:146.112.41.4, IP Address:2620:119:FC:0:0:0:0:4, DNS:doh.umbrella.com, IP Address:146.112.41.5, IP Address:2620:119:FC:0:0:0:0:5
So I supposed that the problem with "DoH server connection error: SSL internal error" comes from the fact that they haven't added their addresses (208.67.222.222 and 208.67.220.220) to the certificate. And when I configured my MikroTik to use the following URL, https://146.112.41.2/dns-query,
everything started to work.
Am I right, or am I right?
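The SAN mismatch described in the post above, as an added example that is not from the thread, OpenDNS or MikroTik: a standard-library Python check that tests whether the host in a DoH URL is actually named in the server certificate's Subject Alternative Name list, which is the condition verify-doh-cert=yes depends on. The sample SAN data is constructed from the entries quoted above; fetch_san is a hypothetical helper for a live lookup and needs network access.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: the SAN entries quoted above for doh.opendns.com, in the
# ("DNS"/"IP Address", value) pair form that ssl.getpeercert() returns.
OPENDNS_SAN = (
    ("DNS", "doh.opendns.com"), ("IP Address", "146.112.41.2"),
    ("IP Address", "2620:119:FC:0:0:0:0:2"),
    ("DNS", "doh.familyshield.opendns.com"), ("IP Address", "146.112.41.3"),
    ("DNS", "doh.sandbox.opendns.com"), ("IP Address", "146.112.41.4"),
    ("DNS", "doh.umbrella.com"), ("IP Address", "146.112.41.5"),
)


def _dns_match(pattern, host):
    """Hostname match: exact, or a single leftmost wildcard label (*.example)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return "." in host and host.partition(".")[2] == pattern[2:]
    return False


def san_covers_url(san, doh_url):
    """True if the host part of doh_url is covered by a DNS or IP Address SAN.

    An IP literal in the URL must appear as an IP Address entry; a hostname
    must match a DNS entry. A bare URL that only carries an unlisted IP (such
    as the 208.67.x.x resolvers) fails here exactly as the router's check does.
    """
    host = urlsplit(doh_url).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(k == "DNS" and _dns_match(v, host) for k, v in san)
    # ipaddress equality normalises forms like 2620:119:FC:0:0:0:0:2 vs 2620:119:fc::2
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)


def fetch_san(host, port=443, server_name=None):
    """Hypothetical helper (assumption): read the live SAN list of a server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we only want to read the certificate here
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert().get("subjectAltName", ())
```

Running san_covers_url against the two OpenDNS URLs from the post returns False for https://208.67.222.222/dns-query and True for https://146.112.41.2/dns-query; for a live check, pass fetch_san("doh.opendns.com") as the san argument.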
Certificate import not supporting ...
cannot find host name ...
It's errors all over.