Hi,
I moved on to using Pi DNS DoH servers, and I see a strange behaviour on the ROS side. Steps to replicate this:
- Import DST Root CA X3 so RouterOS can check for Let's Encrypt certificates.
- Set https://doh.centraleu.pi-dns.com/dns-query as DoH server and check ‘Verify DoH Certificate’ → everything works fine
- Set the DoH server using the IP directly, in this case https://88.198.91.187/dns-query → everything works fine.
My question is: why does the URL using the IP pass the DoH certificate verification of RouterOS? If I test using any modern browser, accessing https://88.198.91.187/dns-query, I get an invalid certificate warning. Is this a bug?
Edit: I think the cert has a subject alternative name containing the IP, so I’m wrong this time
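
The SAN check the edit refers to, as an added example that is not part of the original post and is not RouterOS code: a verifier accepts a URL with an IP literal only when the certificate carries a matching iPAddress SAN entry, and a URL with a hostname only when a dNSName entry matches. The certificate below is a constructed sample in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; its SAN values are assumed from the post, not read from the real server, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# The SAN entries are assumed for illustration, not read from the real server.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "doh.centraleu.pi-dns.com"),
        ("IP Address", "88.198.91.187"),
    )
}


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare a dNSName SAN entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def url_host_matches_san(url: str, cert: dict) -> bool:
    """Return True if the host in `url` is covered by the certificate's SAN."""
    host = urlsplit(url).hostname
    if not host:
        return False
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: only dNSName entries are candidates.
        return any(k == "DNS" and dns_name_matches(v, host) for k, v in sans)
    # IP literal: only iPAddress entries count; a dNSName that merely
    # looks like an IP must not match.
    return any(
        k == "IP Address" and ipaddress.ip_address(v.strip()) == ip
        for k, v in sans
    )


if __name__ == "__main__":
    for url in ("https://doh.centraleu.pi-dns.com/dns-query",
                "https://88.198.91.187/dns-query"):
        print(url, url_host_matches_san(url, SAMPLE_CERT))
```

To inspect a live certificate instead of the sample, pass the dictionary returned by `getpeercert()` on a verified TLS connection to `url_host_matches_san`.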