I have recently been experiencing an odd and intermittent issue that I believe I've traced to the "Verify DOH Certificate" and CRL options in /ip/dns. I use my RB5009 as the local DNS server. It is configured to use NextDNS over HTTPS.
In Chrome I will sporadically get the error of DNS_PROBE_FINISHED_BAD_CONFIG. On the Windows command line I'll get a "server rejected query". This only happens for some domains, and I haven't been able to determine if there's a pattern. One domain it consistently happens with is united.com.
I use the built-in certificate store, which includes the UserTrust ECC root that NextDNS uses. But if I uncheck the "Verify DOH Certificate" option in WinBox, everything starts resolving normally again. Or if I disable the CRL checking, everything works again.
To clarify, when the certificate verification is enabled, most domains and DNS lookups still work fine. It's just some random ones that don't. Running ROS 7.19.3.