DoH DNS queries with multi WAN redundancy

RouterOS General
1

I have DoH DNS working without any issues. I have multiple WAN. For client internet connection, the failover works. So if one WAN gateway is down, the other one is being used. However, this doesn’t work for DoH queries. So the mikrotik router itself, doesn’t use the failover WAN.

This is what I have.

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WIREGUARD pref-src="" routing-table="LONDON ROUTING" scope=30 \
    suppress-hw-offload=no target-scope=11
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-table="WAN1 ROUTING" target-scope=11
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-table="WAN1 ROUTING" target-scope=11
add check-gateway=ping distance=3 gateway=208.67.222.222 routing-table="WAN1 ROUTING" target-scope=11
add check-gateway=ping distance=4 gateway=208.67.220.220 routing-table="WAN1 ROUTING" target-scope=11
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-table="WAN2 ROUTING" target-scope=11
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-table="WAN2 ROUTING" target-scope=11
add check-gateway=ping distance=3 gateway=208.67.220.220 routing-table="WAN2 ROUTING" target-scope=11
add check-gateway=ping distance=4 gateway=208.67.222.222 routing-table="WAN2 ROUTING" target-scope=11
add check-gateway=ping distance=1 gateway=208.67.222.222 routing-table="WAN3 ROUTING" target-scope=11
add check-gateway=ping distance=2 gateway=208.67.220.220 routing-table="WAN3 ROUTING" target-scope=11
add check-gateway=ping distance=3 gateway=8.8.8.8 routing-table="WAN3 ROUTING" target-scope=11
add check-gateway=ping distance=4 gateway=8.8.4.4 routing-table="WAN3 ROUTING" target-scope=11
add check-gateway=ping distance=1 gateway=208.67.220.220 routing-table="WAN4 ROUTING" target-scope=11
add check-gateway=ping distance=2 gateway=208.67.222.222 routing-table="WAN4 ROUTING" target-scope=11
add check-gateway=ping distance=3 gateway=8.8.4.4 routing-table="WAN4 ROUTING" target-scope=11
add check-gateway=ping distance=4 gateway=8.8.8.8 routing-table="WAN4 ROUTING" target-scope=11
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.10.1 scope=10
add blackhole distance=20 dst-address=8.8.4.4/32
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.20.1 scope=10
add blackhole distance=20 dst-address=8.8.8.8/32
add distance=1 dst-address=208.67.220.220/32 gateway=192.168.1.40 scope=10
add blackhole distance=20 dst-address=208.67.220.220/32
add distance=1 dst-address=208.67.222.222/32 gateway=192.168.1.30 scope=10
add blackhole distance=20 dst-address=208.67.222.222/32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.30 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=11
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.40 pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=11
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=11
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=10.97.0.0/16 gateway=WIREGUARD pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.97.2/32 gateway=WIREGUARD pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.67.0.0/16 gateway=WIREGUARD pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
2

/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys, long dhcp lease lists )

3

Well… If your using Google or Cisco OpenDNS as your DoH provider… Those will go out the canary routes in your recursive routes.