At this very moment my hAP ac³ running DoH cannot resolve ssl.gstatic.com while being able to resolve everything else I’ve tried. I noticed this because a few hours after enabling DoH my Gmail web interface told me I am offline. It is my 3rd time encountering this issue with this specific host name (ssl.gstatic.com) and I believe it is a bug, as weird as it is.
nslookup
> google.com
Server: 10.xx.yy.1
Address: 10.xx.yy.1#53
Non-authoritative answer:
Name: google.com
Address: 142.250.187.110
> ssl.gstatic.com
;; connection timed out; no servers could be reached
> mail.com
Server: 10.xx.yy.1
Address: 10.xx.yy.1#53
Non-authoritative answer:
Name: mail.com
Address: 82.165.229.87
Before today I was using a hAP ac² running v6.47.9. When I tested DoH a few months ago I experienced the same issue twice, but I thought it was the router, the ROS version or my setup. Today I configured everything fresh. I know that if I stop DoH and enable it again it will resolve the issue. Flushing the DNS cache won’t help.
Here is my setup:
/ip dns static
add address=1.1.1.2 disabled=no name=security.cloudflare-dns.com
add address=1.0.0.2 disabled=no name=security.cloudflare-dns.com
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server=https://security.cloudflare-dns.com/dns-query verify-doh-cert=yes
There are no other DNS servers defined, and the necessary certificates are imported. I’ve exported 160 certificates from macOS Catalina and imported them all.
I have 10 devices in the network and at least 5 of them are using Google services. I noticed this issue because I was not able to load my Gmail properly and I was not able to log in to any Google services. A few months ago I had the same issue (http://forum.mikrotik.com/t/dns-server-not-returning-specific-a-record-may-be-dns-doh-bug/148058/1) with the same host name (ssl.gstatic.com). Back then it took me more than 3 hours to find out what the problem was.
I am not sure if there are other host names being somehow “stuck”. I was only able to notice the problem with ssl.gstatic.com.
Can someone give any ideas?
Update:
What is even more confusing is that opening a terminal on the router via WinBox and executing a ping to ssl.gstatic.com works. After flushing the DNS cache and pinging ssl.gstatic.com again, its A record appears in the DNS cache again. So it turns out that only the DNS clients in the network are not being replied to.
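Since the router's own resolver answers while LAN clients get no reply, the check that actually reproduces the symptom has to run from a client. The following is an added example (not from the original post or from MikroTik) that sends raw A queries to the router's DNS service with the Python standard library and reports names that time out while other names from the same server resolve; the server address and the list of names passed to check_names are assumptions you fill in.

```python
import random, socket, struct

def build_query(name, qtype=1):
    # Minimal recursion-desired query: 12-byte header, QNAME labels, QTYPE, QCLASS IN.
    txid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def _skip_name(data, off):
    # Advance past a wire-format name; a 0xC0 compression pointer is two bytes and ends it.
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_response(txid, data):
    # Return (rcode, A-record addresses); a reply whose id does not match ours is rejected.
    rid, flags, _, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid: raise ValueError("transaction id mismatch")
    off = _skip_name(data, 12) + 4  # one question section: skip its QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, addrs

def check_names(server, names, timeout=2.0):
    # Query each name over UDP from a fresh socket and classify the outcome per name.
    results = {}
    for name in names:
        txid, query = build_query(name)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(query, (server, 53))
                rcode, addrs = parse_response(txid, sock.recvfrom(4096)[0])
                results[name] = "ok" if addrs else f"rcode={rcode}"
            except socket.timeout:
                results[name] = "timeout"
    return results

def stuck_names(results):
    # The post's symptom: some names time out while others resolve; if all time out, the resolver is down.
    timed_out = sorted(n for n, v in results.items() if v == "timeout")
    return timed_out if len(timed_out) < len(results) else []
```

Run it from a LAN host as `stuck_names(check_names("10.xx.yy.1", ["google.com", "ssl.gstatic.com", "mail.com"]))`, substituting the router's real address; with the transcript above it would return only ssl.gstatic.com.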