DOH high priority than regular dns

VaMpIrEKiNg · April 17, 2023, 3:01am

when regular dns and doh dns are both set, the first responder is DoH DNS, How to change it priority?

normis · April 17, 2023, 5:11am

You can’t change that. If DoH is configured, regular DNS settings are ignored.

eworm · April 17, 2023, 6:10am

Which is fine that way.
Really annoying is the fact that FWD entries for specific forwarding are ineffective as soon as DoH is enabled. Any chance to change that?

VaMpIrEKiNg · April 19, 2023, 6:32am

In other words, doh cannot be used as a backup dns server(second dns server)?

eworm · April 19, 2023, 6:46am

No.

zBear · July 21, 2024, 12:31pm

I have a similar question but a little bit different.
If DoH is configured and a regular DNS is also set, in case the DoH becomes unresponsive or the certificate expires, will the regular DNS be used by ROS as a backup?

Was reading some setup recommendations in this topic but I’m not sure that ROS is even working this way

Sidewalker · September 9, 2024, 10:52am

you have no DNS at all. In the current RouterOS, DoH even doesn’t not have to become responsive.
(And for the case when your DoH service address is in the domain-name form, regular non-DoH DNS entries are used until RouterOS has resolved DoH DNS server’s name into IP [at some regular DNS you’ve manually set up {static or dynamic} for the DNS settings, like your ISP’s one or your DoH service provider’s regular one]).
Kindly see the Help page updated with a Tip.

Highly likely the answer is the same. You’ll be locked out of DNS service, and so will be your router’s clients. (But it would be nice of MikroTik to clarify officially instead of this speculation).

(By the way, don’t even think of reflecting on cases where ISP requires PPPoE/PPTP/L2TP-client and provides the PPP server name in the domain form, you don’t want to become disappointed that those customers are deprived of MikroTik’s DoH feature. Hopefully this will be addressed in a future RouterOS release, like by checking for DoH server connection establishment before switching to it. And maybe implementing the option [ ] Allow fallback to unsecure DNS if can’t resolve throught DoH by any reason.).

jdub88 · September 10, 2024, 8:09am

Would love to see a bit more flexibility with DoH in a future release.

Being able to specify more than 1 endpoint
Being able to have a DoH per VLAN/subnet

michalama · September 11, 2024, 2:52pm

you could not change this

Sidewalker · October 29, 2024, 12:32pm

A crutch for that case until MikroTik fixes DoH:

System – Scheduler – add

Name: OnEveryRebootDuckTapeDohForPPP
Start-time: startup
Policy: read, write, sensitive
On Event:

:delay 60s;
:if ([ /interface l2tp-client get [find connect-to~"Providers.L2TPdomain"] running] = false) do={
:log info "DoH Delay Script entered Do"
/ip dns static remove [find name~"Providers.L2TPdomain"];
/ip dns set servers=XXX.XXX.XXX.XXX,YYY.YYY.YYY.YYY use-doh-server="" verify-doh-cert=no;
:do { /ip dns static add address=[:resolve Providers.L2TPdomain] name=Providers.L2TPdomain } on-error={ :log error "Resolver in my script failed"};
:while ([ /interface l2tp-client get [find connect-to~"Providers.L2TPdomain"] running] = false) do={ :delay 1s };
/ip dns set servers=DOH.DOH.DOH.DOH,DOH.DOH.DOH.DOH use-doh-server=https://doh.doh.doh/doh verify-doh-cert=yes;}
:log info "DoH Delay Script Ended"