DoH in router with pihole

Thanks, Mikrotik, for this video: https://youtu.be/w4erB0VzyIE (Encrypt your DNS requests with MikroTik). I followed the steps and it works perfectly.

Now I wonder how to set up Pi-hole in between, to have DNS requests filtered by Pi-hole first and then sent by DoH to NextDNS. Please, can anyone help me set this up? What should I use? Some NAT rules? Thanks.

You can either let Pi-hole do it (https://docs.pi-hole.net/guides/dns/cloudflared/), or if you’d want to use router’s DoH, it would be possible too, but only if clients won’t be using its DNS cache (which you may or may not want, depending on how exactly your Pi-hole fits in).

To avoid sending DNS requests back and forth, it would be more logical to have your RouterOS device hand out the PiHole IP address as the DNS address via DHCP and then let PiHole do everything, filtering and DoH.

True, it’s more logical. But then clients depend on Pi-hole and if it happens to not work for any reason, nothing works for clients (at least it seems that way to them). If everything goes to the router, it can be easily and automatically (using Netwatch or a scheduled script) redirected to somewhere else if needed. So it’s not entirely bad.

That is the ideal scenario, but I cannot set up Pi-hole's custom upstream. Any custom IP does not work - DNS queries go out, but nothing loads back. I guess it is a firewall-related problem - details are here.

It is exactly how I set it up.
I set my Mk router IP in its own DHCP server, and my pi-hole machine IP in the MK’s DNS setting. If my pihole machine goes down, the DNS IPs switch to 1.1.1.1 and 1.1.1.2. Of course a scheduler script checks regularly if pihole is up and running. The DoH stuff is managed by pihole itself.
Moreover, I set two NAT rules for dns query redirection.
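
One way to build the setup described in the last post, as an added example that is not the poster's own configuration. The Pi-hole address 192.0.2.53, the interface name `bridge`, the script and variable names, and the choice of one redirect rule per transport are assumptions.

```routeros
# Added example. Placeholder values: 192.0.2.53 is the Pi-hole host and
# "bridge" is the LAN interface; neither comes from the thread.

# Health check run by the scheduler. It queries Pi-hole directly, so a host
# that still answers ping but no longer answers DNS is also caught.
/system script add name=dns-failover source={
    :global dnsUpstream
    :local pihole "192.0.2.53"
    :local up true
    :do {
        :resolve domain-name="example.com" server=$pihole
    } on-error={ :set up false }

    # Only touch the configuration when the state actually changes.
    :if (($up = true) && ($dnsUpstream != "pihole")) do={
        /ip dns set servers=$pihole
        /ip dns cache flush
        :set dnsUpstream "pihole"
        :log info "dns-failover: Pi-hole answering, upstream restored"
    }
    :if (($up = false) && ($dnsUpstream != "fallback")) do={
        /ip dns set servers=1.1.1.1,1.1.1.2
        /ip dns cache flush
        :set dnsUpstream "fallback"
        :log warning "dns-failover: Pi-hole not answering, using 1.1.1.1/1.1.1.2"
    }
}
/system scheduler add name=dns-failover interval=1m on-event=dns-failover

# Send LAN clients that use a hard-coded resolver to the router's DNS anyway,
# one rule per transport. Pi-hole itself is excluded so its own traffic is
# never looped back to the router.
/ip firewall nat add chain=dstnat in-interface=bridge src-address=!192.0.2.53 \
    protocol=udp dst-port=53 action=redirect to-ports=53 comment="force DNS via router"
/ip firewall nat add chain=dstnat in-interface=bridge src-address=!192.0.2.53 \
    protocol=tcp dst-port=53 action=redirect to-ports=53 comment="force DNS via router"
```

While the fallback is active, clients get unfiltered answers and the router's upstream queries to 1.1.1.1 and 1.1.1.2 leave as plain DNS, so the warning log line is worth alerting on.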