doh server connect error network is unreachable

Emeran · July 23, 2020, 4:54pm

I tried to add a doh server and i found this error

DoH server connection error: network is unreachable

normis · July 24, 2020, 7:31am

You must use a DOH server that the router can reach
Ping from the router, see if the DOH address is available, or if the router actually has internet.

Emeran · July 24, 2020, 8:12am

The router has internet so i can ping 8.8.8.8 and different dns but this doh when i ping https://cloudflare-dns.com/dns-query says " error ping to -ip address expected "

normis · July 24, 2020, 8:15am

post full dns config please

eworm · July 24, 2020, 3:06pm

You should ping the host cloudflare-dns.com, not the url.

Emeran · July 25, 2020, 12:42pm

/ip dns
set allow-remote-requests=yes cache-size=8128KiB max-udp-packet-size=350
use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static
add address=8.8.8.8 name=dns.google type=A
add address=8.8.4.4 name=dns.google type=A

and i did ping dns.google and it’s working

shafiqrahman · August 16, 2020, 11:46am

I have the same problem, specially after a power failure or a reboot. Sometimes its even preventing pppoe connection. My isp provides internet through pppoe. But, if I disbale to regular dns it starts working.

/ip dns
set allow-remote-requests=yes cache-max-ttl=2d use-doh-server=\
    https://dns.google/dns-query verify-doh-cert=yes
/ip dns static
add address=xxx.xxx.xx.x name=router.lan type=A
add address=8.8.8.8 name=dns.google type=A
add address=8.8.4.4 name=dns.google type=A

DarkNate · August 19, 2020, 2:09pm

I found a solution for the “doh server connect error network is unreachable” problem. I tested with both Google and Cloudflare DoH for over a month and this works well even with unstable PPPoE links.

Note 1: I have both IPv4 and IPv6 from my ISP1, so just remove the AAAA entry and IPv6 servers if you don’t have IPv6 connectivity.
Note 2: Theoretically, ROS is supposed to use the regular servers as the fallback if the DoH fails, but that never happens, you can use invalid DoH URL to test this, and ROS will never use the regular DNS servers as fallback.

Below is the solution

/ip dns
set allow-remote-requests=yes query-server-timeout=100ms query-total-timeout=5s
servers=8.8.8.8,1.1.1.1,2001:4860:4860::8888,2606:4700:4700::1111
use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=2606:4700:4700::1001 name=ipv6a.cloudflare-dns.com type=AAAA
add address=2606:4700:4700::1111 name=ipv6b.cloudflare-dns.com type=AAAA

This is for recursive routing failover. This will help ROS know if a link is truly dead or not.
Simply remove the second gateway and ISP2 marking add route if you have only a single ISP.

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_ISP2 check-gateway=ping

add dst-address=104.16.248.249 gateway=pppoe-out1 scope=10
add dst-address=8.8.8.8 gateway=pppoe-out2 scope=10

add distance=1 gateway=104.16.248.249 routing-mark=to_ISP1 check-gateway=ping
add distance=2 gateway=8.8.8.8 routing-mark=to_ISP1 check-gateway=ping

add distance=1 gateway=8.8.8.8 routing-mark=to_ISP2 check-gateway=ping
add distance=2 gateway=104.16.248.249 routing-mark=to_ISP2 check-gateway=ping
###Don't forget to add regular default routes to each ISP###

However, these errors still show up when my ISP1 dies and ROS tries to switch over to ISP2. But the somehow, despite the errors, I could still surf the web etc without any problems through ISP2 with failover.

patrickmkt · August 30, 2020, 3:27pm

It would be nice to have the following backup when “DoH server connection error” is encountered:

secondary DoH server entry
revert to regular DNS server

The major internet outage this morning had my connection failed on cloudflare DoH. When I manually changed it to google DoH I got connectivity back. Same without DoH on my ISP DNS.

shafiqrahman · September 21, 2020, 7:23pm

@DarkNate , sorry for replying late, how do I find those expanded ip’s which are near me (lowest ping). For single isp with google server is the below example work?

/ip dns
set allow-remote-requests=yes query-server-timeout=100ms query-total-timeout=5s
servers=8.8.8.8,8.8.4.4,2001:4860:4860::8888,????:????:????::8844
use-doh-server=https://dns.google/dns-query verify-doh-cert=yes

/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A


/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=8.8.8.8 gateway=pppoe-out1 scope=10
add distance=1 gateway=8.8.8.8 routing-mark=to_ISP1 check-gateway=ping
add distance=2 gateway=8.8.4.4 routing-mark=to_ISP1 check-gateway=ping