DoH Server Connection Error: "DoH server connection error: while reading - Connection reset by peer" - Help Needed

I am encountering an issue with DNS over HTTPS (DoH) on my MikroTik router. The error I receive is:


DoH server connection error: while reading - Connection reset by peer
Additionally, when checking the logs, I see repeated DNS query failures and the MikroTik returning messages like “server failure” and “dns query failure”. Below is a relevant log snippet:


2025-03-11 12:14:36 dns,packet — got query from 192.168.88.14:19902:
2025-03-11 12:14:36 dns,packet id:e94e rd:1 tc:0 aa:0 qr:0 ra:0 QUERY ‘no error’
2025-03-11 12:14:36 dns,packet question: i.ytimg.com.:AAAA:IN
2025-03-11 12:14:36 dns query from 192.168.88.14: #6746 i.ytimg.com. AAAA
2025-03-11 12:14:36 dns,packet — got query from 192.168.88.14:40107:
2025-03-11 12:14:36 dns,packet id:aa36 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY ‘no error’
2025-03-11 12:14:36 dns,packet question: i.ytimg.com.:a:IN
2025-03-11 12:14:36 dns query from 192.168.88.14: #6747 i.ytimg.com. A
2025-03-11 12:14:36 dns,error DoH server connection error: while reading - Connection reset by peer
2025-03-11 12:14:36 dns done query: #6746 dns server failure
2025-03-11 12:14:36 dns,packet — sending reply to 192.168.88.14:19902:
2025-03-11 12:14:36 dns,packet id:e94e rd:1 tc:0 aa:0 qr:1 ra:1 QUERY ‘server failure’
2025-03-11 12:14:36 dns,packet question: i.ytimg.com.:AAAA:IN
2025-03-11 12:14:36 dns,error DoH server connection error: while reading - Connection reset by peer [ignoring repeated messages]
2025-03-11 12:14:36 dns done query: #6747 dns server failure
2025-03-11 12:14:36 dns,packet — sending reply to 192.168.88.14:40107:
2025-03-11 12:14:36 dns,packet id:aa36 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY ‘server failure’
2025-03-11 12:14:36 dns,packet question: i.ytimg.com.:a:IN
2025-03-11 12:14:36 dns,packet — got query from 192.168.88.14:58985:
The issue occurs approximately every 10 minutes, and the error consistently appears when using DoH.

Configuration:

MikroTik RouterOS v7.18.1 (Stable)
Uptime: 4d11h40m42s
DNS Configuration:

/ip dns print
servers: 2aXXXXXXX::XXXX
2aXX:XXXX:54::1b:XXXX

use-doh-server: https://XXX.cloudflare-gateway.com/dns-query
verify-doh-cert: yes
allow-remote-requests: yes
Zero Trust: Using Cloudflare’s Zero Trust free DoH service.


MikroTik Info:

/system routerboard print
uptime: 4d11h40m42s
version: 7.18.1 (stable)
build-time: 2025-02-28 11:31:28
factory-software: 7.5
free-memory: 647.6MiB
total-memory: 1024.0MiB
cpu: ARM64
cpu-count: 4
cpu-frequency: 864MHz
cpu-load: 0%
free-hdd-space: 90.1MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 387745
write-sect-total: 22457471
bad-blocks: 0%
architecture-name: arm64
board-name: hAP ax²
platform: MikroTik
What I have tried:

Checking if port 443 (HTTPS) is being blocked or filtered by the firewall.
Testing with other DoH servers (Cloudflare, Google, etc.).
Certificates are OK.
Verifying DNS settings on MikroTik and confirming that DoH is configured correctly.
Question:

Has anyone encountered this issue before? Is there an additional configuration that may be blocking or causing issues with DoH connections? Any suggestions on how to resolve this problem?

Summary: Forcing DNS-over-HTTPS (DoH) to Use IPv6 on MikroTik RouterOS v7.18

Issue:

Despite configuring DoH with IPv6, the MikroTik router continued to prioritize IPv4 for DNS queries, resulting in errors when connecting to Cloudflare via IPv4.

Solution:

To enforce IPv6 for DoH and bypass IPv4 limitations, follow these steps:

Static DNS Entries for DoH Server:

Add a static DNS entry to resolve the DoH server domain (e.g., cloudflare-dns.com) exclusively to its IPv6 address:

/ip dns static add name=cloudflare-dns.com address=2606:4700:4700::1111

This ensures the router never queries external DNS for the DoH domain, forcing IPv6.

Remove Traditional DNS Servers:

Clear all IPv4 DNS servers to prevent fallback:

/ip dns set servers="" allow-remote-requests=yes

Block IPv4 for DoH via Firewall:

Temporarily drop IPv4 traffic to the DoH server’s IPv4 addresses (e.g., Cloudflare’s 1.1.1.1):

/ip firewall filter add chain=output protocol=tcp dst-address=1.1.1.1 dst-port=443 action=drop comment="Block DoH IPv4"

This closes active IPv4 connections and forces the router to use IPv6.

Flush DNS Cache:

Clear cached entries to ensure fresh IPv6 resolutions:

/ip dns cache flush

Adjust Route Priorities:

  • Check the IPv6 firewall connection list to confirm that IPv6 connections to the DNS server are actually being made.
  • Check the IPv4 firewall connection list to confirm that IPv4 connections to the DNS server are not being made.

RouterOS v7+ deprecated the prefer-ipv6 setting. Route metrics and DNS configuration are now critical for prioritizing IPv6.

If issues persist, ensure your ISP provides stable IPv6 connectivity (e.g., via PPPoE).

This approach successfully bypassed unreliable IPv4 routes while enforcing IPv6 for secure DoH traffic.
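The steps in the summary above, consolidated into one RouterOS script with the verification checks turned into a scheduled job. This is an added example, not the poster's configuration: it reuses the hostname and addresses quoted in the thread (cloudflare-dns.com, 2606:4700:4700::1111, 1.1.1.1); 1.0.0.1 is Cloudflare's other public resolver address and is not from the thread; the address-list name and the script/scheduler name "doh-ipv6-check" are placeholders of my choosing. If your use-doh-server URL points at a Zero Trust gateway hostname instead, the static entry must carry that hostname and its AAAA address, otherwise the pin has no effect.

```routeros
# Added example (not from the thread): IPv6-only DoH on RouterOS v7 plus a
# scheduled check that flags IPv4 fallback or recurring DoH read errors.
# Assumed values: cloudflare-dns.com / 2606:4700:4700::1111 / 1.1.1.1 (from the
# thread), 1.0.0.1 (Cloudflare's other public IPv4, not from the thread),
# names "doh-ipv4" and "doh-ipv6-check" (placeholders).

# 1. Pin the DoH hostname to its IPv6 address so the router never has to
#    resolve it over the failing IPv4 path. RouterOS v7 creates an AAAA
#    record automatically when the address is IPv6.
/ip dns static add name=cloudflare-dns.com address=2606:4700:4700::1111 \
    comment="DoH endpoint pinned to IPv6"

# 2. Use DoH only. An empty servers list removes the plain-DNS fallback
#    that would otherwise hide DoH failures behind working answers.
/ip dns set servers="" use-doh-server="https://cloudflare-dns.com/dns-query" \
    verify-doh-cert=yes allow-remote-requests=yes

# 3. Drop the router's own IPv4 connections to the DoH endpoint. The thread's
#    rule only covers 1.1.1.1; an address list covers every A record of the
#    hostname, so a second address cannot quietly keep the IPv4 path alive.
/ip firewall address-list add list=doh-ipv4 address=1.1.1.1 comment="from thread"
/ip firewall address-list add list=doh-ipv4 address=1.0.0.1 comment="assumed second A record"
/ip firewall filter add chain=output protocol=tcp dst-address-list=doh-ipv4 \
    dst-port=443 action=drop comment="Block DoH IPv4"

# 4. Flush cached answers so the next lookup goes out over IPv6.
/ip dns cache flush

# 5. Verification: warn when a tracked IPv4 DoH connection exists, when no
#    IPv6 DoH connection exists, or when the log buffer still contains the
#    "DoH server connection error" lines from the original report.
/system script add name=doh-ipv6-check source={
    :local v4 [/ip firewall connection find where dst-address="1.1.1.1:443"]
    :if ([:len $v4] > 0) do={ :log warning "DoH: IPv4 connection to 1.1.1.1:443 still present" }
    :local v6 [/ipv6 firewall connection find where dst-address~"2606:4700:4700::1111"]
    :if ([:len $v6] = 0) do={ :log warning "DoH: no IPv6 connection to the DoH endpoint seen" }
    :local errs [:len [/log find where message~"DoH server connection error"]]
    :if ($errs > 0) do={ :log warning ("DoH: " . $errs . " connection error(s) in log buffer") }
}
# Same 10-minute cadence as the failures reported in the first post.
/system scheduler add name=doh-ipv6-check interval=10m on-event=doh-ipv6-check
```

The drop rule sits in the output chain, so it only affects connections the router itself opens (DoH runs on the router); LAN clients that talk to 1.1.1.1:443 directly pass through the forward chain and are untouched. Run step 5's three lookups by hand first (/ipv6 firewall connection print where dst-address~"2606:4700:4700::1111", and the IPv4 equivalent) before adding the drop rule, so you know IPv6 DoH works at all and you are not left with no resolver.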