NextDNS DoH continuous log error messages

Hi!

I use a paid subscription of NextDNS, set up as per the official instructions of the provider.

/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem
/ip dns set servers=""
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
/ip dns set use-doh-server="https://dns.nextdns.io/xxxxxx" verify-doh-cert=yes

I have been seeing error messages in log for a while. Not sure if it’s a ROS or NextDNS issue. Anyone else having same issues?

I also have NextDNS with the same configuration. The same error messages appear in the log files. However, it happens rather rarely.

same here … comes from time to time ¯\_(ツ)_/¯

Third option: ISP issue.

Has anyone found a solution yet?

Mine has been getting slightly worse since 7.18 beta6, cloudflare though. Quad9 wasn’t usable; I’ve not tried it of late.

Could be, although I can't explain why pihole works fine with DoH either with cloudflare or quad9.

So would it be a good idea to open a ticket with Mikrotik?

Any news? Since updating to ROS 7.19.1, NextDNS notifications have been appearing more frequently. Are there any suggestions for DNS settings to improve this?

In the Logfile: DoH server connection error: Idle timeout - waiting data [ignoring repeated messages]

+1.

Since v7.19.1, it’s true that there are a lot of these messages…

This doesn’t happen with Cloudfare.

I’m testing now and hopeful. 7.20 for Quad9 was still bad, let’s see what gives here…

Using Internal Certs

# 2025-06-04 10:18:33 by RouterOS 7.21_ab53
# software id =
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=250000KiB doh-max-concurrent-queries=200 doh-max-server-connections=6 \
    max-concurrent-queries=200 max-concurrent-tcp-sessions=40 use-doh-server=https://dns.quad9.net/dns-query verify-doh-cert=yes
/ip dns adlist
add url=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pro.txt
/ip dns static
add address=192.168.0.254 comment=defconf name=router.lan type=A
add address=9.9.9.9 name=dns.quad9.net type=A
add address=149.112.112.112 name=dns.quad9.net type=A
add address=1.1.1.1 disabled=yes name=cloudflare-dns.com type=A
add address=1.0.0.1 disabled=yes name=cloudflare-dns.com type=A

Has anyone tried to trust the built in certs & also disable CRL. On ros 7.19.1, this solved my issue. I already had trusted the built in certs when upgraded to 7.19.1, but didn’t disable CRL features. That’s what did it for me. Works with google, cloudflare & nextdns. Haven’t tried others. No errors in logs.

See CGGXANNX post here: http://forum.mikrotik.com/t/doh-broken-after-update-to-7-19/183870/1

/certificate/settings/set builtin-trust-anchors=trusted
/certificate/settings/set crl-use=no crl-download=no

Edited to add dns settings

                      servers: 1.1.1.2                      
                               1.0.0.2                      
              dynamic-servers:                              
               use-doh-server: https://dns.nextdns.io/e1614f
              verify-doh-cert: yes                          
   doh-max-server-connections: 100                          
   doh-max-concurrent-queries: 100                          
                  doh-timeout: 5s                           
        allow-remote-requests: yes                          
          max-udp-packet-size: 4096                         
         query-server-timeout: 2s                           
          query-total-timeout: 10s                          
       max-concurrent-queries: 200                          
  max-concurrent-tcp-sessions: 200                          
                   cache-size: 2048KiB                      
                cache-max-ttl: 1w                           
      address-list-extra-time: 0s

I am using the built-in CA with these options and still see some errors in the log using NextDNS. Some days errors appear and some days they do not.

From the looks of your first post, you don’t have a standard DNS server set. Per Mikrotik’s documentation, you need at least one legacy DNS server set. Set it to 1.1.1.1 or something:

/ip dns set servers=1.1.1.1

Nope, no change.
I’ll take it at face value what Normis said that quad9 at least is changing over servers to HTTP/2 hence the failures

# 2025-06-04 22:03:41 by RouterOS 7.21_ab53
# software id = 
#
 2025-06-02 12:26:32 dns,error DoH server connection error: Network unreachable
 2025-06-02 12:26:32 dns,error DoH server connection error: Network unreachable [ignoring repeated messages]
 2025-06-02 12:26:32 dns,error [adlist] http client error: resolving error
 2025-06-02 16:50:10 dns,error DoH server connection error: Idle timeout - waiting data
 2025-06-02 16:50:12 dns,error DoH server connection error: Idle timeout - waiting data [ignoring repeated messages]
 2025-06-02 16:50:15 dns,error DoH server connection error: Idle timeout - connecting
 2025-06-02 16:50:17 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-06-02 16:50:28 dns,error DoH server connection error: Idle timeout - connecting
 2025-06-02 16:50:28 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-06-04 10:26:01 dns,warning DoH server response not OK: 502: no downstream server available
 2025-06-04 10:26:02 dns,warning DoH server response not OK: 502: no downstream server available [ignoring repeated messages]
 2025-06-04 11:44:40 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-06-04 18:04:36 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-06-04 18:58:49 dns,warning DoH server response not OK: 502: no downstream server available
 2025-06-04 18:58:50 dns,warning DoH server response not OK: 502: no downstream server available [ignoring repeated messages]
 2025-06-04 19:00:16 dns,warning DoH server response not OK: 502: no downstream server available
 2025-06-04 19:00:22 dns,warning DoH server response not OK: 502: no downstream server available [ignoring repeated messages]
 2025-06-04 19:12:06 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-06-04 19:51:43 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-06-04 20:11:06 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-06-04 20:27:25 dns,error DoH server connection error: remote disconnected while in HTTP exchange

If I use cloudflared with Pihole, for example, which is an HTTP/2 proxy, I don’t see any issue with any DoH connections to any provider.
Quite how Cloudflare manages to separate this compared to quad9 I am at a loss.
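To make sense of bursts like the log above, here is an added Python helper (not from the thread or from RouterOS) that parses `dns,error` / `dns,warning` lines, skips the `[ignoring repeated messages]` collapse lines, and tallies each DoH message family under a likely cause. The cause labels are my assumptions for triage, not something RouterOS reports; the sample lines are a subset copied from the post above.

```python
import re
from collections import Counter

# Sample RouterOS log lines (subset copied from the thread; constructed input for this example).
SAMPLE_LOG = """\
 2025-06-02 12:26:32 dns,error DoH server connection error: Network unreachable
 2025-06-02 12:26:32 dns,error DoH server connection error: Network unreachable [ignoring repeated messages]
 2025-06-02 16:50:10 dns,error DoH server connection error: Idle timeout - waiting data
 2025-06-02 16:50:15 dns,error DoH server connection error: Idle timeout - connecting
 2025-06-04 10:26:01 dns,warning DoH server response not OK: 502: no downstream server available
 2025-06-04 11:44:40 dns,error DoH server connection error: remote disconnected while in HTTP exchange
"""

# RouterOS log line: "<date> <time> <topic,topic> <message>[ [ignoring repeated messages]]"
LINE_RE = re.compile(
    r"^\s*(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<topics>[\w,]+) (?P<msg>.*?)(?P<repeated> \[ignoring repeated messages\])?$"
)

# Assumed triage mapping (mine, not RouterOS's): message family -> where to look first.
CAUSES = [
    ("Network unreachable", "local: no route to the DoH server (WAN or IPv6 down)"),
    ("Idle timeout - connecting", "path: TCP/TLS handshake never completed"),
    ("Idle timeout - waiting data", "upstream or path: connection open but no answer"),
    ("remote disconnected while in HTTP exchange", "upstream: server closed the connection mid-query"),
    ("502", "upstream: resolver backend unavailable"),
]

def parse_line(line):
    """Return a dict for a dns,* log line, or None for lines from other topics."""
    m = LINE_RE.match(line)
    if not m or not m["topics"].startswith("dns,"):
        return None
    msg = m["msg"]
    cause = next((c for key, c in CAUSES if key in msg), "unknown")
    return {"ts": f"{m['date']} {m['time']}", "level": m["topics"].split(",")[1],
            "msg": msg, "repeated": bool(m["repeated"]), "cause": cause}

def summarize(text):
    """Count distinct DoH problem bursts per cause; repeat-collapse lines are not counted again."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "DoH" in rec["msg"] and not rec["repeated"]:
            counts[rec["cause"]] += 1
    return counts

if __name__ == "__main__":
    for cause, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {cause}")
```

A tally dominated by "local" causes points at the router or ISP path, while "upstream" causes with a working legacy server suggest the provider side, which is the distinction the thread is trying to make.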

Just read the DoH documentation. I thought that it wasn’t necessary if static entries were set. Will try.

So installation instructions in NextDNS are missing this step?

NextDNS instructions are fine. They tell you to unset any DNS servers (`/ip dns set servers=""`) and add static DNS entries for their DNS servers. With ROS 7.19+ you can skip the certificate import step. Just make sure `/certificate/settings/set builtin-trust-anchors=trusted` is set.

So this is the adjusted version:

/certificate/settings/set builtin-trust-anchors=trusted
/ip dns set servers=""
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
/ip dns set use-doh-server="https://dns.nextdns.io/xxxxxx" verify-doh-cert=yes

Thanks! This is just what I have. Seems that MTNick’s post above is wrong then.

You shouldn’t share this: e1614f. Hope you changed your profile on NextDNS? Stay safe.