Problem with DoH

Hello, I don’t know if this should be in Beginner Basics or General, but one thing for sure is that I’m new to networking in general, so bear with me (the model I have is hAP ac^2 with default configuration, updated to v6.47.2).

So, I’m trying to get DoH working to avoid my ISP manipulating my DNS requests, but even after doing what normis said here http://forum.mikrotik.com/t/dns-over-https/138774/1
I keep getting filtered/redirected to the ISP’s website full of ads. It’s as if my DNS requests have been looked at and modified, yet they managed to bypass the DoH cert verification.. (the website I’m trying to connect to is https)

I’ve tried to delete all certificates and import the certificate again,
I’ve tried to create a firewall NAT rule using something called dstnat, in case the ISP is intercepting port 53 UDP to a port other than 53, to OpenDNS port 443 (this is not something I found on the MikroTik forum, so I’m not sure if this even works),
and I also tried flushing the DNS cache both in RouterOS and Windows every time I change something in RouterOS, but to no avail..

I’m very confused right now, how can this happen? Isn’t the point of DNS-over-HTTPS to make sure there’s no man-in-the-middle? I tried to look at Torch but I have no idea what’s going on there, even after I look only at the IP that is currently used by my computer. I need pointers on how to identify the problem with DoH (I don’t know how to check if DoH is actually working).

If you configured Cloudflare DoH then check here:
https://1.1.1.1/help

I know 1.1.1.1/help and ESNI Checker (both say I’m safe, but no, it’s not, the DNS wall is still there). I’m curious if there’s a way to check DoH in Winbox?

Another question, is “Flush DNS” enough to remove the DNS cache? I’m suspecting that DNS caching is the culprit.

Redo the config again like this (remove the IPv6 addresses if you don’t have IPv6 connectivity):

/ip dns
set allow-remote-requests=yes max-concurrent-queries=80 query-server-timeout=100ms query-total-timeout=5s servers=\
    1.1.1.1,8.8.8.8,2001:4860:4860::8888,2606:4700:4700::1111\
    use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=2606:4700:4700::1001 name=ipv6a.cloudflare-dns.com type=AAAA
add address=2606:4700:4700::1111 name=ipv6b.cloudflare-dns.com type=AAAA

Cloudflare refuses more than 80 or so concurrent queries for unknown reasons: http://forum.mikrotik.com/t/doh-max-concurrent-queries-reached/141097/1

Manually download the latest CA file and import it: https://curl.haxx.se/docs/caextract.html
Don’t forget to delete all existing certs and CRLs. I don’t know why, but manual import fixed connection issues for me.

And finally, flush the DNS cache in the router and your client devices. Or just reboot everything and they’ll be cleared anyway.
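For the earlier question of how to check whether DoH is actually in use, here is an added example (not from either poster and not MikroTik code) that builds an RFC 8484 wire-format DNS query, sends it over HTTPS to the cloudflare-dns.com endpoint from the config above, and decodes the answer section. The response bytes used offline below are constructed here for illustration; doh_lookup() performs a live query and needs network access.

```python
import base64
import ipaddress
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # endpoint from the config in this thread

def build_query(name, qtype=1, txid=0):
    """Encode a single-question DNS query (RFC 1035 wire format, RD bit set)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def _skip_name(msg, off):
    """Advance past a possibly compressed name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_answers(msg):
    """Return (rcode, [A/AAAA address strings]) from a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and rdlen == 16:
            addrs.append(ipaddress.IPv6Address(rdata).compressed)
    return flags & 0x0F, addrs

def doh_lookup(name, url=DOH_URL):
    """Live RFC 8484 GET: the query travels base64url-encoded in the ?dns= parameter."""
    q = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    req = urllib.request.Request(f"{url}?dns={q}", headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:   # urllib verifies the TLS cert
        if not resp.headers.get("Content-Type", "").startswith("application/dns-message"):
            raise ValueError("not a DoH response; possibly intercepted or a captive portal")
        return parse_answers(resp.read())

# Constructed sample response: NOERROR, one A record for cloudflare-dns.com (104.16.248.249,
# the address used in the static entry above), answer name given as a compression pointer.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x0ecloudflare-dns\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([104, 16, 248, 249])
)
```

If the answers returned by doh_lookup() differ from what the router hands your clients for the same name, the router is not using the DoH path (or its cache is stale).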