Advance notice: It is highly likely that Quad9 will drop support for DNS over HTTP (DoH) using the HTTP 1.1 protocol in Q1 2026.
We're moving in this direction because later versions of software used by Quad9 no longer support HTTP 1.1.
We will continue to support DoH via HTTP 1.2 and 1.3.
As well as providing ongoing bug fixes and security updates, this upgrade will allow us to explore support for DNS over QUIC (DoQ).
We're sharing with this important community because we understand that some versions of MikroTik software only support HTTP 1.1.
We have a particular concern for the Brazilian market, where an order of magnitude more encrypted queries to our servers use HTTP 1.1 than in other localities. An internal working hypothesis is that this is due to the prevalence of Customer Premises Equipment (CPE) running MikroTik's RouterOS in Brazil. If anyone can expand on this hypothesis or point to some other cause, we'd love to hear from you.
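A way to see for yourself which HTTP version a DoH endpoint accepts, written as an added example for this thread (it is not Quad9's or MikroTik's code): it builds the RFC 8484 GET form of a DNS query and asks curl to talk to the resolver once over HTTP/1.1 and once over HTTP/2, so the two can be compared before and after the announced change. The endpoint URL https://dns.quad9.net/dns-query and the curl flags used are assumptions of the example; the announcement itself does not name them.

```shell
#!/bin/sh
# Added example for this thread, not Quad9 or MikroTik code.
# Builds an RFC 8484 DoH GET request for an A record and probes the
# resolver once with HTTP/1.1 and once with HTTP/2 so the results can
# be compared. Assumed endpoint (not named in the thread):
DOH_URL="${DOH_URL:-https://dns.quad9.net/dns-query}"

# doh_wire_query NAME: write a DNS query message (RFC 1035 wire format)
# for NAME, type A, class IN, to stdout. ID is 0 and only RD is set,
# as RFC 8484 recommends for GET so the URL stays cache-friendly.
# The body runs in a subshell so IFS and set -f do not leak out.
doh_wire_query() (
  # Header: ID=0, flags=0x0100 (RD), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
  printf '\000\000\001\000\000\001\000\000\000\000\000\000'
  IFS=.
  set -f                          # no globbing while splitting on dots
  for label in $1; do
    [ -n "$label" ] || continue   # tolerate a trailing dot in NAME
    # one length byte (emitted as an octal escape) then the label text
    printf "$(printf '\\%03o' "${#label}")"
    printf '%s' "$label"
  done
  # root label terminator, QTYPE=A (1), QCLASS=IN (1)
  printf '\000\000\001\000\001'
)

# doh_query_param NAME: the wire query as base64url without padding,
# i.e. the value that goes into the ?dns= parameter of a DoH GET.
doh_query_param() {
  doh_wire_query "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# doh_probe VERSION_FLAG NAME: issue the GET with a fixed HTTP version
# and print "<negotiated version> <status>", e.g. "1.1 200" or "2 200".
doh_probe() {
  curl -sS -o /dev/null -w '%{http_version} %{http_code}\n' "$1" \
    -H 'accept: application/dns-message' \
    "${DOH_URL}?dns=$(doh_query_param "$2")"
}

# Usage: sh doh_probe.sh www.example.com
if [ "$#" -gt 0 ]; then
  for flag in --http1.1 --http2; do
    printf '%-10s ' "$flag"
    doh_probe "$flag" "$1"
  done
fi
```

Run as `sh doh_probe.sh www.example.com`; while HTTP 1.1 is still accepted both lines end in 200. After the change announced above, the `--http1.1` line is the one expected to stop returning 200, and a router that can only speak HTTP/1.1 will fail in the same way. curl selects the version through TLS ALPN, so `--http2` only works when curl was built with HTTP/2 support (`curl --version` lists it under Features); a `--http3` probe can be added in the same loop on builds that support it.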
I get errors in the logs when using Quad9 as the DoH server, which I assumed was due to this change. I'm not in front of the router to share the exact message right now.
It’s also noted in the documentation about Quad9:
I would like MikroTik to add HTTP/2 request support in a future RouterOS version.
As for the Brazilian issue I hope you get to the bottom of that soon.
Quad9 still supports HTTP 1.1 at this time, so whatever error you’re seeing, it’s not directly attributable to the subject of this post.
We do have support available at https://quad9.net/support/contact/. You could try asking there about the errors you're seeing, although as a small not-for-profit we do what we can, but we are significantly resource constrained.
Ah, that would point to another issue then. Thank you for offering up support. I’ll have a look into it in my next tinkering session and get in touch if I need assistance.
Unfortunately RouterOS has no built-in "automatic upgrades" mechanism, so when CPE are deployed to typical customers and the provider has not pre-configured them with a scheduled upgrade script, they will remain on the initial software forever. Even if MikroTik were to add HTTP 1.2 to RouterOS, or maybe they have already done so, there is very little chance that such an upgrade will ever reach those customers.
That became very clear when a vulnerability was found and exploited that had been fixed quite some time before.
But he is not mentioning HTTP/2, instead he mentions HTTP 1.2 and 1.3.
I do not use DoH, but does anyone know if the current stable release already supports HTTP 1.2?
I seem to remember that there was a change log entry for that.
Already tried that approach, but sadly got no response to the issue.
Cloudflare is stable here but not Quad9; the timeout seems very short, or the connection gets broken.
We have communicated this to MikroTik on their support forum (Quad9 to drop support for HTTP 1.1 - #4 by Sc0tty), but there has not yet been an announcement by MikroTik as to when they will update their software to this more recent standard.
Another example: people seem to think the official way to contact MikroTik is the forum. I don't know why this is. There is a "support" category on mikrotik.com that explains very accurately how to get in contact with MikroTik. Posting to the community forum is not it.
Note that a feature request often gets “closed with resolution done” without the requested feature being implemented… I have had that several times: I made 8 feature requests so far and 7 have been closed, one is still “waiting for support” (created 2 months ago). Out of all of them, only one was implemented:
/ip settings set icmp-errors-use-inbound-interface-address=yes
Others, including popular requests like “implement IPsec VTI”, “improve /system logging” were closed without any real change even though there was a reply they were being considered.
The strange thing here is I don’t see many people asking for the feature. Most of the threads I look at are either saying make a container or some other workaround. That isn’t a proper solution, is it? More than likely to appease people with garbage old kit, as normal. “I have a thousand of these, how am I going to cope?” Makes yer teeth ache!
Well, I don’t even use DNS over TLS. Why would I? It is a niche function. Some people have enabled it “because it is there”, but without any real use for it.
I would rather prefer that MikroTik implemented DNSSEC validation in the resolver; that would be kind of useful. Or IPsec VTI: I have seen many many many more requests for that than for DNS over HTTP/2, yet it hasn’t been implemented.
Still, best of course would be if MikroTik ditched their resolver and used something like unbound, which already has those features.