I’m using RouterOS v7.8 on a RB750Gr3 revision r4.
I have a DNS setup where I use a static mapping of some of my network components with A records, and also the following FWD one so that I can resolve the container addresses on LXD. The LXD host is 10.246.119.1.
Regexp / Type / Value
.*\.lxd$ FWD 10.246.119.1
So, if I ask the Mikrotik router for test.lxd, I get the correct DNS answer of 10.246.119.whatever.
This setup works correctly until I enable DNS over HTTPS. It seems that enabling it does not honor the static FWD entries. It works though with A entries with regular expressions, but it ignores FWD entries. I cannot tell if it’s trying to perform a DoH request to the LXD host.
Is that an undesired effect, or is it expected and following the protocol? Is there a solution, besides disabling DoH?
What I mean is that if you use a DoH server, which by itself is designed to make only secure requests,
it is normal that the request can not be delegated/forwarded to another general server.
The DoH is not born to get circumvented on this way, if something is doed about delegate to unsecurred standard dns server, probably this go out of the specs.
I can easily see the case that someone deploys a network with a DoH resolver by default and wants to forward requests to an Active Directory domain to the AD/SMB server. Or, like in my case, to have a host of containers with its own private network and a resolver for the container addresses so that any computer on the LAN can get its address from.
DoH is working from the router to the DoH server, but in the LAN the requests are done by plain DNS port 53 to the router. So, all hosts in the network are by default subject to MitM attacks from another computer in the network, even if configuring DoH on the router. The only way that a client would be secured in the LAN is if it configures its own DoH resolver manually, as there is not any DHCP option to send the client leases with DoH options (AFAIK).
I would love this FWD feature to work, as I just do not want third eyes eavesdropping my traffic at ISP level. And it would also be very nice if we could set a specific DoH resolver to a DHCP network, so we can have different DoH resolvers depending on the client VLAN. I’m thinking about the three dns0.eu resolvers, so I could use the most restrictive one to the guest network.
DoH was designed to avoid any instances of interference, so talking about DoH being provided via DHCP makes absolutely no sense.
The DoH must be specified in the application, not at the NIC/driver/OS level, otherwise DHCP (or an attack) could deliver a corrupt DoH server, etc.
Regarding the forward, if you tell the routerboard to use a secure server, only itself or a certified server can give answers.
Delegating these responses to something else (especially without a certificate issued by trusted authorities, and not “self-signed”) makes no sense.
I'm not following this all-or-nothing logic. I want to use a public DoH for almost everything, but my local DNS for specific (regexp-matched), local domains.
I hope Mikrotik will revisit this idea. After all they do say "Currently, DoH is not compatible with FWD-type static entries..."
It has been that way since DoH and FWD (one of them was just one release ahead iirc) were introduced. I noticed this a lot of times in release threads and other topics. Not sure I had an issue about it. Nothing has changed since then.
I fully agree that DoH should have been implemented as “just another external resolver” that you can combine with normal resolvers, static records, FWD etc.
The RouterOS DNS resolver would get the query, and first look it up in local cache, local records, forward when indicated, and only when it needs to consult an external resolver it would see the DoH config and use that.
But it has not been implemented like that.
And of course, when you really need to use DoH or DoT it should be done from the APPLICATION needing DNS (e.g. the browser), not some service in either the client computer or the router. That mostly makes it useless.
And of course, DoH and DoT are not compatible with split DNS. When you still have local DNS services that serve your own local space you will be slowly getting more and more trouble in the changing world of internet, cloud applications, etc.
DoH is just used between mikrotik and Internet, not everywhere.
So I don’t see any logical answer why it can’t be combined with FWD unless it’s internal architecture limitation.
It would be nice to have answer from Mikrotik will this be fixed in the future.
I do not get your argumentation, rextended. What we want is split horizon for DNS, with DoH from upstream. This is not a problem if the delegated name server is in local (trusted) network or available via VPN. So why deny this configuration?
RouterOS is about flexibility. A lot of things can be configured wrong or bad or insecure or whatever. But it is up to the system/network administrator, and things can be still valid and usable when done right.
I just wanted to chime in and say that I just discovered this is why I couldn’t resolve DNS across VPN tunnels. Is there a feature request to enable local/regexp DNS when DoH is enabled?
Update: I submitted a feature request for this last week and today Mikrotik replied that if enough people asked for it they would investigate including it in a future release. So everyone please submit a feature request!
