souravmaiti
just joined
Topic Author
Posts: 2
Joined: Wed Apr 22, 2020 9:06 am

DNS over HTTPS

Wed Apr 22, 2020 9:10 am

MikroTik 6.47 has introduced the long-awaited DoH.
But when I put in any DoH server (for example https://cloudflare-dns.com/dns-query ) it gives the error
DoH Connection Error, Idle Timeout.

Any clue?
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Apr 22, 2020 9:25 am

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
No answer to your question? How to write posts
 
souravmaiti
just joined
Topic Author
Posts: 2
Joined: Wed Apr 22, 2020 9:06 am

Re: DNS over HTTPS

Wed Apr 22, 2020 11:21 am

Any guide for Google DoH settings?
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Wed Apr 22, 2020 11:24 am

For Google you still need a first resolve through a normal DNS or it will not know how to reach the DoH of Google. Cloudflare used a trick by putting 1.1.1.1 as an alternative name in their certificate.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.48beta58 / Winbox 3.27 64bits / MikroTik APP 1.3.15
 
eworm
Forum Veteran
Posts: 724
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 11:26 am

Do the same, but with different url: https://8.8.8.8/dns-query
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
eworm
Forum Veteran
Posts: 724
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 11:32 am

Uh, google does a redirect there... So use this:
/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Apr 22, 2020 11:45 am

He should either turn off the certificate check or find Google's certificates.
Also, it's not correct to use a DNS name in the DNS server address.
 
eworm
Forum Veteran
Posts: 724
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 11:57 am

The file you linked includes the certificates required for Google services, no?
So my commands were intended on top of yours.

I think it's not possible to use Google DoH without a DNS name in the URL. Or do you have a working one with an IP address?
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Wed Apr 22, 2020 12:20 pm

I just added this to Use DoH Server:
https://1.1.1.1/dns-query
I think it's better to use the IP only, so you do not need an extra DNS server just to resolve the DoH server.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
eworm
Forum Veteran
Posts: 724
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 1:21 pm

Yes, that's true in general and for Cloudflare. But Google does not allow using https://8.8.8.8/dns-query directly. It sends a redirect in the HTTP header to https://dns.google/dns-query.

Well, checking again... It does send a redirect, but the dns response is contained as well...
% curl -I 'https://8.8.8.8/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'
HTTP/2 301 
location: https://dns.google/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
date: Wed, 22 Apr 2020 08:29:24 GMT
expires: Thu, 23 Apr 2020 08:29:24 GMT
server: sffe
content-length: 269
x-xss-protection: 0
cache-control: public, max-age=86400
age: 6656
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
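The `dns=` parameter in the curl request above carries an RFC 8484 wire-format DNS query, base64url-encoded without padding. The Python below is an added example, not code from the thread or from RouterOS: it rebuilds that exact parameter for an A query for example.com, decodes it back, and parses a wire-format answer the way a DoH client must. SAMPLE_RESPONSE is a constructed reply (using the 192.0.2.1 documentation address), not a captured Google packet.

```python
"""
RFC 8484 DoH GET parameter: build the wire-format query, base64url-encode it
without padding, decode it back, and parse a wire-format answer.  Added
example for this thread, not code from the thread or from RouterOS.
SAMPLE_RESPONSE is a constructed reply with the 192.0.2.1 documentation
address, not a captured packet.
"""
import base64
import struct


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0):
    # Header: ID, flags (only RD set), QDCOUNT=1, AN/NS/ARCOUNT=0.
    # RFC 8484 recommends ID 0 so identical questions are cache-friendly,
    # which is why the parameter on this page starts with "AAAB".
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def b64url(data):
    """base64url without '=' padding, as the dns= parameter requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def doh_get_url(base, qname, qtype=1):
    return f"{base}?dns={b64url(build_query(qname, qtype))}"


def decode_dns_param(param):
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it).
    Pointer hops are capped so a crafted reply cannot loop forever."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:              # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata), ...]) for a wire-format reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                    # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:      # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0xF, answers


# Constructed reply: flags QR|RD|RA, one question, one A answer whose owner
# name is a compression pointer back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("https://8.8.8.8/dns-query", "example.com"))
    print(parse_response(SAMPLE_RESPONSE))
```

Running it prints the same URL eworm queried with curl. The redirect Google sends is an HTTP-level detail; the DNS payload itself is identical whether you ask 8.8.8.8 or dns.google, which is why a client that follows the 301 still gets a valid answer.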
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Wed Apr 22, 2020 1:57 pm

Uh, google does a redirect there... So use this:
/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
Maybe this can be combined to a bootstrap IP. Also adding the direct IP in the DOH setting used only (once) to bootstrap the DoH. No need for static then.

That leaves the problem of the certificate not being retrieved on its own.
 
sohel07
just joined
Posts: 14
Joined: Sun Oct 20, 2019 11:26 pm

Re: DNS over HTTPS

Sat May 23, 2020 7:09 pm

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
But I am unable to access the internet until I set a DNS.
 
anav
Forum Guru
Posts: 5766
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Sat May 23, 2020 7:22 pm

Okay, after some reading my questions boil down to:
Q. Advantage of the MT router implementation over simply using Firefox?
- it covers any browser being used?

Why not make DoH part of the default setup for routers coming from the factory??

Right now for dynamic servers I have listed in order 1.1.1.1, 1.0.0.1, 9.9.9.9
Do I have to remove the third entry 9.9.9.9 (will it eff up the plan)?

There is no such entry as /IP system NTP client.
(System is a separate entry and what it has is an SNTP client which I use to provide time.)

Okay, so maybe I am missing an NTP package? Do I need it or can I use the SNTP module??

Okay, so I loaded the NTP package. Do I keep the current SNTP setup (designed for time only), assuming this NTP setup is for DoH??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
vortex
Forum Guru
Posts: 1097
Joined: Sat Feb 16, 2013 6:10 pm

Re: DNS over HTTPS

Sat May 23, 2020 8:09 pm

How could it be the default if you don't know which service you can trust?
 
dave864
newbie
Posts: 48
Joined: Fri Mar 11, 2016 2:37 pm

Re: DNS over HTTPS

Sun May 24, 2020 5:11 pm

This is great news.
Does anyone know the url to fetch the google cert?
 
foolbaby
just joined
Posts: 12
Joined: Sun Feb 07, 2010 5:02 pm

Re: DNS over HTTPS

Tue May 26, 2020 2:04 pm

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
Thanks, it works, but sometimes it gives errors:
15:28:41 dns,error DoH server connection error: remote disconnected while in HTTP exchange
15:29:37 dns,error DoH server connection error: SSL: std failure: timeout (13)
15:29:42 dns,error DoH server connection error: SSL: handshake timed out (6)
15:29:42 dns,error DoH server connection error: SSL: internal error (6)
15:29:42 dns,error DoH server connection error: Idle timeout - connecting
17:52:53 dns,error DoH server connection error: Idle timeout - waiting data

I hope DoH gets better in the next release
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Tue May 26, 2020 2:47 pm

can you ping the DoH server?
 
foolbaby
just joined
Posts: 12
Joined: Sun Feb 07, 2010 5:02 pm

Re: DNS over HTTPS

Tue May 26, 2020 2:50 pm

can you ping the DoH server?
Yes, it can ping.
But it happens sometimes. It's just a new setup, still monitoring.
 
TheDoctor
just joined
Posts: 4
Joined: Wed Dec 18, 2019 10:52 am

Re: DNS over HTTPS

Tue May 26, 2020 7:28 pm

/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

expected end of command (line 1 column 12)

Is there any solution, please, for 6.46.6?
 
eworm
Forum Veteran
Posts: 724
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Tue May 26, 2020 8:06 pm

This is not supported in 6.46.6. You have to use 6.47 for that feature.
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Tue May 26, 2020 8:48 pm

And 6.47 is still in testing :)
 
foolbaby
just joined
Posts: 12
Joined: Sun Feb 07, 2010 5:02 pm

Re: DNS over HTTPS

Tue May 26, 2020 9:11 pm

can you ping the DoH server?
Maybe this is the problem.
Or maybe my router is too old :D lol
The CPU goes down when I disable the NAT for transparent DNS.
And what is the meaning of these warning logs?
may/27 01:04:34 dns,warning DoH max concurrent queries reached, ignoring query
 
TheDoctor
just joined
Posts: 4
Joined: Wed Dec 18, 2019 10:52 am

Re: DNS over HTTPS

Tue May 26, 2020 9:52 pm

And 6.47 is still in testing :)

Is it possible to talk about release dates for 6.47, or is that extremely premature?
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Tue May 26, 2020 10:00 pm

6.47 RC was just released over here: viewtopic.php?f=21&t=161583
 
shunkica
just joined
Posts: 22
Joined: Sat Mar 03, 2018 2:19 pm

Re: DNS over HTTPS

Sun Jun 07, 2020 10:02 am

How can I use multiple DoH servers in case first one is unreachable?
Why does it not fall back to DNS servers if the DoH server is unreachable?
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Sun Jun 07, 2020 5:18 pm

We did have a discussion about that over here: viewtopic.php?p=798678#p798678

I have added a second DoH server. Did not find out how/where to get the certificate for it, so it will use Cloudflare with certificate and Google without.
:local result yes
# probe the primary DoH server through its JSON API; any fetch failure flips $result
:do {
  /tool fetch url="https://1.1.1.1/dns-query\?name=mikrotik.ca%26type=A" output=file dst-path=result \
    http-header-field=accept:application/dns-json
} on-error={ :set result no }
:if ($result) do={
  # primary reachable: Cloudflare with certificate verification
  /ip dns set servers="" use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
} else={
  # fallback: Google, which needs a name in the URL, so 8.8.8.8 is set as the bootstrap resolver
  /ip dns set allow-remote-requests=yes servers=8.8.8.8 use-doh-server=https://dns.google/dns-query verify-doh-cert=no
}
PS: Google needs a DNS name in the URL to work, so 8.8.8.8 is added. It will not be used for other clients.
MikroTik should add the possibility for multiple DoH servers and/or a fallback to old/normal DNS requests.
 
sindy
Forum Guru
Posts: 6334
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS over HTTPS

Sun Jun 07, 2020 5:42 pm

PS google needs to use DNS name in URL to work, so 8.8.8.8 is added. It will not be used for other clients
I am afraid of frying my router's flash, so I don't run 6.47 yet; do static entries have precedence over DoH? If yes, I'd rather use

/ip dns static
add name=dns.google address=8.8.8.8
add name=dns.google address=8.8.4.4


than

/ip dns set servers=8.8.8.8,8.8.4.4
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sun Jun 07, 2020 6:47 pm

No, except for FWD.
 
Sob
Forum Guru
Posts: 6303
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Sun Jun 07, 2020 8:02 pm

I think you meant "Yes, except for FWD". Static entries are still preferred with DoH, except FWDs, those are currently ignored. There are also other differences but they don't affect @sindy's use case.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Sun Jun 07, 2020 8:09 pm

do static entries have precedence over DoH? If yes, I'd rather use
I can confirm that it is. And agree that a static entry is a better solution.
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sun Jun 07, 2020 10:02 pm

I think you meant "Yes, except for FWD". Static entries are still preferred with DoH, except FWDs, those are currently ignored. There are also other differences but they don't affect @sindy's use case.
I had this posting in my memory: viewtopic.php?f=21&t=161583#p795962
And somewhere I picked up that FWD was an exception.

But then I won't touch DoH again, even with a long poke. ;-) It is just a dream come true for the big firms collecting information; people just don't (want to) see that.

You can argue that you are free to choose more privacy-aware DNS servers, but 99% will use Google and Cloudflare in the end....sounds of popping champagne bottles in the background.

That is why I am not happy with MikroTik implementing it after being pressured to do that by many posts here asking for it. :?

Use unbound or Knot Resolver through a VPN tunnel. DoH gives you a false sense of security.

This does not mean DoH has no place. It has a place in countries that don't allow unchanged DNS usage and VPN. DNS is even sabotaged by returning the wrong root server IP addresses, as Sky UK did or is still doing. Breaking resolving by yourself.

Sadly there are too many people that are not aware of how we are watched all the time. It is a step back instead of a step forward in privacy.
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Sun Jun 07, 2020 10:19 pm

You can argue that are free to choose a more private aware DNS servers but 99% will use Google and Cloudflare in the end....sounds of popping champagne bottles in the background.
I was in Turkey last year, and there Wikipedia was blocked using a DNS block. A DoH agent on my PC solved this fine. Also I do not like that my ISP or government can spy on my traffic.

Running DoH on MikroTik since the first beta, and I have nothing negative to say about it. It resolves all my requests :)
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sun Jun 07, 2020 11:10 pm

You can argue that are free to choose a more private aware DNS servers but 99% will use Google and Cloudflare in the end....sounds of popping champagne bottles in the background.
I was in Turkey last year, and there Wikipedia was blocked used DNS block. DoH agent om my PC solved this fine. Also I do not like that my ISP or governmental can spy on my traffic.

Running DoH on MikroTik since first beta, and I have nothing negative to say about it. It resolves all my requests :)
And I mentioned in my posting that DoH has a right to exist, but not for daily/constant usage. If you live in Turkey or China or any other totalitarian country then you have my blessing.

It's like saying McDonald's is healthy because you order a salad with your burger and sugary drink.
 
Sob
Forum Guru
Posts: 6303
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Sun Jun 07, 2020 11:35 pm

It's a tool like any other. A hammer can be used to hit a nail or someone's head, it's everyone's choice, but you don't blame the hammer. Same with DoH, you can use different public servers or run your own. If you're afraid of Google and friends, you probably shouldn't use their servers.
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Sun Jun 07, 2020 11:37 pm

It like saying McDonalds is healthy, because you order a salad with you burger and sugary drink.
And if you connect to the "free" Wifi in McDonald's, then they can spy on all your DNS requests to see what the clients surf on when they are there. A VPN is a better solution, but it just shows that anyone can spy on you.
 
anav
Forum Guru
Posts: 5766
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Sun Jun 07, 2020 11:57 pm

I am getting hungry!

PS: I will implement DoH in honour of Homer Simpson, and if Jotne can convince me that there is no loss in performance and my internet traffic is better concealed from the scammers of commercialism and the dictatorships of secret police, be they Chinese, Russian, American or North Korean. LOL
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Mon Jun 08, 2020 12:05 am

Best is to remove the internet completely, then you are a lot more secure. :)
 
anav
Forum Guru
Posts: 5766
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Mon Jun 08, 2020 12:29 am

Best is to remove internet complete, than your are a lot more secure. :)
Not true, just facebook, instagram, snapchat, twitter and tik tok.
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 08, 2020 12:56 am

It's a tool like any other. A hammer can be used to hit a nail or someone's head, it's everyone's choice, but you don't blame the hammer. Same with DoH, you can use different public servers or run your own. If you're affraid of Google and friends, you probably shouldn't use their servers.
The nail has the choice which side to sink in, head or wood. Tough one. With a hammer the direction to go is clear.

VPN is also a trust you have in the provider you have chosen. Running your own resolver is easy these days and you still only have to choose which taste you want.

Encrypting the connection for a tiny amount of traffic is time consuming, so reusing the already encrypted connection speeds things up if resolve requests are many.
 
BlackFate
newbie
Posts: 27
Joined: Fri Aug 10, 2012 2:22 pm

Re: DNS over HTTPS

Mon Jun 08, 2020 1:24 am

Not sure why MikroTik never implemented DoT and went for DoH. Routers are tools to implement and include in network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers :)
MikroTik should be promoting good network practices, not the latest gimmick because some overexcited teenager requested it in a forum post.
 
anav
Forum Guru
Posts: 5766
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Mon Jun 08, 2020 2:24 am

Probably because it was easier?
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 08, 2020 3:14 pm

I have to apologize for calling hamburgers from McDonald's unhealthy.

Eating one McDonald's hamburger yourself does not mean that all McDonald's hamburgers are unhealthy too.

Just trying to be inclusive. ;-)
 
anav
Forum Guru
Posts: 5766
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Mon Jun 08, 2020 4:34 pm

Its called JUNK food for a reason. ;-)
You were right the first time.
 
anav
Forum Guru
Posts: 5766
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Mon Jun 08, 2020 4:34 pm

If one is predisposed to eating at McD as a primary food source, I will help you in assisted ..............., for a lot less $$ and a lot quicker (no suffering for those last 10-20 years).
 
shunkica
just joined
Posts: 22
Joined: Sat Mar 03, 2018 2:19 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 2:35 am

I have added a second DoH server. Did not find out how/where to get the certificate for it, so it will use Cloud Flare with certificate and google without.
What do you mean? How did you add a second DoH server?
If you mean the script you posted that is not adding a second DoH server. It is just replacing the one DoH server :)

This contains GlobalSign Root CA - R2, among others, which is what dns.google uses: https://curl.haxx.se/ca/cacert.pem
 
sindy
Forum Guru
Posts: 6334
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 8:35 am

If you mean the script you posted that is not adding a second DoH server. It is just replacing the one DoH server :)
It depends on the point of view. As the script monitors the responsiveness of the primary server and replaces it in the configuration with the secondary one whenever it stops responding, and puts back the primary one once it starts responding again, it can be seen as "adding a second one". Yes, it modifies configuration (so writes to flash), yes, it has to be spawned quite often to be useful (so it wastes some CPU), but it serves the purpose.

And there is a minor mistake in it which I've noticed later: there should be a plain & in place of the %26. Minor because the server does respond (so the monitoring goal is met) but provides no Answer section with the %26 in place.

What is worse is that Cloudflare does respond whereas Google returns 400 Bad Request (even with the &).
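Jotne's fail-over script earlier in the thread probes the primary server through the JSON API and switches the `/ip dns` settings, and sindy's note above explains why a `%26` in the probe URL yields a reply with no Answer section. The Python below is an added example of the same decision logic, not the thread's RouterOS script and not MikroTik code: it builds the probe URL with a properly encoded query string, judges the reply on HTTP status, RCODE and a non-empty Answer section rather than on "did the fetch succeed", and renders the `/ip dns set` line for whichever server wins. The JSON bodies are constructed samples (192.0.2.10 is a documentation address), not captured replies.

```python
"""
Decision logic for a DoH fail-over probe.  Added example for this thread, not
Jotne's RouterOS script and not MikroTik code: it builds the JSON-API probe
URL with a correctly encoded query string, judges the reply, and renders the
/ip dns set line for whichever server wins.  The JSON bodies are constructed
samples (192.0.2.10 is a documentation address), not captured replies.
"""
import json
from urllib.parse import urlencode

# Settings the thread's script applies in each branch; dict order is the
# order the rendered command line uses.
PRIMARY = {
    "servers": "",
    "use-doh-server": "https://1.1.1.1/dns-query",
    "verify-doh-cert": "yes",
}
FALLBACK = {
    "allow-remote-requests": "yes",
    "servers": "8.8.8.8",
    "use-doh-server": "https://dns.google/dns-query",
    "verify-doh-cert": "no",
}


def build_probe_url(base, name, rtype="A"):
    """urlencode joins parameters with a literal '&'.  Writing '%26' into the
    URL by hand makes the server percent-decode it inside the name value, so
    it is asked about 'mikrotik.ca&type=A' and returns no Answer section."""
    return f"{base}?{urlencode({'name': name, 'type': rtype})}"


def probe_healthy(http_status, body):
    """Return (ok, detail).  Merely getting an HTTP reply is not enough: the
    body must be JSON with Status (the RCODE) 0 and at least one A record."""
    if http_status != 200:
        return False, f"http {http_status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    if doc.get("Status") != 0:
        return False, f"rcode {doc.get('Status')}"
    addrs = [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == 1]
    if not addrs:
        return False, "no A records in Answer section"
    return True, ",".join(addrs)


def choose_dns_settings(http_status, body):
    """Primary server with certificate verification while it answers
    properly, otherwise the unverified fallback from the thread's script."""
    ok, _ = probe_healthy(http_status, body)
    return PRIMARY if ok else FALLBACK


def _quote(value):
    return value if value else '""'


def routeros_command(settings):
    """Render settings as the /ip dns set line; empty values become ""."""
    parts = [f"{key}={_quote(value)}" for key, value in settings.items()]
    return "/ip dns set " + " ".join(parts)


# Constructed sample replies.
GOOD_REPLY = json.dumps({
    "Status": 0,
    "Question": [{"name": "mikrotik.ca.", "type": 1}],
    "Answer": [{"name": "mikrotik.ca.", "type": 1, "TTL": 300, "data": "192.0.2.10"}],
})
# HTTP 200 and RCODE 0 but nothing answered: the case a plain "did the fetch
# succeed" check treats as healthy.
NO_ANSWER_REPLY = json.dumps({
    "Status": 0,
    "Question": [{"name": "mikrotik.ca&type=A.", "type": 1}],
})

if __name__ == "__main__":
    print(build_probe_url("https://1.1.1.1/dns-query", "mikrotik.ca"))
    for status, body in ((200, GOOD_REPLY), (200, NO_ANSWER_REPLY), (400, "")):
        verdict = probe_healthy(status, body)
        print(verdict, "->", routeros_command(choose_dns_settings(status, body)))
```

The fallback branch keeps `verify-doh-cert=no` only because that is what the script in the thread does; the point of the stricter probe is that a server which answers HTTP but returns no records no longer counts as up.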
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Wed Jun 10, 2020 10:06 am

What do you mean? How did you add a second DoH server?
Just as sindy writes. Using a fail-over script to a second server.
What can also be done is to set up three routers. One with two DNS entries pointing to the two others. Then the two others each running their own DoH.
Will test the Google cert
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Wed Jun 10, 2020 10:18 am

This contains GlobalSign Root CA - R2, among others, which is what dns.google uses: https://curl.haxx.se/ca/cacert.pem
This worked, but installed 137 certificates :-o
Do I need all of them? Can I see which one is used?
 
TheSirStumfy
Frequent Visitor
Posts: 83
Joined: Sun Oct 14, 2018 7:54 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 10:59 am

You only need the root certificate of the service you want to use.
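Importing the whole cacert.pem marks 137 roots as trusted when only the one the DoH provider chains to is needed, as the reply above says. The Python below is an added example (not from the thread and not MikroTik code): it splits curl's cacert.pem into named PEM blocks and writes out only the root(s) you ask for, so you can `/certificate import` that small file instead of the bundle. It assumes the bundle layout curl ships (a certificate name line, a line of = signs, then the PEM block); the miniature bundle inside is constructed with placeholder bodies, not real certificates, and the second entry's name is the one shunkica cites for dns.google.

```python
"""
Extract only the CA roots you need from curl's cacert.pem bundle before
importing into RouterOS.  Added example for this thread, not MikroTik code.
Assumed bundle layout (curl's format): a certificate name line, a line of
'=' characters, then the PEM block.  SAMPLE_BUNDLE is a constructed
miniature with placeholder bodies, not real certificates.
"""
import re

SAMPLE_BUNDLE = """\
##
## Bundle of CA Root Certificates (constructed miniature for this example)
##

GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItUjE=
-----END CERTIFICATE-----

GlobalSign Root CA - R2
=======================
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItUjI=
-----END CERTIFICATE-----

DigiCert Global Root CA
=======================
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItREM=
-----END CERTIFICATE-----
"""

# A name line (not a '#' comment, not the '=' underline itself), its '='
# underline, then the PEM block that belongs to it.
ENTRY_RE = re.compile(
    r"^(?P<name>[^\n#=][^\n]*)\n=+\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)


def parse_bundle(text):
    """Map each certificate name in the bundle to its PEM block."""
    return {m.group("name").strip(): m.group("pem") for m in ENTRY_RE.finditer(text)}


def count_roots(text):
    return len(parse_bundle(text))


def select_roots(text, wanted):
    """Return PEM text containing only the named roots, in the order given.
    A name that is not in the bundle raises KeyError, so a typo cannot
    silently produce an empty trust store."""
    certs = parse_bundle(text)
    missing = [name for name in wanted if name not in certs]
    if missing:
        raise KeyError(f"not in bundle: {missing}")
    return "".join(f"{name}\n{'=' * len(name)}\n{certs[name]}\n\n" for name in wanted)


if __name__ == "__main__":
    # Real use: read the downloaded cacert.pem instead of SAMPLE_BUNDLE and
    # write the result to e.g. doh-root.pem for /certificate import.
    print(count_roots(SAMPLE_BUNDLE), "roots in bundle")
    print(select_roots(SAMPLE_BUNDLE, ["GlobalSign Root CA - R2"]))
```

Which root to keep is still something to verify against the live chain (for example with `openssl s_client -showcerts -connect dns.google:443`) rather than taken from a forum post, because providers rotate issuing CAs; the script only guarantees that whatever you name is exactly what gets imported.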
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Wed Jun 10, 2020 11:11 am

And from this list what is the root certificate needed for DoH to work?
 1       T cacert.pem_0         GlobalSign Root CA                                                                      ebd41040e4bb3ec742c9e38...
 2  L    T cacert.pem_1         GlobalSign                                                                              ca42dd41745fd0b81eb9023...
 3       T cacert.pem_2         VeriSign Class 3 Public...                                                              eb04cf5eb1f39afa762f2bb...
 4       T cacert.pem_3         Entrust.net Certificati...                                                              6dc47172e01cbcb0bf62580...
 5       T cacert.pem_4         Baltimore CyberTrust Root                                                               16af57a9f676b0ab126095a...
 6      ET cacert.pem_5         AddTrust External CA Root                                                               687fa451382278fff0c8b11...
 7       T cacert.pem_6         Entrust Root Certificat...                                                              73c176434f1bc6d5adf45b0...
 8       T cacert.pem_7         GeoTrust Global CA                                                                      ff856a2d251dcd88d36656f...
 9       T cacert.pem_8         GeoTrust Universal CA                                                                   a0459b9f63b22559f5fa5d4...
10       T cacert.pem_9         GeoTrust Universal CA 2                                                                 a0234f3bc8527ca5628eec8...
11  L    T cacert.pem_10        AAA Certificate Services                                                                d7a7a0fb5d7e2731d771e94...
12       T cacert.pem_11        QuoVadis Root Certifica...                                                              a45ede3bbbf09c8ae15c72e...
13       T cacert.pem_12        QuoVadis Root CA 2                                                                      85a0dd7dd720adb7ff05f83...
14       T cacert.pem_13        QuoVadis Root CA 3                                                                      18f1fc7f205df8adddeb7fe...
15       T cacert.pem_14                                                                                                e75e72ed9f560eec6eb4800...
16       T cacert.pem_15        Sonera Class2 CA                                                                        7908b40314c138100b518d0...
17  L    T cacert.pem_16        XRamp Global Certificat...                                                              cecddc905099d8dadfc5b1d...
18       T cacert.pem_17                                                                                                c3846bf24b9e93ca64274c0...
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
sindy
Forum Guru
Posts: 6334
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 11:28 am

Open https://dns.google/dns-query in a browser. You'll get a 400 Bad Request, but that doesn't matter; there will be a padlock icon next to the URL. Click it and get to the certificate details to see the root CA certificate which signs the server one (the exact steps depend on the browser).

The above is only true if you don't have spyware (antivirus) installed on your PC which performs MITM attacks on all TLS traffic so that it can inspect the contents you download for malware.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Wed Jun 10, 2020 11:45 am

Trial and error showed me that the second certificate installed is the only one needed.
Name: cacert.pem_1
Issuer: OU=GlobalSign Root CA - R2,O=GlobalSign,CN=GlobalSign
 
 
 
frank333
Member Candidate
Posts: 163
Joined: Mon Dec 18, 2017 12:17 pm
Location: italy Router model: RB3011UiAS-RM

Re: DNS over HTTPS

Wed Jun 10, 2020 12:55 pm

I'm using the script and it works well. I've imported the global certificates and tested several DoH servers, but you always get an error as a response.
I set the schedule to every minute and had the results written to an external sacrificial MMC card, so as not to fry the Tik's flash.
 
sindy
Forum Guru
Posts: 6334
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 1:03 pm

When mentioning frying the flash, I had in mind the basic 6.47, which some users report generates thousands of sector writes without an apparent reason, not writing the fetched file to flash - on my SOHO devices, files are stored in RAM unless you explicitly place them in flash.

I don't understand what you mean by "works well" and "you always get an error" in the same sentence; can you elaborate?
 
Urajmal
just joined
Posts: 10
Joined: Thu Jul 26, 2018 6:23 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 2:11 pm

For those who have DoH configured with Cloudflare, does the first test, "Secure DNS", show as green for you?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks
 
frank333
Member Candidate
Posts: 163
Joined: Mon Dec 18, 2017 12:17 pm
Location: italy Router model: RB3011UiAS-RM

Re: DNS over HTTPS

Wed Jun 10, 2020 2:15 pm

I thought the result file was written on the MikroTik's HDD, so I moved it to the external MMC.
Schermata del 2020-06-10 12.54.41.png
The script always populates the MikroTik DNS cache even when the Cloudflare DoH fails.
For the query response errors I thought about this.
Schermata del 2020-06-10 13.00.40.png
 
xvo
Forum Guru
Posts: 1098
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: DNS over HTTPS

Wed Jun 10, 2020 2:52 pm

For those who have DoH configured with Cloudflare, does the first test, "Secure DNS", show as green for you?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks
Yes.
 
Urajmal
just joined
Posts: 10
Joined: Thu Jul 26, 2018 6:23 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 3:26 pm

For those who have DoH configured with Cloudflare, does the first test, "Secure DNS", show as green for you?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks
Yes.
I have a problem with that: I followed normis's manuals, and I am unable to get the first test green. Any recommendations? What should I have in DNS - Static, and what should I have in DHCP Server - Networks - DNS Servers?
 
xvo
Forum Guru
Posts: 1098
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: DNS over HTTPS

Wed Jun 10, 2020 3:49 pm

What should I have in DNS - Static
Nothing if you use https://1.1.1.1/dns-query as DoH Server.

Or /ip dns static add address=1.1.1.1 name=cloudflare-dns.com
if you use https://cloudflare-dns.com/dns-query

what should I have DHCP Server - Networks - DNS Servers?
Your router's IP

Also make sure that you don't have any dynamic servers.
 
frank333
Member Candidate
Posts: 163
Joined: Mon Dec 18, 2017 12:17 pm
Location: italy Router model: RB3011UiAS-RM

Re: DNS over HTTPS

Wed Jun 10, 2020 4:02 pm

On Linux, to check the DNS I do this: restart the connection and check with nmcli device show myinterface | grep IP4
 
Urajmal
just joined
Posts: 10
Joined: Thu Jul 26, 2018 6:23 pm

Re: DNS over HTTPS

Thu Jun 11, 2020 12:15 am

What should I have in DNS - Static
Nothing if you use https://1.1.1.1/dns-query as DoH Server.

Or /ip dns static add address=1.1.1.1 name=cloudflare-dns.com
if you use https://cloudflare-dns.com/dns-query

what should I have DHCP Server - Networks - DNS Servers?
Your router's IP

Also make sure, that you don't have any dynamic servers.


Thanks! I have tried all sorts of combinations. I am unable to get "Secure DNS" to green.
Will be following this thread to see if there are others with the same situation.

And will try to configure it on a brand new RB4011.
 
Pea
Member Candidate
Posts: 228
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS over HTTPS

Thu Jun 11, 2020 12:34 am

Is your client really using your router as DNS?
 
hendra
newbie
Posts: 33
Joined: Wed Nov 22, 2017 2:21 am

Re: DNS over HTTPS

Thu Jun 11, 2020 3:22 am

Can you ping the DoH server?
Maybe this is the problem.
Or maybe my router is too old :D lol
The CPU load goes down when I disable the NAT for transparent DNS.
And what is the meaning of these warning logs?
may/27 01:04:34 dns,warning DoH max concurrent queries reached, ignoring query 
dns,error DoH server connection error: remote disconnected while in HTTP exchange

any solution ?
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Thu Jun 11, 2020 8:13 am

For those who have DoH configured with Cloudflare, does the first test, "Secure DNS", show as green for you?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks
Yes.

You need the certificate; check by typing: /certificate print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 0       T name="DigiCertGlobalRootCA.crt.pem_0" issuer=C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA digest-algorithm=sha1 
           key-type=rsa country="US" organization="DigiCert Inc" unit="www.digicert.com" common-name="DigiCert Global Root CA" key-size=2048 
           subject-alt-name="" days-valid=9131 trusted=yes key-usage=digital-signature,key-cert-sign,crl-sign 
           serial-number="083BE056904246B1A1756AC95991C74A" fingerprint="4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161" 
           akid=03de503556d14cbb66f0a3e21b1bc397b23dd155 skid=03de503556d14cbb66f0a3e21b1bc397b23dd155 invalid-before=nov/10/2006 02:00:00 
           invalid-after=nov/10/2031 02:00:00 expires-after=595w3d18h49m37s 
Then set the DNS on your router to:
/ip dns set servers="" use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
DHCP should point DNS to your router. So on your PC, ipconfig /all
DNS Servers . . . . . . . . . . . : 192.168.88.1
 
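The exchange that `use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes` makes the router perform, as an added example written for this thread (not RouterOS code and not posted by anyone above): a minimal RFC 8484 DNS-over-HTTPS client in Python's standard library that builds the wire-format query, sends it by HTTPS GET with the server certificate verified against the system store or a CA bundle such as the cacert.pem fetched in the first reply, and decodes the answer. Function names are my own; the server URL and query name are the ones used in the thread.

```python
"""Minimal RFC 8484 DNS-over-HTTPS client, standard library only.

Added example for this thread; it is not RouterOS code. It does by hand what
`/ip dns set use-doh-server=... verify-doh-cert=yes` makes the router do: wrap
a wire-format DNS query in an HTTPS GET, verify the server certificate against
a CA bundle, and decode the DNS answer. Running doh_get() from a PC is a quick
way to confirm that a DoH URL and CA bundle work before pointing the router at them.
"""
import base64
import ssl
import struct
import urllib.request

TYPE_A, TYPE_AAAA = 1, 28


def build_query(name, qtype=TYPE_A, txid=0):
    """Build a DNS wire-format query (RFC 1035 section 4.1).
    RFC 8484 recommends ID 0 so identical queries stay HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return (rcode, answers); answers is a list of (name, type, ttl, rdata).
    A and AAAA rdata are rendered as addresses, anything else as hex."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            text = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_AAAA and rdlen == 16:
            text = ":".join(f"{(rdata[i] << 8) | rdata[i + 1]:x}" for i in range(0, 16, 2))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return rcode, answers


def doh_url(server_url, name, qtype=TYPE_A):
    """GET form of RFC 8484: the query travels in ?dns=<base64url, no padding>."""
    param = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"{server_url}?dns={param}"


def doh_get(server_url, name, cafile=None, timeout=5.0):
    """Resolve `name` through the DoH server. cafile=None uses the system trust
    store; pass the path of a downloaded cacert.pem to mimic verify-doh-cert=yes
    with exactly that bundle. Verification is never turned off: a missing or
    wrong root CA fails here just as it does on the router."""
    req = urllib.request.Request(doh_url(server_url, name),
                                 headers={"Accept": "application/dns-message"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected Content-Type {ctype!r}")
        return parse_response(resp.read())


if __name__ == "__main__":
    # Needs network access; the server URL is the one used in this thread.
    print(doh_get("https://1.1.1.1/dns-query", "cloudflare-dns.com"))
```

If the router logs a certificate error, running `doh_get(url, name, cafile="cacert.pem")` on a PC with the same bundle shows whether the bundle or the router is at fault.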
 
 
mozerd
Member
Posts: 476
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: DNS over HTTPS

Thu Jun 11, 2020 8:54 pm

None of my Apple gear works when DoH is enabled... All Apple gear is wireless... all Windows gear works with DoH.
I have not determined why the Apple gear is not working with DoH... will do that on another day...
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Thu Jun 11, 2020 10:51 pm

Maybe Apple uses a fixed IP, like Chromecast uses 8.8.8.8, and not the DNS it gets from DHCP.
This can be fixed by redirecting all requests to port 53 to your DNS server. Then Chromecast and other stupid devices that do not follow normal regulations will still work.
 
 
 
frank333
Member Candidate
Posts: 163
Joined: Mon Dec 18, 2017 12:17 pm
Location: italy Router model: RB3011UiAS-RM

Re: DNS over HTTPS

Fri Jun 12, 2020 12:28 am

So?
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53
Put in front of all the rules?
192.168.88.1 is the IP of the MikroTik router.
 
hendra
newbie
Posts: 33
Joined: Wed Nov 22, 2017 2:21 am

Re: DNS over HTTPS

Fri Jun 12, 2020 10:56 pm

Sometimes after a few hours I get this log: "DoH server connection error idle timeout". Any clue for this?
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Fri Jun 12, 2020 11:17 pm

I don't know but have a look at the first posting in this thread.
 
Lebzul
Member Candidate
Posts: 103
Joined: Wed Feb 21, 2018 12:54 am

Re: DNS over HTTPS

Sat Jun 13, 2020 4:18 pm

Is it normal to have lots of RAM consumption by using this?
 
hendra
newbie
Posts: 33
Joined: Wed Nov 22, 2017 2:21 am

Re: DNS over HTTPS

Sun Jun 14, 2020 4:20 am

Any clue for this: "DoH server connection error: ssl handshake timeout"?
 
slimprize
Frequent Visitor
Posts: 75
Joined: Thu Aug 09, 2012 2:43 am

Re: DNS over HTTPS

Sun Jun 14, 2020 8:40 am

Hi all,
Does anyone know the URL to download the certificate for OpenDNS? I am getting DNS resolution errors.
I tried
https://support.opendns.com/hc/en-us/ar ... evelopers-
No go, though the certificate was imported successfully.
 
frank333
Member Candidate
Posts: 163
Joined: Mon Dec 18, 2017 12:17 pm
Location: italy Router model: RB3011UiAS-RM

Re: DNS over HTTPS

Sun Jun 14, 2020 9:40 am

slimprize,
that's what I do, in the PEM download section.
Schermata del 2020-06-14 08.31.14.png
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sun Jun 14, 2020 11:53 am

You click.
 
mozerd
Member
Posts: 476
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: DNS over HTTPS

Sun Jun 14, 2020 2:12 pm

Not sure why MikroTik never implemented DoT and went for DoH. Routers are tools to implement and include in network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers :)
@BlackFate
"Leave DoH for the browsers" is 100% on the mark!
 
mozerd
Member
Posts: 476
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: DNS over HTTPS

Sun Jun 14, 2020 2:19 pm

Maybe Apple uses a fixed IP, like Chromecast uses 8.8.8.8, and not the DNS it gets from DHCP.
This can be fixed by redirecting all requests to port 53 to your DNS server. Then Chromecast and other stupid devices that do not follow normal regulations will still work.
@Jotne
All my Apple devices use DHCP and get their DNS from 'either' based on appropriateness. Safari just hangs. Chrome is fine.
I'll just forget DoH on the Router and use DoH enabled on the Chromium Browser -- works great.
 
slimprize
Frequent Visitor
Posts: 75
Joined: Thu Aug 09, 2012 2:43 am

Re: DNS over HTTPS

Sun Jun 14, 2020 5:20 pm

slimprize,
that's what I do, in the PEM download section.
Schermata del 2020-06-14 08.31.14.png
frank333, your screenshot is not clear. Could you please describe the procedure from the command-line interface? Do all certificates need to be in PEM format? I seem to have imported the one from OpenDNS correctly.

[pranav1@ConShield] /certificate> print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
# NAME COM.. SUBJECT-ALT-NAME FIN..
0 T Cis.. Cis.. 203..

Pranav
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 8:21 am

Not sure why MikroTik never implemented DoT and went for DoH. Routers are tools to implement and include in network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers :)
@BlackFate
Leave DoH for the browsers is 100% on the mark !
Not all internet traffic is from the browser. Not all devices have browsers.
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 15, 2020 10:25 am

Not sure why MikroTik never implemented DoT and went for DoH. Routers are tools to implement and include in network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers :)
@BlackFate
Leave DoH for the browsers is 100% on the mark !
Not all internet traffic is from the browser. Not all devices have browsers.
Then why is TCP port 443 used and not a specific port for this kind of traffic? DoT uses TCP/853 and can be blocked without having to bring in long lists of addresses to block.

DoH is an aggressive way of resolving and not at home in a network that is administered in a normal way. It should be used in situations where normal network administration is not present.
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 10:54 am

Exactly!
DoH can be used in countries where governments enforce filtering of news and such. This is why it's popular, I guess.
 
frank333
Member Candidate
Posts: 163
Joined: Mon Dec 18, 2017 12:17 pm
Location: italy Router model: RB3011UiAS-RM

Re: DNS over HTTPS

Mon Jun 15, 2020 11:08 am

In my opinion, DoH is the first example of how much MikroTik cares about the safety of its users, and other initiatives in this direction are welcome.
The only things I can reproach are the problems I had using firmware 6.47 and the lack of possibility to use other DNS besides Cloudflare.
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 11:10 am

You can use any DoH service, not just Cloudflare. You can use Google or others. There is a list of public DoH servers you can use:
https://dnsprivacy.org/wiki/display/DP/ ... +Resolvers
 
frank333
Member Candidate
Posts: 163
Joined: Mon Dec 18, 2017 12:17 pm
Location: italy Router model: RB3011UiAS-RM

Re: DNS over HTTPS

Mon Jun 15, 2020 11:18 am

Yes normis, I wanted to say that I tried this, but in addition to having problems with continuous writing to the NAND with v6.47, I still cannot enable certificate verification for anything besides Cloudflare, and also cannot yet enter a second DoH server to act as failover.
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 15, 2020 11:47 am

Exactly!
DoH can be used in countries where governments enforce filtering of news and such. This is why it's popular, I guess.
Is Latvia such a country?

The popularity is due to indoctrination by the big firms wanting to follow you wherever you go. You always send your IP address with your request.

The opposite of what you want to achieve is happening here. See it as the Facebook pixel or hidden script on all the sites for a long time: you told Facebook which sites you visited.

It belongs in browsers and not in routers or other network devices.
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 11:58 am

Latvia is not such a country, but these requests come from such countries.
Don't mix other topics into this. One doesn't have to be a FB user to want DoH. People still want to read News, but some places deny this access. Such user can set up DoH in his home router and not worry about somebody intercepting DNS requests for browsing or any other internet traffic.
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 15, 2020 1:56 pm

I did not mix things, I compared to it.

"See it as the Facebook pixel...."
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 1:57 pm

There is no relation. You can set your router to forward all traffic to your OWN DNS over HTTPs server in another country.
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 15, 2020 3:23 pm

Yes you can, but how many will do that!?
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 3:25 pm

Look at the crazy amount of questions on this forum. DoH is really popular. A lot of regimes nowadays filter content. People started to use 8.8.8.8 as DNS, but that got blocked. So now people ask for DoH. This is what it's for basically.

I will not get political. We just make what users ask for (sometimes).
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: DNS over HTTPS

Mon Jun 15, 2020 4:40 pm

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
Does this work for IPv6?
UDM-Pro Former: RB4011, CCR2004, hEX, ER4
Aruba 2930F, CSS326, CRS309, CRS112-PoE Former: Ubiquiti XG-16 & ES-10X
Wireless Wire
AT&T Fiber 1000/1000
http://tlopez.cc/images/hex_is_a_beast.PNG
http://tlopez.cc/images/ccr2004_speedtest.png
 
eworm
Forum Veteran
Posts: 724
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Mon Jun 15, 2020 4:44 pm

Does this work for IPv6?
You could try this address:

https://[2606:4700:4700::1111]/dns-query

But others reported it does not. Have not tried it myself.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 15, 2020 6:21 pm

Look at the crazy amount of questions on this forum. DoH is really popular. A lot of regimes nowadays filter content. People started to use 8.8.8.8 as DNS, but that got blocked. So now people ask for DoH. This is what it's for basically.

I will not get political. We just make what users ask for (sometimes).
And so it came full circle.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: DNS over HTTPS

Tue Jun 16, 2020 7:46 am

Sometimes after a few hours I got this log: "DoH server connection error idle timeout". Any clue for this?
Same issue, I usually just ignore it as DNS seems to work fine.
 
shunkica
just joined
Posts: 22
Joined: Sat Mar 03, 2018 2:19 pm

Re: DNS over HTTPS

Wed Jun 17, 2020 9:56 am

DoH is not only for countries with content filtering...
All governments do surveillance on their citizens, and your ISP could be selling your data as well.
And when it comes to it, I would rather Cloudflare have my data than my shitty government/ISP.
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Wed Jun 17, 2020 10:05 am

And when it comes to it, I would rather Cloudflare have my data than my shitty government/ISP.
Maybe the people here that do not like DoH/DoT are ISPs themselves ;)
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
inteq
Member Candidate
Posts: 261
Joined: Wed Feb 25, 2015 8:15 pm
Location: Romania

Re: DNS over HTTPS

Wed Jun 17, 2020 10:14 am

In my opinion, doh is the first example of how much mikrotik cares about the safety of its users and other initiatives in this direction are welcome.
Don't be fooled into thinking DoH provides any "safety" for users.
I mean don't do stupid stuff online just because you have DoH enabled then act surprised when caught.
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Jun 17, 2020 10:23 am

DoH just moves your concerns from the ISP/Government to the DoH service provider. It all just depends on who you trust more.
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Wed Jun 17, 2020 10:51 am

And when it comes to it, I would rather Cloudflare have my data than my shitty government/ISP.
Maybe the people here that do not like DoH/DoT are ISPs themselves ;)
Why should DoT be wrong? As an ISP, or as the concerned parents of a family, you can enforce not using DoT.
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Jun 17, 2020 11:01 am

I just hope you can try and see the other side of the coin. It was discussed enough times above. There are many reasons not to trust the ISP.
 
Jotne
Forum Guru
Posts: 1842
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Wed Jun 17, 2020 11:02 am

DoH just moves your concerns from the ISP/Government to the DoH service provider. It all just depends on who you trust more.
It's a huge difference. I can choose between someone I know and someone I do not know. How many can see my DNS request I do not know, but with DoH I have some clue.
 
 
normis
MikroTik Support
Posts: 24756
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Jun 17, 2020 11:06 am

Like I already said, you can set up your own DOH server in a trusted country with a trusted ISP and then configure DOH client in the country where you don't feel safe.
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Wed Jun 17, 2020 12:06 pm

I just hope you can try and see the other side of the coin. It was discussed enough times above. There are many reasons not to trust the ISP.
There are also many reasons to not trust anyone with your private data.

That is why I do it myself and ask the authoritative servers directly. The Dutch government does not like it when you do that through a VPN provider. I have to use the DoT server of my ISP for those specific domains.
 
slimprize
Frequent Visitor
Posts: 75
Joined: Thu Aug 09, 2012 2:43 am

Re: DNS over HTTPS

Wed Jun 17, 2020 4:13 pm

Hi all,

Has anyone gotten opendns's doh server to work?

As I said above I tried but was getting resolution errors despite importing the certificate.
 
Sob
Forum Guru
Posts: 6303
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Wed Jun 17, 2020 5:10 pm

Sure. Quick and simple (and insecure *) way:
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem
/ip dns set use-doh-server=https://doh.opendns.com/dns-query verify-doh-cert=yes
(*) The problem is that fetch does not verify the certificate, and even though there is an option for it, it won't work when there's no root certificate on the router. Chicken-and-egg problem. So better download the file using a browser and upload it to the router.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
slimprize
Frequent Visitor
Posts: 75
Joined: Thu Aug 09, 2012 2:43 am

Re: DNS over HTTPS

Thu Jun 18, 2020 4:40 am

@Sob,
Many, many thanks. I have DNS over HTTPS working. Website lookups are slow, so I am not sure if I will keep this configuration. I want to though, so let's see.

Pranav
 
frank333
Member Candidate
Posts: 163
Joined: Mon Dec 18, 2017 12:17 pm
Location: italy Router model: RB3011UiAS-RM

Re: DNS over HTTPS

Thu Jun 18, 2020 11:13 am

slimprize,
Cloudflare has the fastest DNS, then there is Google, and then all the others. OpenDNS here at my place is very slow.
 
kd2pm2
Frequent Visitor
Posts: 58
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 5:35 pm

Anyone else getting this? Seems that if it's time to get an updated cert file, it can't. It's a chicken/egg scenario where it can't get the info to do the fetch to update the cert. Easy fix is to just add in another DNS entry like 1.1.1.1 and immediately the DNS query works; it does the fetch and then all is good. I can take out the 1.1.1.1 until once again it gets caught in the loop trying to query but it can't...


dns error.jpg
Ed in NJ-USA
RB2011 / RB4011 / RB260GS / RB750
 
hendra
newbie
Posts: 33
Joined: Wed Nov 22, 2017 2:21 am

Re: DNS over HTTPS

Fri Jun 19, 2020 5:38 pm

Anyone else getting this? Seems that if it's time to get an updated cert file, it can't. It's a chicken/egg scenario where it can't get the info to do the fetch to update the cert. Easy fix is to just add in another DNS entry like 1.1.1.1 and immediately the DNS query works; it does the fetch and then all is good. I can take out the 1.1.1.1 until once again it gets caught in the loop trying to query but it can't...



dns error.jpg
how to solve this ?
 
frank333
Member Candidate
Posts: 163
Joined: Mon Dec 18, 2017 12:17 pm
Location: italy Router model: RB3011UiAS-RM

Re: DNS over HTTPS

Fri Jun 19, 2020 6:06 pm

try to follow this holy man's guidance,
https://jcutrer.com/howto/networking/mi ... over-https
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Fri Jun 19, 2020 8:08 pm

In the holy book you see, normis, only Google and Cloudflare being mentioned.

As I predicted.
 
kd2pm2
Frequent Visitor
Posts: 58
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 8:11 pm

try to follow this holy man's guidance,
https://jcutrer.com/howto/networking/mi ... over-https
Seems pretty close to what I have already done. I may have to go back to plan "B" and make the URL 1.1.1.1 instead of cloudflare-dns.com
 
kd2pm2
Frequent Visitor
Posts: 58
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 10:12 pm

So here is my current DNS config. When I reboot the RB2011 it goes into an endless loop of handshake failures. It's trying to validate the CRLs, but it should already have them in certificate memory as valid. I suspect that the certificate settings need to be changed to perhaps not download the CRL, or even not use the CRL? Also not sure if the CRL store should be RAM or System. In order to fix the problem I did have to add DNS server 1.1.1.1 to my settings.

From what I can tell, a reboot invalidates the CRLs and the router needs to go back out and validate all of them. If you do a /system certificates and check the CRL tab, all of those CRLs are red. So you are stuck until validation takes place and they go black on the screen, and then the DNS server will start caching entries.

So I am kinda lost here as to how it really should be set up so that a reboot does not force me to log in manually to add a DNS entry of 1.1.1.1 just to download/validate what I have in my router all the time.
 /ip dns print
                      servers: 
              dynamic-servers: 
               use-doh-server: https://1.1.1.2/dns-query
              verify-doh-cert: yes
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 500
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 3d
                   cache-used: 30KiB
dns_error_2.jpg
Above shows the errors immediately after the RB2011 reboot

dns_error_3.jpg
Above shows the updates to the files once I add DNS 1.1.1.1 as a server.
 
Pea
Member Candidate
Posts: 228
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS over HTTPS

Fri Jun 19, 2020 10:35 pm

remove all those certificates and use just this one:
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
 
kd2pm2
Frequent Visitor
Posts: 58
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 10:49 pm

remove all those certificates and use just this one:
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
I did and there is no CRL and I am still logging the same DNS error

DoH server connection error: SSL: handshake failed: unable to get certificate CRL (6)
 
kd2pm2
Frequent Visitor
Posts: 58
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 10:51 pm

I believe I have to go back and get the PEM file for Cloudflare-DNS and load that back in as well... I believe one can't work without the other.
 
kd2pm2
Frequent Visitor
Posts: 58
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 11:10 pm

I believe I have to go back and get the PEM file for Cloudflare-DNS and load that back in as well... I believe one can't work without the other.
So it's definitely an issue on a reboot: if you don't have a standard DNS server like 1.1.1.1 assigned as well as the DoH server, the DoH cannot and will not allow itself to validate the CRLs, and thus it has to use 1.1.1.1 to get those downloaded, and then the DoH appears to be happy.

It also appears to me that you do need the cloudflare-dns.com and DigiCert Global Root CA certs for things to behave; if not, it continues to log DoH server errors.
 
floaty
Member Candidate
Posts: 253
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: DNS over HTTPS

Sat Jun 20, 2020 12:45 am

.
I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address?
.
same experience here:
using the available v4 addresses gives warnings (maybe a Google by-the-side sausage??)
... seems there's load balancing in between, which is fetching "dns.google" [or any of the alternate names ... because the pure IP servers do NOT]
.
question: what would be issue with local static translation ?
.
## update ## ... dns64.dns.google is not working ... guess that's for v6
.
[admin@tikki] > ping www.cisco.com
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: could not get answer from dns server
                                                                      (1 messages discarded)
23:29:09 echo: dns,warning <html lang=en>
23:29:09 echo: dns,warning   <meta charset=utf-8>
23:29:09 echo: dns,warning   <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
23:29:09 echo: dns,warning   <title>Error 404 (Not Found)!!1</title>
23:29:09 echo: dns,warning   <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
23:29:09 echo: dns,warning   <p><b>404.</b> <ins>That\E2\80\99s an error.</ins>
23:29:09 echo: dns,warning   <p>The requested URL <code>/dns-query</code> was not found on this server.  <ins>That\E2\80\99s all we know.</ins>
23:29:09 echo: dns,warning
[admin@tikki] > 
.
ggl.PNG
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
msatter
Forum Guru
Posts: 1984
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sat Jun 20, 2020 3:13 am

dns64.dns.google can't be resolved to an IP address:
;; AUTHORITY SECTION:
dns.google.             48      IN      SOA     ns1.zdns.google. dns-admin.google.com. 2684358593 21600 3600 1209600 300
 
floaty
Member Candidate
Posts: 253
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: DNS over HTTPS

Sat Jun 20, 2020 12:35 pm

.
not v4 ... right
.
foo@pike:~# dig -x 2001:4860:4860::64

; <<>> DiG 9.10.3-P4-Debian <<>> -x 2001:4860:4860::64
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35978
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;4.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
4.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. 21598 IN PTR dns64.dns.google.

;; Query time: 43 msec
;; SERVER: 192.168.100.10#53(192.168.100.10)
;; WHEN: Sat Jun 20 11:32:24 CEST 2020
;; MSG SIZE  rcvd: 131

foo@pike:~# 
 
Flextro
just joined
Posts: 1
Joined: Wed May 02, 2018 3:31 pm

Re: DNS over HTTPS

Sun Jun 21, 2020 12:27 pm

I'm using DoH with the 1.1.1.1 server on an RB3011 with ROS 6.47 for about a week.
Since this morning I have a problem with 1.1.1.1:
I get only the "12:15:40 dns,error DoH server connection error: SSL: internal error (6)" message. I tried 9.9.9.9 and it works fine (still).
Don't know if this is an issue with my ISP, CF or MikroTik.
RB3011 and hAP ac
 
capy2008
just joined
Posts: 1
Joined: Sun Jun 21, 2020 8:14 pm

Re: DNS over HTTPS

Sun Jun 21, 2020 8:16 pm

I get this error. Anybody have any idea how I fix it?
/tool fetch url="https://curl.haxx.se/ca/cacert.pem"
failure: unable to resolve hostname

I fixed it, but I am unable to make DoH work. I still see ISP DNS in torch.
Last edited by capy2008 on Sun Jun 21, 2020 9:09 pm, edited 2 times in total.
 
lysakov
just joined
Posts: 1
Joined: Mon Jun 22, 2020 8:32 pm
Location: Russia

Re: DNS over HTTPS

Mon Jun 22, 2020 8:57 pm

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
I used this manual for configuring DoH on my hAP AC^2.
It worked until yesterday. Now I have this error: "DoH server connection error: SSL: internal error (6)"
Anyone have idea what's happened? O_o

I have found temporary solution:
/ip dns static add name=dns.google address=8.8.8.8
/ip dns static add name=dns.google address=8.8.4.4

And use https://dns.google/dns-query as DoH server.
Last edited by lysakov on Mon Jun 22, 2020 9:35 pm, edited 1 time in total.
 
MEJAKUmputer
just joined
Posts: 2
Joined: Wed Jul 15, 2020 2:18 pm
Location: Indonesia

Re: DNS over HTTPS

Wed Jul 15, 2020 2:33 pm

My DoH setting
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
/ip dns set servers=""
/ip dns set use-doh-server=https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes

/ip firewall filter
add action=accept chain=input src-port=443 protocol=tcp src-address-list=Cloudflare-DNS
add action=accept chain=input dst-port=53 in-interface=!ether1-wan protocol=udp
add action=drop chain=input

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether2-lan protocol=tcp to-addresses=192.168.68.1 to-ports=53
I added 2 static DNS entries for family.cloudflare-dns.com with the addresses 104.18.209.237 and 104.18.210.237.
I also added 104.18.209.237 and 104.18.210.237 to an address list named Cloudflare-DNS.
And 192.168.68.1 is the gateway for ether2.

Everything works well, but did I miss something in my settings? I need your opinion.
 
DarkNate
Member Candidate
Posts: 203
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Thu Jul 16, 2020 4:26 pm

What ports does RouterOS use for DoH?

Strictly TCP 443 only?

Seems in some cases port 53, 853 is used: https://en.wikipedia.org/wiki/DNS_over_ ... _scenarios
 
proximus
Member Candidate
Posts: 114
Joined: Tue Oct 04, 2011 1:46 pm

Re: DNS over HTTPS

Fri Jul 17, 2020 12:26 am

I added 2 static DNS entries for family.cloudflare-dns.com to address: 104.18.209.237 and 104.18.210.237.
You would probably be better off using the Anycast addresses 1.1.1.3 and 1.0.0.3. That way, if CF ever changes those specific servers, you won't be out of service.

I use the 1.1.1.2 / 1.0.0.2 security.cloudflare-dns.com static DNS entries and it is fine.
 
MEJAKUmputer
just joined
Posts: 2
Joined: Wed Jul 15, 2020 2:18 pm
Location: Indonesia

Re: DNS over HTTPS

Tue Jul 21, 2020 1:59 pm

I added 2 static DNS entries for family.cloudflare-dns.com to address: 104.18.209.237 and 104.18.210.237.
You would probably be better off using the Anycast addresses 1.1.1.3 and 1.0.0.3. That way, if CF ever changes those specific servers, you won't be out of service.

I use the 1.1.1.2 / 1.0.0.2 security.cloudflare-dns.com static DNS entries and it is fine.
What if I just add 1.1.1.3 and 1.0.0.3 as family.cloudflare-dns.com static DNS entries, so I have four static DNS entries for family.cloudflare-dns.com (104.18.209.237, 104.18.210.237, 1.1.1.3, 1.0.0.3)? Is that fine?
 
Guscht
newbie
Posts: 27
Joined: Thu Jul 01, 2010 5:32 pm

Re: DNS over HTTPS

Tue Jul 21, 2020 11:57 pm

What ports does RouterOS use for DoH?

Strictly TCP 443 only?

Seems in some cases port 53, 853 is used: https://en.wikipedia.org/wiki/DNS_over_ ... _scenarios
I think you misunderstand the concept. In your LAN, the clients query your edge router as DNS resolver, unencrypted via port 53.
The outgoing DNS query from your router to the public DoH DNS server is encrypted and sent via port 443.
The public DoH DNS server resolves the query itself unencrypted via port 53 (or via TLS over port 853).

This means DoH is no real end-to-end encryption, but it is a security benefit overall.
So yes, the DoH part uses strictly port 443.
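To make the answer above concrete: what leaves the router on TCP 443 is an ordinary DNS wire-format message wrapped in an HTTPS request (RFC 8484), which the DoH resolver then answers from cache or by normal recursion. The Python below is an added example, not RouterOS code or anything posted in this thread; it builds the GET and POST forms of such a request and parses a response, entirely offline. `example.com` and the address 192.0.2.1 are constructed placeholders.

```python
"""Minimal RFC 8484 (DNS over HTTPS) message helpers, runnable offline.

Added example, not RouterOS code. It shows what the HTTPS/443 connection
actually carries: a plain DNS wire-format message, base64url-encoded in the
'dns' query parameter for GET, or sent raw as application/dns-message for POST.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query. RFC 8484 4.1 recommends ID 0 so HTTP caches can hit."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_path(name: str, qtype: int = QTYPE_A, path: str = "/dns-query") -> str:
    """GET form: base64url without '=' padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{path}?dns={b64.decode('ascii')}"


def doh_post(name: str, qtype: int = QTYPE_A):
    """POST form: (headers, body) as a DoH client sends them over TLS on 443."""
    body = build_query(name, qtype)
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message",
               "Content-Length": str(len(body))}
    return headers, body


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):  # bound the walk so a pointer loop cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or compression pointer loop")


def parse_response(msg: bytes):
    """Return (owner, ttl, dotted IPv4) for each A record in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _name, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return answers


# Constructed sample response (not captured from any real resolver): flags
# 0x8180 = response, RD, RA, NOERROR; the question echoed; one A record whose
# owner is a compression pointer to offset 12, TTL 300, rdata 192.0.2.1.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print("GET ", doh_get_path("example.com"))
    print("POST", doh_post("example.com")[0])
    print("answers:", parse_response(SAMPLE_RESPONSE))
```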
 
arrazib
just joined
Posts: 2
Joined: Mon Jun 22, 2020 11:50 pm

Re: DNS over HTTPS

Thu Jul 30, 2020 9:23 pm

Dear Concern,
I have successfully configured the system. It is showing me "Verify that DoH is enabled and working". When I am torching the WAN interface it is not showing me 1.1.1.1:443(http) but rather 1.1.1.1:53(dns). I don't know why it is happening. Is it a config error? Please let me know what to do if I want to solve the issue.
 
arrazib
just joined
Posts: 2
Joined: Mon Jun 22, 2020 11:50 pm

Re: DNS over HTTPS

Fri Jul 31, 2020 12:02 pm

I have successfully configured the system. It is showing me "Verify that DoH is enabled and working". When I am torching the WAN interface it is not showing me 1.1.1.1:443(http) but rather 1.1.1.1:53(dns). I don't know why it is happening. Is it a config error? Please let me know what to do if I want to solve the issue.
 
vishvas
just joined
Posts: 3
Joined: Thu Oct 28, 2010 2:29 pm

Re: DNS over HTTPS

Tue Aug 11, 2020 7:54 pm

Dear all,
has anybody tested IPv6 DNS over HTTPS?
 
DarkNate
Member Candidate
Posts: 203
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Sun Aug 16, 2020 3:04 pm

@normis

ROS keeps trying to use WAN1 for DoH even though WAN1 is down/disabled and WAN2 is active and reachable. Normal DNS works fine, only DoH keeps trying WAN1 even if the interface itself is manually disabled.

Steps to reproduce the bug
1. ISP 1 with Route distance 1
2. ISP 2 with Route distance 2
3. Disable ISP 1 or turn off the uplink device to simulate an unreachable state
4. Check the log and you'll see DoH refuses to use ISP 2 no matter what

 
DarkNate
Member Candidate
Posts: 203
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Sun Aug 16, 2020 3:05 pm

Dear All
has anybody tested IPV6 DNS over HTTPS?
It seems to be working already as per the connection tracking in the firewall on IPv6, I can see DoH traffic to Cloudflare initiated by the client devices using advertised DNS from RouterOS.
 
fsgrbv
just joined
Posts: 2
Joined: Wed Nov 14, 2018 11:47 am

Re: DNS over HTTPS

Sun Aug 16, 2020 9:56 pm

Dear All
has anybody tested IPV6 DNS over HTTPS?

Yes. I've tested with:
/ip dns set use-doh-server=https://dns64.cloudflare-dns.com/dns-query verify-doh-cert=yes
Unfortunately, it does not work.


Even though ipv6 works OK.
[admin@MikroTik] > put [resolve dns64.cloudflare-dns.com]
2606:4700:4700::64
[admin@MikroTik] > ping 2606:4700:4700::64      
  SEQ HOST                                     SIZE TTL TIME  STATUS                                         
    0 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    1 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    2 2606:4700:4700::64                         56  61 23ms  echo reply                                     
    sent=3 received=3 packet-loss=0% min-rtt=23ms avg-rtt=23ms max-rtt=24ms 

IPv4 DoH (
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
) works OK too.
 
DarkNate
Member Candidate
Posts: 203
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Mon Aug 17, 2020 10:56 pm

Dear All
has anybody tested IPV6 DNS over HTTPS?

Yes. I've tested with:
/ip dns set use-doh-server=https://dns64.cloudflare-dns.com/dns-query verify-doh-cert=yes
Unfortunately, It does not work.


Even though ipv6 works OK.
[admin@MikroTik] > put [resolve dns64.cloudflare-dns.com]
2606:4700:4700::64
[admin@MikroTik] > ping 2606:4700:4700::64      
  SEQ HOST                                     SIZE TTL TIME  STATUS                                         
    0 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    1 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    2 2606:4700:4700::64                         56  61 23ms  echo reply                                     
    sent=3 received=3 packet-loss=0% min-rtt=23ms avg-rtt=23ms max-rtt=24ms 

IPv4 DoH (
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
) works OK too.
dns64.cloudflare-dns.com is for NAT64 networks. In most cases ISPs give native IPv6 with CGNATted IPv4 or public IPv4.

https://cloudflare-dns.com/dns-query would be the correct one to use, it works for both IPv4 and native IPv6.
 
Tubeorange667
just joined
Posts: 11
Joined: Sat Jul 11, 2020 3:47 pm
Location: Kochi, Kerala

Re: DNS over HTTPS

Tue Aug 18, 2020 10:13 am

I got everything working with nextdns. Here is what I did.
Make sure you change <id> to your config id: for example, if your id is "99b212" you can use /ip dns set use-doh-server=https://dns.nextdns.io/99b212 verify-doh-cert=yes
If you want to display the device name, just append it after a "/" like this: /ip dns set use-doh-server=https://dns.nextdns.io/99b212/mikrotik


/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set servers=
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
/ip dns set use-doh-server="https://dns.nextdns.io/<id>" verify-doh-cert=yes
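The static entries in the configuration above exist because of a bootstrap dependency: with servers= emptied, the router can only reach the DoH endpoint if it already knows the address of the DoH host name. The following is an added example (not the post's or MikroTik's code) that parses the small subset of /ip dns syntax used in this thread and reports when a configuration cannot bootstrap, when the URL is not https, or when certificate verification is off. SAMPLE_CONFIG is a constructed copy of the layout above with <id> left as a placeholder, not a real NextDNS id.

```python
"""Check whether a RouterOS DoH configuration can bootstrap without recursive DNS.

Added example, not the post's or MikroTik's code. It parses only the small
subset of '/ip dns' command syntax used in this thread; SAMPLE_CONFIG is a
constructed copy of that layout with <id> left as a placeholder (not a real
NextDNS configuration id).
"""
import ipaddress
import re
from urllib.parse import urlparse

SAMPLE_CONFIG = """
/ip dns set servers=
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
/ip dns set use-doh-server=https://dns.nextdns.io/<id> verify-doh-cert=yes
"""

# key=value pairs; values may be double-quoted or bare (possibly empty, as in servers=)
KV_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S*)')


def parse_kv(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_config(text):
    """Return (dns_settings, static_records); later 'set' lines override earlier ones."""
    settings, static = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/ip dns static add"):
            static.append(parse_kv(line))
        elif line.startswith("/ip dns set"):
            settings.update(parse_kv(line))
    return settings, static


def check_bootstrap(text):
    """Return a list of findings; an empty list means the DoH setup can stand on its own."""
    settings, static = parse_config(text)
    findings = []
    url = settings.get("use-doh-server", "")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("use-doh-server is not an https:// URL")
    if settings.get("verify-doh-cert") != "yes":
        findings.append("verify-doh-cert is not 'yes': the DoH server's identity would not be checked")
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)
        # An IP literal needs no lookup; certificate verification then relies on
        # the server certificate carrying that IP as a subjectAltName.
        return findings
    except ValueError:
        pass
    addrs = []
    for rec in static:
        if rec.get("name") == host and rec.get("type", "A") in ("A", "AAAA"):
            try:
                addrs.append(ipaddress.ip_address(rec["address"]))
            except (KeyError, ValueError):
                findings.append(f"static record for {host} has an unusable address: {rec.get('address')}")
    if not addrs and not settings.get("servers"):
        findings.append(f"no static A/AAAA record for {host} and no plain DNS servers: "
                        "the router cannot resolve the DoH host, so DoH cannot bootstrap")
    return findings


if __name__ == "__main__":
    print(check_bootstrap(SAMPLE_CONFIG) or "OK: DoH host resolvable via static records")
```

Run it against an export of your own /ip dns section; a setup that points use-doh-server at a host name and has neither static records for it nor plain servers is the classic cause of a DoH endpoint that is never reached.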
 
Pea
Member Candidate
Posts: 228
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS over HTTPS

Tue Aug 18, 2020 10:38 am

Why do you import all 138 CA certificates? Isn't it better to import only the one needed?
 
Tubeorange667
just joined
Posts: 11
Joined: Sat Jul 11, 2020 3:47 pm
Location: Kochi, Kerala

Re: DNS over HTTPS

Tue Aug 18, 2020 11:00 am

Why do you import all 138 CA certificates? Isn't it better to import only the one needed?
I did not find anything specific in the certificate list which points to "nextdns", so I imported all. How can I find the one which is used by nextdns?
 
Pea
Member Candidate
Posts: 228
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS over HTTPS

Tue Aug 18, 2020 11:04 am

Just try with this one:
[attached certificate file not available]
 
Tubeorange667
just joined
Posts: 11
Joined: Sat Jul 11, 2020 3:47 pm
Location: Kochi, Kerala

Re: DNS over HTTPS

Tue Aug 18, 2020 12:07 pm

I am not finding anything like that in the certificates list. I tried to remove everything except the name 'digicert', but that's not working. It does not start with this name; it's something else.
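To follow Pea's suggestion (import only the CA that is actually needed rather than the whole bundle), you first need to know which root signs the DoH server's chain and then pull just that certificate out of the bundle. The following is an added example, not from the thread or from MikroTik: it uses only the Python standard library, with a minimal DER walker that reads each certificate's subject CN, so it runs without an openssl binary. A real bundle such as cacert.pem is parsed the same way; the two entries in SAMPLE_BUNDLE are constructed below with the correct X.509 layout but no real key or signature, purely to exercise the parser, and the names "Demo Root A"/"Demo Root B" are made up.

```python
"""Keep a single CA from a PEM bundle by subject CN instead of importing all of it.

Added example, not from the thread or from MikroTik. It needs only the
standard library: a minimal DER walker reads each certificate's subject, so
no openssl binary is required. The two entries in SAMPLE_BUNDLE are
constructed below with the right X.509 layout but no real key or signature;
they exist only to exercise the parser.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3), DER-encoded


def der_read(buf, off=0):
    """Read one DER TLV at off; return (tag, value, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    off = 0
    while off < len(value):
        tag, inner, off = der_read(value, off)
        yield tag, inner


def subject_cn(der):
    """Return the commonName from the subject of a DER certificate, or None."""
    _, cert, _ = der_read(der)             # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)             # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs))
    if fields and fields[0][0] == 0xA0:    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, ...
    _, subject = fields[4]
    for _, rdn_set in der_children(subject):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, text) = list(der_children(atv))
            if oid == OID_CN:
                return text.decode("utf-8", "replace")
    return None


def split_bundle(pem_text):
    """Yield (cn, pem_block) for each certificate in a PEM bundle."""
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode(m.group(1))   # non-alphabet chars (newlines) are dropped
        yield subject_cn(der), m.group(0)


def select_ca(pem_text, needle):
    """Return PEM text holding only the certificates whose CN contains needle."""
    return "\n".join(block for cn, block in split_bundle(pem_text) if cn and needle in cn)


# --- constructed test data (not real certificates) -------------------------
def der(tag, body):
    """DER-encode a TLV using the short or long length form."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(cn):
    """Structurally valid, unsigned X.509 shell with the given CN (test data only)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + name + validity + name + spki)
    cert = der(0x30, tbs + alg + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = "# constructed two-root bundle\n" + fake_cert("Demo Root A") + fake_cert("Demo Root B")

if __name__ == "__main__":
    print(select_ca(SAMPLE_BUNDLE, "Demo Root B"))
```

To find the CN to pass in, look at the chain the DoH host presents (for example with openssl s_client -connect HOST:443 -servername HOST -showcerts) and take the issuer of the top-most certificate in it; write the selected block to a file and import only that file with /certificate import. Fewer trusted roots on the router means fewer parties that could issue a certificate the router would accept for its DoH server.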
 
nrgch
just joined
Posts: 1
Joined: Mon Sep 21, 2020 9:14 pm

Re: DNS over HTTPS

Mon Sep 21, 2020 9:53 pm

Is it possible that I'm getting "DoH server connection error: Idle timeout - waiting data" because I'm using two different ISPs at the same time on one PC with two ethernet adapters and two different routers, and they don't know anything about each other?
The 2nd router is not a MikroTik and it's not logging any problems about DoH.
Other than that log message I'm not having any problems with internet connectivity, whether it is either router separately or both at the same time. Both are configured properly for using DoH.
I'm just curious about that log message, nothing more. Everything's working just fine.
Thanks.
 
IYARINDRA
just joined
Posts: 16
Joined: Fri Apr 07, 2017 6:13 pm

Re: DNS over HTTPS

Mon Oct 12, 2020 11:20 am

Any guide for Google DoH settings ?
### Google DoH
/ip dns set servers=8.8.8.8,8.8.4.4
/system ntp client set enabled=yes primary-ntp=time.google.com
/tool fetch url=https://pki.goog/roots.pem
/certificate import file-name=roots.pem passphrase=""
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns set allow-remote-requests=yes cache-max-ttl=1d use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip dns set servers=""

### Script for certificates update
/system script add dont-require-permissions=no name=Certificate_Google policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/tool fetch url=https://pki.goog/roots.pem\r\n/certificate import file-name=roots.pem passphrase=\"\""

### Script for DNS cache flush
/system script add dont-require-permissions=no name=DNS_Flush_Cache policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip dns cache flush"

### Schedule to update google certificate once a week
/system scheduler add comment="Google Certificate Update" interval=1w name=Certificate_Google_Update on-event=Certificate_Google policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/06/2019 start-time=05:20:00

### Schedule to flush dns cache everyday
/system scheduler add comment="DoH Cache Flush" interval=1d name="DNS Cache Flush" on-event=DNS_Flush_Cache policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/06/2019 start-time=05:30:00
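Once the configuration above is in place, what the router actually sends to https://dns.google/dns-query is an ordinary DNS message carried over HTTPS as described in RFC 8484. The following added example (not from the thread, from Google or from MikroTik) builds that wire-format query with the standard library, encodes it into the GET form of a DoH request, and decodes a response, including a name-compression pointer. SAMPLE_RESPONSE is constructed by hand (an answer of dns.google A 8.8.8.8 with TTL 300), not captured from a server.

```python
"""Encode an RFC 8484 DoH GET request and decode a DoH response, stdlib only.

Added example (not from the thread or from Google/MikroTik): it shows the
bytes a DoH client such as RouterOS puts on the wire for a query to
dns.google and parses a response. SAMPLE_RESPONSE is constructed by hand
(an answer of dns.google A 8.8.8.8, TTL 300), not captured from a server.
"""
import base64
import ipaddress
import struct

TYPE_A, TYPE_AAAA = 1, 28


def build_query(name, qtype=TYPE_A):
    """DNS wire-format query: 12-byte header + one question, no EDNS.
    ID is 0 as RFC 8484 recommends, so identical queries are cacheable by HTTP."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(base_url, query):
    """GET form: ?dns=<base64url, unpadded>. Clients also send
    'Accept: application/dns-message'; the POST form sends the raw bytes instead."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    sep = "&" if "?" in base_url else "?"
    return f"{base_url}{sep}dns={b64}"


def decode_dns_param(url):
    """Recover the wire-format query from a DoH GET URL (re-adds base64 padding)."""
    param = url.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return {'rcode': int, 'answers': [(name, type, ttl, rdata)]}; A/AAAA rdata as text."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                       # skip the question section
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            rdata = str(ipaddress.IPv6Address(rdata))
        answers.append((name, rtype, ttl, rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


# Constructed response: id 0, flags QR|RD|RA, one question, one answer whose
# name is a compression pointer back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x03dns\x06google\x00" + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([8, 8, 8, 8])
)

if __name__ == "__main__":
    q = build_query("dns.google")
    print(doh_get_url("https://dns.google/dns-query", q))
    print(parse_response(SAMPLE_RESPONSE))
```

The point for the router setup above: the DoH host name in use-doh-server is resolved by the router itself, so it must be answerable from the static entries (or a plain server) before any of these HTTPS requests can leave; after that, the DNS payload is identical to what would be sent over UDP port 53, only wrapped in TLS and HTTP.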
 
DarkNate
Member Candidate
Posts: 203
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Mon Oct 12, 2020 4:32 pm

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.

DoH on ROS was and still is broken.
 
hendra
newbie
Posts: 33
Joined: Wed Nov 22, 2017 2:21 am

Re: DNS over HTTPS

Sun Oct 18, 2020 10:36 am

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.

DoH on ROS was and still is broken.
Can you tell me the steps to do this?
 
DarkNate
Member Candidate
Posts: 203
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Sun Oct 18, 2020 12:45 pm

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.

DoH on ROS was and still is broken.
Can you tell me the steps to do this?
https://docs.pi-hole.net/main/prerequisites/

https://docs.pi-hole.net/guides/dns-over-https/
 
anav
Forum Guru
Posts: 5766
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Sun Oct 18, 2020 5:34 pm

Hi Darknate,
I am interested in how you added the pi-hole to the MT Router for this functionality.
Is it on its own subnet, for example?
How do you point users to pi-hole?
How do you point pi-hole to the external servers you wish to use?
What firewall rules are germane to the setup for the pihole and users?
What DNS rules are germane to the setup for the pihole and users?

In other words, configuring the pi-hole may be the easy part.
I tried using pi-hole once, and the family got upset real fast when it worked in broken fashion or not at all, and I couldn't afford to play at it any longer.
So I'm looking for the config snippets for all pi-hole related entries, and a schematic to show the concept of how it fits into the network.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
DarkNate
Member Candidate
Posts: 203
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Sun Oct 18, 2020 10:05 pm

Hi Darknate,
I am interested in how you added the pi-hole to the MT Router for this functionality.
Is it on its own subnet, for example?
How do you point users to pi-hole?
How do you point pi-hole to the external servers you wish to use?
What firewall rules are germane to the setup for the pihole and users?
What DNS rules are germane to the setup for the pihole and users?

In other words, configuring the pi-hole may be the easy part.
I tried using pi-hole once, and the family got upset real fast when it worked in broken fashion or not at all, and I couldn't afford to play at it any longer.
So I'm looking for the config snippets for all pi-hole related entries, and a schematic to show the concept of how it fits into the network.
I give the Pi a static IP via IP>DHCP>Leases.
Inside IP>DHCP>Networks, simply insert said static IP into the DNS field for that particular DHCP server/network. Clients will automatically grab it.

You don't need to manually IPv6 Link-local. LAN devices will send and receive AAAA just fine over the IPv4 local subnet via Pi-Hole. As long as the Pi-Hole has proper IPv6 config straight from SLAAC/RADVD from the Tik and can reach external IPv6 servers.
The end.

The rest is in the official Pi-Hole config. As stated, I use cloudflared binary+Pi-Hole which I already linked above.
 
anav
Forum Guru
Posts: 5766
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Mon Oct 19, 2020 1:13 am

So if I put the pi-hole on its own VLAN
and give it a fixed IP,
I then put that IP address in each of my VLAN dhcp-server-network entries?
Do I need firewall rules to allow the pi-hole anything specific on the input chain?
Do I need firewall rules to allow users from all other VLANs to the pi-hole VLAN in the forward chain?
If pi-hole isn't working, then how will the user get service (simply put in a second DNS entry there of 1.1.1.1, for example), assuming order is important and works?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
DarkNate
Member Candidate
Posts: 203
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Mon Oct 19, 2020 1:51 am

So if I put the pi-hole on its own VLAN
and give it a fixed IP,
I then put that IP address in each of my VLAN dhcp-server-network entries?
Do I need firewall rules to allow the pi-hole anything specific on the input chain?
Do I need firewall rules to allow users from all other VLANs to the pi-hole VLAN in the forward chain?
If pi-hole isn't working, then how will the user get service (simply put in a second DNS entry there of 1.1.1.1, for example), assuming order is important and works?
I haven't used VLANs, can't help you there.
Default firewall rules are enough for bridge config. The order makes no difference from my testing, not on MikroTik at least in regards to DNS IPs inside the DHCP server. The point is to ensure Pi-Hole is stable for 24/7 use.
 
maxslug
just joined
Posts: 21
Joined: Sun Aug 30, 2020 7:07 am

Re: DNS over HTTPS

Sun Nov 15, 2020 11:31 pm

Thanks IYARINDRA, I switched over to Google's DOH server and used your scripts.
 
patrickmkt
Member Candidate
Posts: 174
Joined: Sat Jul 28, 2012 5:21 pm

Re: DNS over HTTPS

Wed Nov 18, 2020 9:36 pm

Has someone figured out how to get proper CRL download while using DoH?

I am still having the "DoH sever connection error: SSL: handshake failed: unable to get certificate CRL"
 
storrgie
just joined
Posts: 5
Joined: Mon Aug 10, 2020 12:34 am

Re: DNS over HTTPS

Fri Dec 04, 2020 2:29 am

Follow these steps exactly:

./ip dns set servers=1.1.1.1,1.0.0.1
./system ntp client set enabled=yes server-dns-names=time.cloudflare.com
./tool fetch url=https://curl.haxx.se/ca/cacert.pem
./certificate import file-name=cacert.pem passphrase=""
./ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
./ip dns set servers=""
Are you aware of a way to do this that doesn't import over 100 certificates?

Sorry, rephrase, I don't think that in 7b1,7b2,7b3 that this has worked. With all of these certificates, verification won't work.
 
Sob
Forum Guru
Posts: 6303
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Fri Dec 04, 2020 2:53 am

Are you aware of a way to do this that doesn't import over 100 certificates?
This one is enough: https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem

Edit: It doesn't work for me with v7 either (v6 works fine).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
storrgie
just joined
Posts: 5
Joined: Mon Aug 10, 2020 12:34 am

Re: DNS over HTTPS

Fri Dec 04, 2020 4:10 pm

Edit: It doesn't work for me with v7 either (v6 works fine).
Right, wanted Normis to see this.
