souravmaiti
just joined
Topic Author
Posts: 3
Joined: Wed Apr 22, 2020 9:06 am

DNS over HTTPS

Wed Apr 22, 2020 9:10 am

MikroTik 6.47 has introduced the long awaited DoH.
But when I put in any DoH server (for example https://cloudflare-dns.com/dns-query ) it gives the error
DoH Connection Error, Idle Timeout.

Any clue ?
 
normis
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Apr 22, 2020 9:25 am

Follow these steps exactly:

# plain DNS first, so the router can resolve the NTP server and fetch the CA bundle
/ip dns set servers=1.1.1.1,1.0.0.1
# correct time is needed for the certificate validity check
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
# switch to DoH with certificate verification, then drop the plain servers
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
 
souravmaiti
just joined
Topic Author
Posts: 3
Joined: Wed Apr 22, 2020 9:06 am

Re: DNS over HTTPS

Wed Apr 22, 2020 11:21 am

Any guide for Google DoH settings ?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Wed Apr 22, 2020 11:24 am

For Google you still need a first resolve through a normal DNS or it will not know how to reach the DoH of Google. Cloudflare used a trick by putting 1.1.1.1 as an alternative name in their certificate.
Last edited by msatter on Wed Apr 22, 2020 11:26 am, edited 1 time in total.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 11:26 am

Do the same, but with different url: https://8.8.8.8/dns-query
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 11:32 am

Uh, google does a redirect there... So use this:
/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
 
normis
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Apr 22, 2020 11:45 am

He should either turn off the certificate check, or find Google's certificates.
Also it's not correct to use a DNS name in the DNS server address.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 11:57 am

The file you linked includes the certificates required for google services, no?
So my commands were intended on top of yours.

I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address?
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Wed Apr 22, 2020 12:20 pm

I just added this to Use DoH Server:
https://1.1.1.1/dns-query
I think it's better to use IP only, so you do not need an extra DNS server just to resolve the DoH server.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 1:21 pm

Yes, that's true in general and for Cloudflare. But Google does not allow using https://8.8.8.8/dns-query directly. It sends a redirect in the HTTP header to https://dns.google/dns-query.

Well, checking again... It does send a redirect, but the dns response is contained as well...
% curl -I 'https://8.8.8.8/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'
HTTP/2 301 
location: https://dns.google/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
date: Wed, 22 Apr 2020 08:29:24 GMT
expires: Thu, 23 Apr 2020 08:29:24 GMT
server: sffe
content-length: 269
x-xss-protection: 0
cache-control: public, max-age=86400
age: 6656
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
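
The `dns=` value in the curl command above is not an opaque token: it is the wire-format DNS query for example.com/A, base64url-encoded without padding as RFC 8484 prescribes for the GET form (which is why Google can answer it with cache-control and age headers like any other cacheable URL). The Python below is an added example for this thread, not code from eworm's post or from RouterOS: it builds that query, shows it encodes to exactly the string in the curl command, decodes it back, and parses a DoH answer. The answer bytes are constructed here, not captured from any resolver.

```python
"""RFC 8484 `dns=` parameter: build a wire-format DNS query, base64url-encode
it the way a DoH client must (no '=' padding), and parse a DoH answer.
Added example for this thread; not code from eworm's post or from RouterOS."""
import base64
import struct

QTYPE_A = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Header with only RD set and one IN-class question. RFC 8484 recommends
    txid 0 so that identical queries produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def encode_dns_param(message: bytes) -> str:
    """base64url without padding, as the dns= query parameter requires."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")


def decode_dns_param(param: str) -> bytes:
    """Server side: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(message: bytes, offset: int):
    """Read a (possibly compressed) domain name; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = message[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", message[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_message(message: bytes) -> dict:
    """Minimal parser: questions plus answers (A rdata rendered dotted-quad)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(message, offset)
        qtype, qclass = struct.unpack("!HH", message[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, offset = read_name(message, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata = message[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


# Constructed sample answer (not captured from any resolver): QR+RD+RA, rcode 0,
# the question echoed back and one A record whose owner name is a pointer to it.
SAMPLE_ANSWER = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    param = encode_dns_param(build_query("example.com"))
    print("GET https://dns.google/dns-query?dns=" + param)
    print(parse_message(SAMPLE_ANSWER))
```

Running it prints the same `dns=` value eworm fetched. The point for a router operator: the DoH server sees a full DNS message, so everything that applies to plain DNS (rcode, TTL, compression pointers) still applies; HTTPS only wraps it.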
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Wed Apr 22, 2020 1:57 pm

> Uh, google does a redirect there... So use this:
> /ip dns static add address=8.8.8.8 name=dns.google
> /ip dns static add address=8.8.4.4 name=dns.google
> /ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes

Maybe this can be combined into a bootstrap IP. Also adding the direct IP in the DoH setting, used only (once) to bootstrap the DoH. No need for static entries then.

That leaves the problem of the certificate not being retrieved on its own.
 
sohel07
just joined
Posts: 20
Joined: Sun Oct 20, 2019 11:26 pm

Re: DNS over HTTPS

Sat May 23, 2020 7:09 pm

> Follow these steps exactly:
>
> /ip dns set servers=1.1.1.1,1.0.0.1
> /system ntp client set enabled=yes server-dns-names=time.cloudflare.com
> /tool fetch url=https://curl.haxx.se/ca/cacert.pem
> /certificate import file-name=cacert.pem passphrase=""
> /ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
> /ip dns set servers=""

But I am unable to access the internet until I set a DNS.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Sat May 23, 2020 7:22 pm

Okay after some reading my questions boil down to
Q. Advantage of MT router implementation over simply using firefox?
- it covers any browser being used?

Why not make Doh, part of the default setup for routers coming from the factory??

Right now for dynamic servers I have listed in order 1.1.1.1, 1.0.0.1, 9.9.9.9
Do I have to remove the third entry 9.9.9.9 (will it eff up the plan)?

There is no such entry as /IP system NTP client.
(System is a separate entry and what it has is an SNTP client which I use to provide time.).

Okay so maybe I am missing an NTP package? Do I need it or can I use the SNTP module??

Okay So I loaded the NTP package. Do I keep the current sntp setup (designed for time only) assuming this NTP setup is for DoH??
Last edited by anav on Sat May 23, 2020 8:35 pm, edited 1 time in total.
 
vortex
Forum Guru
Posts: 1092
Joined: Sat Feb 16, 2013 6:10 pm

Re: DNS over HTTPS

Sat May 23, 2020 8:09 pm

How could it be the default if you don't know which service you can trust?
 
dave864
Frequent Visitor
Posts: 75
Joined: Fri Mar 11, 2016 2:37 pm

Re: DNS over HTTPS

Sun May 24, 2020 5:11 pm

This is great news.
Does anyone know the url to fetch the google cert?
 
foolbaby
just joined
Posts: 18
Joined: Sun Feb 07, 2010 5:02 pm

Re: DNS over HTTPS

Tue May 26, 2020 2:04 pm

> Follow these steps exactly:
>
> /ip dns set servers=1.1.1.1,1.0.0.1
> /system ntp client set enabled=yes server-dns-names=time.cloudflare.com
> /tool fetch url=https://curl.haxx.se/ca/cacert.pem
> /certificate import file-name=cacert.pem passphrase=""
> /ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
> /ip dns set servers=""

Thanks, it works but sometimes it gives errors:
15:28:41 dns,error DoH server connection error: remote disconnected while in HTTP exchange
15:29:37 dns,error DoH server connection error: SSL: std failure: timeout (13)
15:29:42 dns,error DoH server connection error: SSL: handshake timed out (6)
15:29:42 dns,error DoH server connection error: SSL: internal error (6)
15:29:42 dns,error DoH server connection error: Idle timeout - connecting
17:52:53 dns,error DoH server connection error: Idle timeout - waiting data

i hope DoH gets better in the next release
 
normis
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Tue May 26, 2020 2:47 pm

can you ping the DoH server?
 
foolbaby
just joined
Posts: 18
Joined: Sun Feb 07, 2010 5:02 pm

Re: DNS over HTTPS

Tue May 26, 2020 2:50 pm

> can you ping the DoH server?

Yes, it can ping.
But it happens sometimes. It's just a new setup, still monitoring.
 
TheDoctor
just joined
Posts: 13
Joined: Wed Dec 18, 2019 10:52 am

Re: DNS over HTTPS

Tue May 26, 2020 7:28 pm

/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

expected end of command (line 1 column 12)

is there any solution, please, for 6.46.6 ?
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Tue May 26, 2020 8:06 pm

This is not supported in 6.46.6. You have to use 6.47 for that feature.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Tue May 26, 2020 8:48 pm

And 6.47 is still in testing :)
 
foolbaby
just joined
Posts: 18
Joined: Sun Feb 07, 2010 5:02 pm

Re: DNS over HTTPS

Tue May 26, 2020 9:11 pm

> can you ping the DoH server?

Maybe this is the problem.
Or maybe my router is too old :D lol
The CPU goes down when I disable the NAT for transparent DNS.
And what is the meaning of this warning log?
may/27 01:04:34 dns,warning DoH max concurrent queries reached, ignoring query
 
TheDoctor
just joined
Posts: 13
Joined: Wed Dec 18, 2019 10:52 am

Re: DNS over HTTPS

Tue May 26, 2020 9:52 pm

> And 6.47 is still in testing :)

Is it possible to talk about release dates for 6.47, or is it extremely premature?
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Tue May 26, 2020 10:00 pm

6.47 RC was just released over here: viewtopic.php?f=21&t=161583
 
shunkica
newbie
Posts: 48
Joined: Sat Mar 03, 2018 2:19 pm

Re: DNS over HTTPS

Sun Jun 07, 2020 10:02 am

How can I use multiple DoH servers in case first one is unreachable?
Why does it not fall back to DNS servers if the DoH server is unreachable?
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Sun Jun 07, 2020 5:18 pm

We did have a discussion about that over here: viewtopic.php?p=798678#p798678

I have added a second DoH server. Did not find out how/where to get the certificate for it, so it will use Cloudflare with certificate and Google without.

:local result yes
# probe the primary DoH server with a dns-json query; any fetch error marks it down
:do {/tool fetch url="https://1.1.1.1/dns-query\?name=mikrotik.ca%26type=A" output=file dst-path=result \
    http-header-field=accept:application/dns-json} on-error={:set result no}
:if $result do={
  # primary reachable: Cloudflare by IP, with certificate verification
  /ip dns set servers="" use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
} else={
  # fallback: Google needs its hostname in the URL, so a plain server is kept to resolve dns.google
  /ip dns set allow-remote-requests=yes servers=8.8.8.8 use-doh-server=https://dns.google/dns-query verify-doh-cert=no
}

PS Google needs to use a DNS name in the URL to work, so 8.8.8.8 is added. It will not be used for other clients.
MikroTik should add a possibility for multiple DoH servers and/or fallback to old/normal DNS requests.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS over HTTPS

Sun Jun 07, 2020 5:42 pm

> PS Google needs to use a DNS name in the URL to work, so 8.8.8.8 is added. It will not be used for other clients.
I am afraid of frying my router's flash, so I don't run 6.47 yet; do static entries have precedence over DoH? If yes, I'd rather use

/ip dns static
add name=dns.google address=8.8.8.8
add name=dns.google address=8.8.4.4


than

/ip dns set servers=8.8.8.8,8.8.4.4
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sun Jun 07, 2020 6:47 pm

No, except for FWD.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Sun Jun 07, 2020 8:02 pm

I think you meant "Yes, except for FWD". Static entries are still preferred with DoH, except FWDs, those are currently ignored. There are also other differences but they don't affect @sindy's use case.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Sun Jun 07, 2020 8:09 pm

> do static entries have precedence over DoH? If yes, I'd rather use

I can confirm that it is. And agree that a static entry is a better solution.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sun Jun 07, 2020 10:02 pm

> I think you meant "Yes, except for FWD". Static entries are still preferred with DoH, except FWDs, those are currently ignored. There are also other differences but they don't affect @sindy's use case.

I had this posting in my memory: viewtopic.php?f=21&t=161583#p795962
And somewhere I picked up that FWD was an exception.

But then I won't touch DoH again, even with a long poke. ;-) It is just a dream come true for the big firms collecting information; people just don't (want to) see that.

You can argue that you are free to choose more privacy-aware DNS servers, but 99% will use Google and Cloudflare in the end....sounds of popping champagne bottles in the background.

That is why I am not happy with MikroTik implementing it after being pressured to do that by many posts here asking for it. :?

Use unbound or Knot resolver through a VPN tunnel. DoH gives you a false security.

This does not mean DoH has no place. It has a place in countries that don't allow unchanged DNS usage and VPN. DNS is even sabotaged by returning the wrong root server IP addresses, as Sky UK did or is still doing. Breaking resolving by yourself.

Sadly there are too many people that are not aware of how we are watched all the time. It is a step back instead of a step forward in privacy.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Sun Jun 07, 2020 10:19 pm

> You can argue that you are free to choose more privacy-aware DNS servers, but 99% will use Google and Cloudflare in the end....sounds of popping champagne bottles in the background.

I was in Turkey last year, and there Wikipedia was blocked using a DNS block. A DoH agent on my PC solved this fine. Also I do not like that my ISP or government can spy on my traffic.

Running DoH on MikroTik since the first beta, and I have nothing negative to say about it. It resolves all my requests :)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sun Jun 07, 2020 11:10 pm

> You can argue that you are free to choose more privacy-aware DNS servers, but 99% will use Google and Cloudflare in the end....sounds of popping champagne bottles in the background.
> I was in Turkey last year, and there Wikipedia was blocked using a DNS block. A DoH agent on my PC solved this fine. Also I do not like that my ISP or government can spy on my traffic.
>
> Running DoH on MikroTik since the first beta, and I have nothing negative to say about it. It resolves all my requests :)

And I said in my posting that DoH has a right to exist, but not for daily/constant usage. If you live in Turkey or China or any other totalitarian country then you have my blessing.

It's like saying McDonald's is healthy because you order a salad with your burger and sugary drink.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Sun Jun 07, 2020 11:35 pm

It's a tool like any other. A hammer can be used to hit a nail or someone's head, it's everyone's choice, but you don't blame the hammer. Same with DoH, you can use different public servers or run your own. If you're afraid of Google and friends, you probably shouldn't use their servers.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Sun Jun 07, 2020 11:37 pm

> It's like saying McDonald's is healthy because you order a salad with your burger and sugary drink.

And if you connect to the "free" WiFi in McDonald's, then they can spy on all your DNS requests to see what the clients surf on when they are there. A VPN is a better solution, but it just shows that anyone can spy on you.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Sun Jun 07, 2020 11:57 pm

I am getting hungry!

PS, I will implement DoH in honour of Homer Simpson, and if Jotne can convince me that there is no loss in performance and my internet traffic is better concealed from the scammers of commercialism and the dictatorships of secret police, be they Chinese, Russian, American or North Korean LOL.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Mon Jun 08, 2020 12:05 am

Best is to remove the internet completely, then you are a lot more secure. :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Mon Jun 08, 2020 12:29 am

> Best is to remove the internet completely, then you are a lot more secure. :)

Not true, just Facebook, Instagram, Snapchat, Twitter and TikTok.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 08, 2020 12:56 am

> It's a tool like any other. A hammer can be used to hit a nail or someone's head, it's everyone's choice, but you don't blame the hammer. Same with DoH, you can use different public servers or run your own. If you're afraid of Google and friends, you probably shouldn't use their servers.

The nail has the choice which side to sink in, head or wood. Tough one. With a hammer the direction to go is clear.

VPN is also a trust you have in the provider you have chosen. Running your own resolver is easy these days and you still only have to choose which taste you want.

Encrypting the connection for a tiny amount of traffic is time consuming, so reusing the already encrypted connection speeds things up if resolve requests are many.
 
BlackFate
newbie
Posts: 30
Joined: Fri Aug 10, 2012 2:22 pm

Re: DNS over HTTPS

Mon Jun 08, 2020 1:24 am

Not sure why MikroTik never implemented DoT and went for DoH. Routers are tools to implement and include in network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers :)
MikroTik should be promoting good network practices, not the latest gimmick because some overexcited teenager requested it in a forum post.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Mon Jun 08, 2020 2:24 am

Probably because it was easier?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 08, 2020 3:14 pm

I have to apologize for calling hamburgers from McDonald's unhealthy.

Eating one McDonald's hamburger yourself does not mean that all McDonald's hamburgers are unhealthy also.

Just trying to be inclusive. ;-)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Mon Jun 08, 2020 4:34 pm

Its called JUNK food for a reason. ;-)
You were right the first time.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Mon Jun 08, 2020 4:34 pm

If one is predisposed to eating at McD as a primary food source, I will help you in assisted ..............., for a lot less $$ and a lot quicker (no suffering for those last 10-20 years).
 
shunkica
newbie
Posts: 48
Joined: Sat Mar 03, 2018 2:19 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 2:35 am

> I have added a second DoH server. Did not find out how/where to get the certificate for it, so it will use Cloudflare with certificate and Google without.

What do you mean? How did you add a second DoH server?
If you mean the script you posted, that is not adding a second DoH server. It is just replacing the one DoH server :)

This contains GlobalSign Root CA - R2, among others, which is what dns.google uses: https://curl.haxx.se/ca/cacert.pem
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 8:35 am

> If you mean the script you posted, that is not adding a second DoH server. It is just replacing the one DoH server :)

It depends on the point of view. As the script monitors the responsiveness of the primary server and replaces it in the configuration with the secondary one whenever it stops responding, and puts back the primary one once it starts responding again, it can be seen as "adding a second one". Yes, it modifies configuration (so writes to flash), yes, it has to be spawned quite often to be useful (so it wastes some CPU), but it serves the purpose.

And there is a minor mistake in it which I've noticed later: there should be a plain & at the place of the %26. Minor because the server does respond (so the monitoring goal is met) but provides no Answer section with the %26 in place.

What is worse is that Cloudflare does respond whereas Google returns 400 Bad Request (even with the &).
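
Two things in the exchange above deserve a concrete check: the probe in Jotne's script only tests "did the fetch succeed", and sindy's note shows why that is too weak (with `%26` the server answers 200 but with no Answer section, and Google's `/dns-query` endpoint does not speak the JSON format at all; Google's JSON API lives at `/resolve`). The Python below is an added example for this thread, not Jotne's script or anything from RouterOS: it builds the probe URL with a real `&`, judges a dns-json response on rcode and on the presence of the requested record, and picks the first candidate that passes. The response bodies and the `fake_probe` stand-in for `/tool fetch` are constructed, not captured. One caveat it encodes on purpose: a candidate with `verify-doh-cert=no` is skipped unless explicitly allowed, because failing over to it quietly turns DoH into unauthenticated DNS over an encrypted pipe. Importing Google's root (see shunkica's note below about cacert.pem) removes the need for that flag.

```python
"""Health check and failover selection for DoH servers probed via the dns-json
API. Added example for this thread; not the forum script or RouterOS code.
All responses here are constructed stand-ins, nothing is fetched."""
import json
from urllib.parse import urlencode


def probe_url(base: str, name: str, qtype: str = "A") -> str:
    """Build the JSON-API probe URL with a literal '&' between parameters.
    Writing %26 by hand sends 'mikrotik.ca&type=A' as the name instead."""
    return f"{base}?{urlencode({'name': name, 'type': qtype})}"


def judge_response(status_code: int, body: str, name: str, qtype: int = 1):
    """Return (healthy, reason). Healthy means HTTP 200, rcode 0 and at least
    one record of the requested type for the requested name in Answer."""
    if status_code != 200:
        return False, f"HTTP {status_code}"
    try:
        msg = json.loads(body)
    except ValueError:
        return False, "body is not dns-json"
    if msg.get("Status") != 0:
        return False, f"rcode {msg.get('Status')}"
    wanted = name.rstrip(".").lower() + "."
    for rr in msg.get("Answer", []):
        owner = rr.get("name", "").lower().rstrip(".") + "."
        if rr.get("type") == qtype and owner == wanted:
            return True, rr.get("data")
    return False, "no Answer of the requested type"


def select_server(candidates, probe, allow_unverified: bool = False):
    """First candidate whose probe passes. Candidates that would run with
    verify-doh-cert=no are skipped unless the caller opts in."""
    for cand in candidates:
        if not cand["verify_cert"] and not allow_unverified:
            continue
        status, body = probe(cand["probe_url"])
        healthy, _reason = judge_response(status, body, cand["probe_name"])
        if healthy:
            return cand
    return None


# Constructed sample bodies (not captured from Cloudflare or Google).
CLOUDFLARE_OK = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "mikrotik.ca.", "type": 1}],
    "Answer": [{"name": "mikrotik.ca.", "type": 1, "TTL": 300, "data": "192.0.2.10"}],
})
# What the %26 typo gets you: a 200 with rcode 3 and no Answer section.
CLOUDFLARE_NXDOMAIN = json.dumps({
    "Status": 3, "Question": [{"name": "mikrotik.ca&type=A.", "type": 1}],
})
GOOGLE_BAD_REQUEST = "<html>400 Bad Request</html>"

CANDIDATES = [
    {"doh": "https://1.1.1.1/dns-query", "probe_name": "mikrotik.ca", "verify_cert": True,
     "probe_url": probe_url("https://1.1.1.1/dns-query", "mikrotik.ca")},
    {"doh": "https://dns.google/dns-query", "probe_name": "mikrotik.ca", "verify_cert": False,
     "probe_url": probe_url("https://dns.google/dns-query", "mikrotik.ca")},
]


def fake_probe(url: str):
    """Offline stand-in for `/tool fetch`: (HTTP status, body) per host."""
    if url.startswith("https://1.1.1.1/"):
        return 200, CLOUDFLARE_OK
    return 400, GOOGLE_BAD_REQUEST


if __name__ == "__main__":
    chosen = select_server(CANDIDATES, fake_probe)
    print("use-doh-server =", chosen["doh"] if chosen else "none healthy")
    print(judge_response(200, CLOUDFLARE_NXDOMAIN, "mikrotik.ca"))
```

On the router the equivalent of `judge_response` would be a `:find` on the fetched file for `"Status":0` and for the expected record, rather than just `on-error`.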
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Wed Jun 10, 2020 10:06 am

> What do you mean? How did you add a second DoH server?

Just as Sindy writes. Using a fail-over script to a second server.
What can also be done is to set up three routers. One with two DNS servers pointing to the two others. Then the two others each running their own DoH.
Will test the Google cert.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Wed Jun 10, 2020 10:18 am

> This contains GlobalSign Root CA - R2, among others, which is what dns.google uses: https://curl.haxx.se/ca/cacert.pem

This worked, but installed 137 certificates :-o
Do I need all? Can I see which is used?
 
TheSirStumfy
Frequent Visitor
Posts: 90
Joined: Sun Oct 14, 2018 7:54 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 10:59 am

You only need the root certificate of the service you want to use.
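
Importing the whole bundle means `verify-doh-cert=yes` will accept a DoH server certificate chaining to any of those 137 roots. The Python below is an added example for this thread, not MikroTik's or curl's code: it parses the layout of curl's cacert.pem (a title line, a row of `=`, then the PEM block) and pulls out the single root you name, so that only that file is imported with `/certificate import`. The bundle text inside it mimics that layout but its bodies are placeholders, not real certificates. Which root dns.google chains to is whatever Google's current chain shows (shunkica names GlobalSign Root CA - R2 as of this thread); `openssl s_client -connect dns.google:443 -showcerts` prints the chain to check against. The SHA-256 helper is there to compare with the fingerprint the router prints for the imported certificate; which hash your RouterOS version prints is an assumption to verify.

```python
"""Extract one named root CA from curl's cacert.pem bundle so that only it is
imported into the router. Added example for this thread; not MikroTik's or
curl's code. SAMPLE_BUNDLE copies the file's layout with placeholder bodies."""
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_bundle(text: str) -> dict:
    """Map each title in the bundle to the PEM block that follows it."""
    certs, title, block = {}, None, None
    for line in text.splitlines():
        if block is not None:
            block.append(line)
            if line == END:
                certs[title or f"untitled-{len(certs)}"] = "\n".join(block) + "\n"
                title, block = None, None
        elif line == BEGIN:
            block = [line]
        elif re.fullmatch(r"=+", line):
            continue  # underline of the title captured on the previous line
        elif line.strip() and not line.startswith("#"):
            title = line.strip()
    return certs


def extract_root(text: str, wanted: str) -> str:
    """Return exactly one PEM block, or fail loudly listing what the bundle has."""
    certs = parse_bundle(text)
    if wanted not in certs:
        raise KeyError(f"{wanted!r} not in bundle; available: {sorted(certs)}")
    return certs[wanted]


def der_sha256(pem: str) -> str:
    """SHA-256 over the DER bytes of a PEM block (assumption: matches the
    fingerprint column of /certificate print on your RouterOS version)."""
    body = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def _placeholder_body(label: bytes) -> str:
    """Constructed PEM body: valid base64, NOT a certificate."""
    return base64.b64encode(b"constructed placeholder, not a certificate: " + label).decode()


SAMPLE_BUNDLE = "\n".join([
    "##", "## Bundle of CA Root Certificates (constructed sample)", "##", "",
    "GlobalSign Root CA", "==================",
    BEGIN, _placeholder_body(b"1"), END, "",
    "GlobalSign Root CA - R2", "=======================",
    BEGIN, _placeholder_body(b"2"), END, "",
])

if __name__ == "__main__":
    pem = extract_root(SAMPLE_BUNDLE, "GlobalSign Root CA - R2")
    print(pem, end="")
    print("sha256 of DER:", der_sha256(pem))
```

Run it against the real cacert.pem, write the printed PEM to a file such as google-root.pem, upload that to the router and use `/certificate import file-name=google-root.pem passphrase=""` in place of importing the whole bundle.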
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Wed Jun 10, 2020 11:11 am

And from this list what is the root certificate needed for DoH to work?
 1       T cacert.pem_0         GlobalSign Root CA                                                                      ebd41040e4bb3ec742c9e38...
 2  L    T cacert.pem_1         GlobalSign                                                                              ca42dd41745fd0b81eb9023...
 3       T cacert.pem_2         VeriSign Class 3 Public...                                                              eb04cf5eb1f39afa762f2bb...
 4       T cacert.pem_3         Entrust.net Certificati...                                                              6dc47172e01cbcb0bf62580...
 5       T cacert.pem_4         Baltimore CyberTrust Root                                                               16af57a9f676b0ab126095a...
 6      ET cacert.pem_5         AddTrust External CA Root                                                               687fa451382278fff0c8b11...
 7       T cacert.pem_6         Entrust Root Certificat...                                                              73c176434f1bc6d5adf45b0...
 8       T cacert.pem_7         GeoTrust Global CA                                                                      ff856a2d251dcd88d36656f...
 9       T cacert.pem_8         GeoTrust Universal CA                                                                   a0459b9f63b22559f5fa5d4...
10       T cacert.pem_9         GeoTrust Universal CA 2                                                                 a0234f3bc8527ca5628eec8...
11  L    T cacert.pem_10        AAA Certificate Services                                                                d7a7a0fb5d7e2731d771e94...
12       T cacert.pem_11        QuoVadis Root Certifica...                                                              a45ede3bbbf09c8ae15c72e...
13       T cacert.pem_12        QuoVadis Root CA 2                                                                      85a0dd7dd720adb7ff05f83...
14       T cacert.pem_13        QuoVadis Root CA 3                                                                      18f1fc7f205df8adddeb7fe...
15       T cacert.pem_14                                                                                                e75e72ed9f560eec6eb4800...
16       T cacert.pem_15        Sonera Class2 CA                                                                        7908b40314c138100b518d0...
17  L    T cacert.pem_16        XRamp Global Certificat...                                                              cecddc905099d8dadfc5b1d...
18       T cacert.pem_17                                                                                                c3846bf24b9e93ca64274c0...
19       T cacert.pem_18                                                                                                1465fa205397b876faa6f0a...
20       T cacert.pem_19                                                                                                7600295eefe85b9e1fd624d...
21       T cacert.pem_20        DigiCert Assured ID Roo...                                                              3e9099b5015e8f486c00bce...
22       T cacert.pem_21        DigiCert High Assurance...                                                              7431e5f4c3c1ce4690774f0...
23       T cacert.pem_22        DST Root CA X3                                                                          0687260331a72403d909f10...
24       T cacert.pem_23        SwissSign Gold CA - G2                                                                  62dd0be9b9f50a163ea0f8e...
25       T cacert.pem_24        SwissSign Silver CA - G2                                                                be6c4da2bbb9ba59b6f3939...
26       T cacert.pem_25        GeoTrust Primary Certif...                                                              37d51006c512eaab626421f...
27       T cacert.pem_26        thawte Primary Root CA                                                                  8d722f81a9c113c0791df13...
28       T cacert.pem_27        VeriSign Class 3 Public...                                                              9acfab7e43c8d880d06b262...
29  L    T cacert.pem_28        SecureTrust CA                                                                          f1c1b50ae5a20dd8030ec9f...
30  L    T cacert.pem_29        Secure Global CA                                                                        4200f5043ac8590ebb527d2...
31  L    T cacert.pem_30        COMODO Certification Au...                                                              0c2cd63df7806fa399ede80...
32  L    T cacert.pem_31        Network Solutions Certi...                                                              15f0ba00a3ac7af3ac884c0...
33       T cacert.pem_32        COMODO ECC Certificatio...                                                              1793927a0614549789adce2...
34       T cacert.pem_33        OISTE WISeKey Global Ro...                                                              41c923866ab4cad6b7ad578...
35       T cacert.pem_34        Certigna                                                                                e3b6a2db2ed7ce48842f7ac...
36  L    T cacert.pem_35        Cybertrust Global Root                                                                  960adf0063e96356750c296...
37       T cacert.pem_36                                                                                                c0a6f4dc63a24bfdcf54ef2...
38       T cacert.pem_37                                                                                                eaa962c4fa4a6bafebe4151...
39       T cacert.pem_38        GeoTrust Primary Certif...                                                              b478b812250df878635c2aa...
40       T cacert.pem_39        thawte Primary Root CA ...                                                              a4310d50af18a6447190372...
41       T cacert.pem_40        thawte Primary Root CA ...                                                              4b03f45807ad70f21bfc2ca...
42       T cacert.pem_41        GeoTrust Primary Certif...                                                              5edb7ac43b82a06a8761e8d...
43       T cacert.pem_42        VeriSign Universal Root...                                                              2399561127a57125de8cefe...
44       T cacert.pem_43        VeriSign Class 3 Public...                                                              69ddd7ea90bb57c93e135dc...
45       T cacert.pem_44                                                                                                6c61dac3a2def031506be03...
46      ET cacert.pem_45        Staat der Nederlanden R...                                                              668c83947da63b724bece17...
47       T cacert.pem_46        Hongkong Post Root CA 1                                                                 f9e67d336c51002ac054c63...
48       T cacert.pem_47        SecureSign RootCA11                                                                     bf0feefb9e3a581ad5f9e9d...
49       T cacert.pem_48        Microsec e-Szigno Root ... email:info@e-szigno.hu                                       3c5f81fea5fab82c64bfa2e...
50       T cacert.pem_49        GlobalSign                                                                              cbb522d7b7f127ad6a01138...
51       T cacert.pem_50        Autoridad de Certificac...                                                              04048028bf1f2864d48f9ad...
52       T cacert.pem_51        Izenpe.com                 email:info@izenpe.com                                        2530cc8e98321502bad96f9...
53       T cacert.pem_52        Chambers of Commerce Ro...                                                              063e4afac491dfd332f3089...
54       T cacert.pem_53        Global Chambersign Root...                                                              136335439334a7698016a0d...
55       T cacert.pem_54        Go Daddy Root Certifica...                                                              45140b3247eb9cc8c5b4f0d...
56       T cacert.pem_55        Starfield Root Certific...                                                              2ce1cb0bf9d2f9e102993fb...
57       T cacert.pem_56        Starfield Services Root...                                                              568d6905a2c88708a4b3025...
58       T cacert.pem_57        AffirmTrust Commercial                                                                  0376ab1d54c5f9803ce4b2e...
59       T cacert.pem_58        AffirmTrust Networking                                                                  0a81ec5a929777f145904af...
60       T cacert.pem_59        AffirmTrust Premium                                                                     70a73f7f376b60074248904...
61       T cacert.pem_60        AffirmTrust Premium ECC                                                                 bd71fdf6da97e4cf62d1647...
62       T cacert.pem_61        Certum Trusted Network CA                                                               5c58468d55f58e497e74398...
63       T cacert.pem_62        TWCA Root Certification...                                                              bfd88fe1101c41ae3e801bf...
64       T cacert.pem_63                                                                                                513b2cecb810d4cde5dd853...
65       T cacert.pem_64        EC-ACC                     email:ec_acc@catcert.net                                     88497f01602f3154246ae28...
66       T cacert.pem_65        Hellenic Academic and R...                                                              bc104f15a48be709dca542a...
67       T cacert.pem_66        Actalis Authentication ...                                                              55926084ec963a64b96e2ab...
68       T cacert.pem_67                                                                                                c1b48299aba5208fe9630ac...
69       T cacert.pem_68        Buypass Class 2 Root CA                                                                 9a114025197c5bb95d94e63...
70       T cacert.pem_69        Buypass Class 3 Root CA                                                                 edf7ebbca27a2a384d387b7...
71       T cacert.pem_70        T-TeleSec GlobalRoot Cl...                                                              fd73dad31c644ff1b43bef0...
72       T cacert.pem_71        EE Certification Centre...                                                              3e84ba4342908516e77573c...
73  L    T cacert.pem_72        D-TRUST Root Class 3 CA...                                                              49e7a442acf0ea628705005...
74  L    T cacert.pem_73        D-TRUST Root Class 3 CA...                                                              eec5496b988ce98625b9340...
75       T cacert.pem_74        CA Disig Root R2                                                                        e23d4a036d7b70e9f595b14...
76  L    T cacert.pem_75        ACCVRAIZ1                  email:accv@accv.es                                           9a6ec012e1a7da9dbe34194...
77       T cacert.pem_76        TWCA Global Root CA                                                                     59769007f7685d0fcd50872...
78       T cacert.pem_77        TeliaSonera Root CA v1                                                                  dd6936fe21f8f077c123a1a...
79       T cacert.pem_78        E-Tugra Certification A...                                                              b0bfd52bb0d7d9bd92bf5d4...
80       T cacert.pem_79        T-TeleSec GlobalRoot Cl...                                                              91e2f5788d5810eba7ba587...
81       T cacert.pem_80        Atos TrustedRoot 2011                                                                   f356bea244b7a91eb35d53c...
82       T cacert.pem_81        QuoVadis Root CA 1 G3                                                                   8a866fd1b276b57e578e921...
83       T cacert.pem_82        QuoVadis Root CA 2 G3                                                                   8fe4fb0af93a4d0d67db0be...
84       T cacert.pem_83        QuoVadis Root CA 3 G3                                                                   88ef81de202eb018452e43f...
85       T cacert.pem_84        DigiCert Assured ID Roo...                                                              7d05ebb682339f8c9451ee0...
86       T cacert.pem_85        DigiCert Assured ID Roo...                                                              7e37cb8b4c47090cab36551...
87       T cacert.pem_86        DigiCert Global Root G2                                                                 cb3ccbb76031e5e0138f8dd...
88       T cacert.pem_87        DigiCert Global Root G3                                                                 31ad6648f8104138c738f39...
89       T cacert.pem_88        DigiCert Trusted Root G4                                                                552f7bdcf1a7af9e6ce6720...
90       T cacert.pem_89        COMODO RSA Certificatio...                                                              52f0e1c4e58ec629291b603...
91       T cacert.pem_90        USERTrust RSA Certifica...                                                              e793c9b02fd8aa13e21c312...
92       T cacert.pem_91        USERTrust ECC Certifica...                                                              4ff460d54b9c86dabfbcfc5...
93       T cacert.pem_92        GlobalSign                                                                              bec94911c2955676db6c0a5...
94       T cacert.pem_93        GlobalSign                                                                              179fbc148a3dd00fd24ea13...
95       T cacert.pem_94        Staat der Nederlanden R...                                                              3c4fb0b95ab8b30032f432b...
96       T cacert.pem_95        Staat der Nederlanden E...                                                              4d2491414cfe956746ec4ce...
97       T cacert.pem_96        IdenTrust Commercial Ro...                                                              5d56499be4d2e08bcfcad08...
98       T cacert.pem_97        IdenTrust Public Sector...                                                              30d0895a9a448a262091635...
99       T cacert.pem_98        Entrust Root Certificat...                                                              43df5774b03e7fef5fe40d9...
100       T cacert.pem_99        Entrust Root Certificat...                                                              02ed0eb28c14da45165c566.>
101       T cacert.pem_100       CFCA EV ROOT                                                                            5cc3d78e4e1d5e45547a04e.>
102       T cacert.pem_101       OISTE WISeKey Global Ro...                                                              6b9c08e86eb0f767cfad65c.>
103       T cacert.pem_102       SZAFIR ROOT CA2                                                                         a1339d33281a0b56e557d3d.>
104       T cacert.pem_103       Certum Trusted Network ...                                                              b676f2eddae8775cd36cb0f.>
105       T cacert.pem_104       Hellenic Academic and R...                                                              a040929a02ce53b4acf4f2f.>
106       T cacert.pem_105       Hellenic Academic and R...                                                              44b545aa8a25e65a73ca15d.>
107       T cacert.pem_106       ISRG Root X1                                                                            96bcec06264976f37460779.>
108       T cacert.pem_107                                                                                               ebc5570c29018c4d67b1aa1.>
109       T cacert.pem_108       Amazon Root CA 1                                                                        8ecde6884f3d87b1125ba31.>
110       T cacert.pem_109       Amazon Root CA 2                                                                        1ba5b2aa8c65401a8296011.>
111       T cacert.pem_110       Amazon Root CA 3                                                                        18ce6cfe7bf14e60b2e347b.>
112       T cacert.pem_111       Amazon Root CA 4                                                                        e35d28419ed02025cfa6903.>
113       T cacert.pem_112       LuxTrust Global Root 2                                                                  54455f7129c20b1447c418f.>
114       T cacert.pem_113       TUBITAK Kamu SM SSL Kok...                                                              46edc3689046d53a453fb31.>
115       T cacert.pem_114       GDCA TrustAUTH R5 ROOT                                                                  bfff8fd04433487d6a8aa60.>
116       T cacert.pem_115       TrustCor RootCert CA-1                                                                  d40e9c86cd8fe468c177695.>
117       T cacert.pem_116       TrustCor RootCert CA-2                                                                  0753e940378c1bd5e3836e3.>
118       T cacert.pem_117       TrustCor ECA-1                                                                          5a885db19c01d912c575938.>
119       T cacert.pem_118       SSL.com Root Certificat...                                                              85666a562ee0be5ce925c1d.>
120       T cacert.pem_119       SSL.com Root Certificat...                                                              3417bb06cc6007da1b961c9.>
121       T cacert.pem_120       SSL.com EV Root Certifi...                                                              2e7bf16cc22485a7bbe2aa8.>
122       T cacert.pem_121       SSL.com EV Root Certifi...                                                              22a2c1f7bded704cc1e701b.>
123       T cacert.pem_122       GlobalSign                                                                              2cabeafe37d06ca22aba739.>
124       T cacert.pem_123       OISTE WISeKey Global Ro...                                                              8560f91c3624daba9570b5f.>
125       T cacert.pem_124       GTS Root R1                                                                             2a575471e31340bc21581cb.>
126       T cacert.pem_125       GTS Root R2                                                                             c45d7bb08e6d67e62e42351.>
127       T cacert.pem_126       GTS Root R3                                                                             15d5b8774619ea7d54ce1ca.>
128       T cacert.pem_127       GTS Root R4                                                                             71cca5391f9e794b0480253.>
129       T cacert.pem_128       UCA Global G2 Root                                                                      9bea11c976fe014764c1be5.>
130       T cacert.pem_129       UCA Extended Validation...                                                              d43af9b35473755c9684fc0.>
131  L    T cacert.pem_130       Certigna Root CA                                                                        d48d3d23eedb50a459e5519.>
132       T cacert.pem_131       emSign Root CA - G1                                                                     40f6af0346a99aa1cd1d555.>
133       T cacert.pem_132       emSign ECC Root CA - G3                                                                 86a1ecba089c4a8d3bbe273.>
134       T cacert.pem_133       emSign Root CA - C1                                                                     125609aa301da0a249b97a8.>
135       T cacert.pem_134       emSign ECC Root CA - C3                                                                 bc4d809b15189d78db3e1d8.>
136       T cacert.pem_135       Hongkong Post Root CA 3                                                                 5a2fc03f0c83b090bbfa406.>
137       T cacert.pem_136       Entrust Root Certificat...                                                              db3517d1f6732a2d5ab97c5.>
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 11:28 am

Open https://dns.google/dns-query in a browser. You'll get a 400 Bad Request, but that doesn't matter; there will be a padlock icon next to the URL. Click it and go to the certificate details to see the root CA certificate which signs the server one (the exact steps depend on the browser).

The above is only true if you don't have spyware (antivirus) installed on your PC which performs MITM attacks on all TLS traffic so that it can inspect the contents you download for malware.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Wed Jun 10, 2020 11:45 am

Trial and error showed me that the second certificate installed is the only one needed.
Name: cacert.pem_1
Issuer: OU=GlobalSign Root CA - R2,O=GlobalSign,CN=GlobalSign
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Wed Jun 10, 2020 12:55 pm

I'm using the script and it works well. I've imported the global certificates and tested several DoH servers, but you always get an error as a response.
I set the schedule to every minute and had the results written to an external sacrificial MMC card, so as not to fry the 'tik's flash.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 1:03 pm

When mentioning frying the flash, I had in mind the basic 6.47 which some users report to generate thousands of sector writes without an apparent reason, not writing the fetched file to flash - on my SOHO devices, files are stored in RAM unless you explicitly place them in flash.

I don't understand what you mean by "works well" and "you always get an error" in the same sentence, can you elaborate?
 
Urajmal
just joined
Posts: 20
Joined: Thu Jul 26, 2018 6:23 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 2:11 pm

For those who have DoH configured with Cloudflare, does the first test, "Secure DNS", show as green for you?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Wed Jun 10, 2020 2:15 pm

I thought the result file was written to the MikroTik's HDD, so I moved it to the external MMC.
Schermata del 2020-06-10 12.54.41.png
The script always populates the MikroTik DNS cache even when the Cloudflare DoH fails.
For the query response errors I thought about this.
Schermata del 2020-06-10 13.00.40.png
 
User avatar
xvo
Forum Guru
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: DNS over HTTPS

Wed Jun 10, 2020 2:52 pm

For those who have DoH configured with Cloudflare, does the first test, "Secure DNS", show as green for you?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks
Yes.
 
Urajmal
just joined
Posts: 20
Joined: Thu Jul 26, 2018 6:23 pm

Re: DNS over HTTPS

Wed Jun 10, 2020 3:26 pm

For those who have DoH configured with Cloudflare, does the first test, "Secure DNS", show as green for you?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks
Yes.
I have a problem with that. I followed normis's manual, and I am unable to get the first test green. Any recommendations? What should I have in DNS - Static, and what should I have in DHCP Server - Networks - DNS Servers?
 
User avatar
xvo
Forum Guru
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: DNS over HTTPS

Wed Jun 10, 2020 3:49 pm

What should I have in DNS - Static
Nothing if you use https://1.1.1.1/dns-query as DoH Server.

Or /ip dns static add address=1.1.1.1 name=cloudflare-dns.com
if you use https://cloudflare-dns.com/dns-query

what should I have DHCP Server - Networks - DNS Servers?
Your router's IP

Also make sure, that you don't have any dynamic servers.
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Wed Jun 10, 2020 4:02 pm

On Linux, to check the DNS I do this: restart the connection and check with nmcli device show myinterface | grep IP4
 
Urajmal
just joined
Posts: 20
Joined: Thu Jul 26, 2018 6:23 pm

Re: DNS over HTTPS

Thu Jun 11, 2020 12:15 am

What should I have in DNS - Static
Nothing if you use https://1.1.1.1/dns-query as DoH Server.

Or /ip dns static add address=1.1.1.1 name=cloudflare-dns.com
if you use https://cloudflare-dns.com/dns-query

what should I have DHCP Server - Networks - DNS Servers?
Your router's IP

Also make sure, that you don't have any dynamic servers.


Thanks! I have tried all sorts of combinations. I am unable to get "Secure DNS" to green.
I will be following this thread to see if there are others with the same situation.

And I will try to configure it on a brand new RB4011.
 
Pea
Member Candidate
Member Candidate
Posts: 229
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS over HTTPS

Thu Jun 11, 2020 12:34 am

Is your client really using your router as DNS?
 
hendra
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Nov 22, 2017 2:21 am

Re: DNS over HTTPS

Thu Jun 11, 2020 3:22 am

Can you ping the DoH server?
Maybe this is the problem.
Or maybe my router is too old :D lol
The CPU usage goes down when I disable the NAT for transparent DNS.
And what is the meaning of these warning logs?
may/27 01:04:34 dns,warning DoH max concurrent queries reached, ignoring query 
dns,error DoH server connection error: remote disconnected while in HTTP exchange

any solution ?
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Thu Jun 11, 2020 8:13 am

For those who have DoH configured with Cloudflare, does the first test, "Secure DNS", show as green for you?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks
Yes.

You need the certificate; check by typing: /certificate print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 0       T name="DigiCertGlobalRootCA.crt.pem_0" issuer=C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA digest-algorithm=sha1 
           key-type=rsa country="US" organization="DigiCert Inc" unit="www.digicert.com" common-name="DigiCert Global Root CA" key-size=2048 
           subject-alt-name="" days-valid=9131 trusted=yes key-usage=digital-signature,key-cert-sign,crl-sign 
           serial-number="083BE056904246B1A1756AC95991C74A" fingerprint="4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161" 
           akid=03de503556d14cbb66f0a3e21b1bc397b23dd155 skid=03de503556d14cbb66f0a3e21b1bc397b23dd155 invalid-before=nov/10/2006 02:00:00 
           invalid-after=nov/10/2031 02:00:00 expires-after=595w3d18h49m37s 
Then set the DNS on your router to:
/ip dns set servers="" use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
DHCP should point DNS to your router. So on your PC, ipconfig /all
DNS Servers . . . . . . . . . . . : 192.168.88.1
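The two halves of this (which root to keep, and how to get clients onto the router's resolver, as xvo also described) can be done in one go. What follows is an added example written for this thread, not a configuration from any post here or from MikroTik. It assumes the default 192.168.88.0/24 LAN with the router at 192.168.88.1, a DHCP client on the WAN port, and that https://1.1.1.1/dns-query is still chained to "DigiCert Global Root CA" as in the print above; re-check that in a browser as sindy described, since the operator can re-issue under a different root at any time. The pruning step exists because importing cacert.pem makes every one of the 130-odd roots a trust anchor for the DoH connection, when only one of them is ever needed.

```routeros
# Added example, not from the thread: trust a single root for DoH instead of the whole bundle.
# Assumptions: LAN 192.168.88.0/24, router 192.168.88.1, DHCP client on WAN, DoH server 1.1.1.1.

# 1. Plain DNS and NTP first: certificate validity checks need a correct clock,
#    and the NTP hostname has to be resolvable before DoH is up.
/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com

# 2. Import the curl bundle. Every root in it becomes a trusted anchor on the router.
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""

# 3. Keep only the root that signs the DoH server's chain and remove the rest.
#    "DigiCert Global Root CA" is what 1.1.1.1 chained to when this thread was written;
#    read the current value off the server's certificate before relying on it.
:local keep "DigiCert Global Root CA"
:foreach c in=[/certificate find name~"cacert"] do={
  :if ([/certificate get $c common-name] != $keep) do={ /certificate remove $c }
}

# 4. Pin it: the fingerprint printed here (4348a0e9... in the print above) must equal the
#    value the CA publishes for that root. Anything else means the bundle was altered in transit.
/certificate print detail where common-name="DigiCert Global Root CA"

# 5. Switch to DoH with verification on and no plain-DNS fallback.
#    allow-remote-requests is what lets LAN clients use the router as resolver; the input
#    chain must still drop udp/tcp 53 from the WAN side or the router becomes an open resolver.
/ip dns set servers="" allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

# Hostname form instead of IP needs a bootstrap entry, since nothing else can resolve it:
#   /ip dns static add name=cloudflare-dns.com address=1.1.1.1
#   /ip dns set use-doh-server=https://cloudflare-dns.com/dns-query

# 6. Stop the WAN side from injecting plain-DNS servers, then hand clients the router's address.
/ip dhcp-client set [find] use-peer-dns=no
/ip dns print
/ip dhcp-server network set [find] dns-server=192.168.88.1

# 7. Verify: the resolver must answer and the log must be free of DoH errors.
:put [:resolve example.com]
/log print where message~"DoH"
```

Run it from the terminal in that order: the plain servers in step 1 are only there so that NTP and the bundle download can resolve before DoH is up, and step 5 removes them again. If /ip dns print still shows dynamic-servers after step 6, another dynamic source is adding them; for a PPPoE uplink the equivalent is /interface pppoe-client set [find] use-peer-dns=no.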
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: DNS over HTTPS

Thu Jun 11, 2020 8:54 pm

None of my Apple gear works when DoH is enabled .... All apple gear is wireless ..... all windows gear works with DoH.
I have not determined why the Apple Gear is not working with DoH .... will do that on another day ...
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Thu Jun 11, 2020 10:51 pm

Maybe Apple uses a fixed IP, like Chromecast uses 8.8.8.8, and not the DNS it gets from DHCP.
This can be fixed by redirecting all requests to port 53 to your DNS server. Then Chromecast and other stupid devices that do not follow normal regulations will still work.
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Fri Jun 12, 2020 12:28 am

So:
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53
put in front of all the rules?
192.168.88.1 is the IP of the MikroTik router
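Following on from the rules above, here is an added example of the same redirect done with action=redirect, plus the checks that go with it. It is not from the thread or from MikroTik; it assumes the router is 192.168.88.1 and that the LAN ports are members of the interface list "LAN" (the default configuration creates that list; substitute in-interface=bridge otherwise). On the placement question: yes, the dstnat rules need to sit above anything else in that chain, otherwise an earlier dst-nat or port-forward rule that matches port 53 wins.

```routeros
# Added example, not from the thread: force every LAN client through the router's resolver.
# Assumptions: router 192.168.88.1, LAN ports in interface list "LAN".

# Catch DNS that clients send straight to 8.8.8.8 and the like and hand it to the local resolver.
# "redirect" targets the router's own address on the interface the packet arrived on, so no
# to-addresses is needed. place-before=0 puts the rule at the top; drop it if the table is empty.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="DNS: redirect to router (udp)" place-before=0
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="DNS: redirect to router (tcp)" place-before=0

# Redirecting port 53 does nothing for clients that speak DoT (tcp/853) to a resolver of their own;
# that can at least be dropped. Client-side DoH rides on tcp/443 and cannot be singled out this way.
/ip firewall filter
add chain=forward in-interface-list=LAN protocol=tcp dst-port=853 action=drop comment="block client DoT"

# The router must accept the redirected queries itself. The default input chain already accepts
# LAN traffic; if yours drops by default, these two have to sit above that drop rule.
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept comment="DNS from LAN"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept comment="DNS from LAN"

# Verify from a LAN host: both queries must return the same answer, and the counters on the
# redirect rules must increase. A client that still resolves elsewhere is bypassing port 53.
#   nslookup example.com 8.8.8.8
#   nslookup example.com 192.168.88.1
/ip firewall nat print stats where comment~"DNS"
```

The nslookup against 8.8.8.8 is the useful one: if it answers, the answer came from the router, not from Google, which is exactly what a Chromecast-style device with a hard-coded resolver will now get.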
 
hendra
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Nov 22, 2017 2:21 am

Re: DNS over HTTPS

Fri Jun 12, 2020 10:56 pm

Sometimes after a few hours I get this log: "DoH server connection error: idle timeout". Any clue for this?
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Fri Jun 12, 2020 11:17 pm

I don't know but have a look at the first posting in this thread.
 
Lebzul
Member Candidate
Member Candidate
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: DNS over HTTPS

Sat Jun 13, 2020 4:18 pm

Is it normal to have lots of RAM consumption by using this?
 
hendra
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Nov 22, 2017 2:21 am

Re: DNS over HTTPS

Sun Jun 14, 2020 4:20 am

Any clue for this: "DoH server connection error: ssl handshake timeout"?
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: DNS over HTTPS

Sun Jun 14, 2020 8:40 am

Hi all,
Does anyone know the URL to download the certificate for OpenDNS? I am getting DNS resolution errors.
I tried
https://support.opendns.com/hc/en-us/ar ... evelopers-
No go, though the certificate was imported successfully.
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Sun Jun 14, 2020 9:40 am

slimprize,
that's what I do, in the PEM download section.
Schermata del 2020-06-14 08.31.14.png
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sun Jun 14, 2020 11:53 am

You click.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: DNS over HTTPS

Sun Jun 14, 2020 2:12 pm

Not sure why MikroTik never implemented DoT and went for DoH. Routers are tools to implement and include in network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers :)
@BlackFate
"Leave DoH for the browsers" is 100% on the mark!
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: DNS over HTTPS

Sun Jun 14, 2020 2:19 pm

Maybe Apple uses a fixed IP, like Chromecast uses 8.8.8.8, and not the DNS it gets from DHCP.
This can be fixed by redirecting all requests to port 53 to your DNS server. Then Chromecast and other stupid devices that do not follow normal regulations will still work.
@Jotne
All my Apple devices use DHCP and get their DNS from 'either' based on appropriateness. Safari just hangs. Chrome is fine.
I'll just forget DoH on the Router and use DoH enabled on the Chromium Browser -- works great.
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: DNS over HTTPS

Sun Jun 14, 2020 5:20 pm

slimprize.
that's what I do . in the PEM download section.
Schermata del 2020-06-14 08.31.14.png
frank333, your screenshot is not clear. Could you please describe the procedure from the command line interface? Do all certificates need to be in PEM format? I seem to have imported the one from OpenDNS correctly.

[pranav1@ConShield] /certificate> print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
# NAME COM.. SUBJECT-ALT-NAME FIN..
0 T Cis.. Cis.. 203..

Pranav
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 8:21 am

Not sure why MikroTik never implemented DoT and went for DoH. Routers are tools to implement and include in network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers :)
@BlackFate
"Leave DoH for the browsers" is 100% on the mark!
Not all internet traffic is from the browser. Not all devices have browsers.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 15, 2020 10:25 am

Not sure why MikroTik never implemented DoT and went for DoH. Routers are tools to implement and include in network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers :)
@BlackFate
"Leave DoH for the browsers" is 100% on the mark!
Not all internet traffic is from the browser. Not all devices have browsers.
Then why is TCP port 443 used and not a specific port for this kind of traffic? DoT is using TCP/853 and can be blocked without having to bring long lists of addresses to block.

DoH is an aggressive way of resolving and not at home in a network that is administered in a normal way. It should be used in situations where normal network administration is not present.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 10:54 am

Exactly!
DoH can be used in countries where governments enforce filtering of news and such. This is why it's popular, I guess.
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Mon Jun 15, 2020 11:08 am

In my opinion, DoH is the first example of how much MikroTik cares about the safety of its users, and other initiatives in this direction are welcome.
The only things I can reproach are the problems I had using firmware 6.47 and the lack of the possibility to use other DNS servers besides Cloudflare.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 11:10 am

You can use any DoH service, not just Cloudflare. You can use Google or others. There is a list of public DoH servers you can use:
https://dnsprivacy.org/wiki/display/DP/ ... +Resolvers
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Mon Jun 15, 2020 11:18 am

Yes normis, I wanted to say that I tried this, but in addition to having problems with continuous writing to the NAND with v6.47, I still cannot enable certificate verification for servers other than Cloudflare, and also cannot yet enter a second DoH server that acts as a failover.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 15, 2020 11:47 am

Exactly!
DoH can be used in countries where governments enforce filtering of news and such. This is why it's popular, I guess.
Is Latvia such a country?

The popularity is due to indoctrination by the big firms wanting to follow you wherever you go. You always send your IP address with your request.

The opposite of what you want to achieve is happening here. See it as the Facebook pixel or hidden script that has been on all the sites for a long time. You told Facebook which sites you visited.

It belongs in browsers and not in routers or other network devices.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 11:58 am

Latvia is not such a country, but these requests come from such countries.
Don't mix other topics into this. One doesn't have to be a FB user to want DoH. People still want to read News, but some places deny this access. Such user can set up DoH in his home router and not worry about somebody intercepting DNS requests for browsing or any other internet traffic.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 15, 2020 1:56 pm

I did not mix things; I compared it to that.

"See it as the Facebook pixel...."
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 1:57 pm

There is no relation. You can set your router to forward all traffic to your OWN DNS over HTTPs server in another country.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 15, 2020 3:23 pm

Yes you can, but how many will do that!?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Mon Jun 15, 2020 3:25 pm

Look at the crazy amount of questions on this forum. DoH is really popular. A lot of regimes nowadays filter content. People started to use 8.8.8.8 as DNS, but that got blocked. So now people ask for DoH. This is what it's for basically.

I will not get political. We just make what users ask for (sometimes).
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: DNS over HTTPS

Mon Jun 15, 2020 4:40 pm

Follow these steps exactly:

./ip dns set servers=1.1.1.1,1.0.0.1
./system ntp client set enabled=yes server-dns-names=time.cloudflare.com
./tool fetch url=https://curl.haxx.se/ca/cacert.pem
./certificate import file-name=cacert.pem passphrase=""
./ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
./ip dns set servers=""
Does this work for ipv6?
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: DNS over HTTPS

Mon Jun 15, 2020 4:44 pm

Does this work for ipv6?
You could try this address:

https://[2606:4700:4700::1111]/dns-query

But others reported it does not. Have not tried it myself.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Mon Jun 15, 2020 6:21 pm

Look at the crazy amount of questions on this forum. DoH is really popular. A lot of regimes nowadays filter content. People started to use 8.8.8.8 as DNS, but that got blocked. So now people ask for DoH. This is what it's for basically.

I will not get political. We just make what users ask for (sometimes).
And so it came full circle.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: DNS over HTTPS

Tue Jun 16, 2020 7:46 am

sometimes after a few hours i got this log " DoH server conncetion error iddle timeout" any clue for this ?
Same issue, I usually just ignore it as DNS seems to work fine.
 
shunkica
newbie
Posts: 48
Joined: Sat Mar 03, 2018 2:19 pm

Re: DNS over HTTPS

Wed Jun 17, 2020 9:56 am

DoH is not only for countries with content filtering...
All governments do surveillance on their citizens, and your ISP could be selling your data as well.
And when it comes to it, I would rather Cloudflare have my data than my shitty government/ISP.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Wed Jun 17, 2020 10:05 am

And when it comes to it, I would rather Cloudflare have my data than my shitty government/ISP.
Maybe the people here that do not like DoH/DoT are ISPs themselves ;)
 
User avatar
inteq
Member
Member
Posts: 402
Joined: Wed Feb 25, 2015 8:15 pm
Location: Romania

Re: DNS over HTTPS

Wed Jun 17, 2020 10:14 am

In my opinion, doh is the first example of how much mikrotik cares about the safety of its users and other initiatives in this direction are welcome.
Don't be fooled into thinking DoH provides any "safety" for users.
I mean don't do stupid stuff online just because you have DoH enabled then act surprised when caught.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Jun 17, 2020 10:23 am

DoH just moves your concerns from the ISP/Government to the DoH service provider. It all just depends on who you trust more.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Wed Jun 17, 2020 10:51 am

And when it comes to it, I would rather Cloudflare have my data than my shitty government/ISP.
Maybe the people here that do not like DoH/DoT are ISPs themselves ;)
Why should DoT be wrong? As an ISP or as concerned parents of a family you can enforce not using DoT.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Jun 17, 2020 11:01 am

I just hope you can try and see the other side of the coin. It was discussed enough times above. There are many reasons not to trust the ISP.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Wed Jun 17, 2020 11:02 am

DoH just moves your concerns from the ISP/Government to the DoH service provider. It all just depends on who you trust more.
It's a huge difference. I can choose between someone I know and someone I do not know. How many can see my DNS requests, I do not know, but with DoH I have some clue.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Jun 17, 2020 11:06 am

Like I already said, you can set up your own DOH server in a trusted country with a trusted ISP and then configure DOH client in the country where you don't feel safe.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Wed Jun 17, 2020 12:06 pm

I just hope you can try and see the other side of the coin. It was discussed enough times above. There are many reasons not to trust the ISP.
There are also many reasons to not trust anyone with your private data.

That is why I do it myself and ask the authoritative directly. The Dutch government does not like it when you do that through a VPN provider. I have to use the DoT server of my ISP for those specific domains.
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: DNS over HTTPS

Wed Jun 17, 2020 4:13 pm

Hi all,

Has anyone gotten OpenDNS's DoH server to work?

As I said above I tried but was getting resolution errors despite importing the certificate.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Wed Jun 17, 2020 5:10 pm

Sure. Quick and simple (and insecure *) way:
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem
/ip dns set use-doh-server=https://doh.opendns.com/dns-query verify-doh-cert=yes
(*) The problem is that fetch does not verify the certificate, and even though there is an option for it, it won't work when there's no root certificate on the router. Chicken and egg problem. So better download the file using a browser and upload it to the router.
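One way to close the chicken-and-egg gap described above: download the root certificate out of band, and before uploading it to the router compare its SHA-256 fingerprint with the one the CA publishes. The Python below is an added example, not code from this thread or from RouterOS. The PEM it checks is a constructed placeholder, not a real DigiCert certificate, and the pinned fingerprint is an input taken from the CA's own site, not something hard-coded here. It also rejects a bundle in which any certificate is unpinned, which is exactly what importing a whole cacert.pem fetched without TLS verification would do.

```python
"""Pin-check a downloaded CA PEM before importing it into a router.

Added example for this thread; not RouterOS code. Usage:
    python pin_check.py DigiCertGlobalRootCA.crt.pem AA:BB:...   (fingerprint from the CA's site)
"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_blocks(pem_text: str) -> list:
    """Decode every certificate in a PEM file or bundle to its DER bytes."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as one PEM certificate block (used to build sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, formatted the way browsers and openssl print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB', 'aa bb' or 'aabb' and compare on bare uppercase hex."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def bundle_matches_pins(pem_text: str, pinned: set) -> bool:
    """True only if the file holds at least one certificate and every one of
    them is in the pinned set. A bundle carrying unpinned extras (e.g. cacert.pem
    with 100+ roots fetched without TLS verification) is rejected as a whole."""
    ders = pem_to_der_blocks(pem_text)
    if not ders:
        return False
    allowed = {normalize_fingerprint(p) for p in pinned}
    return all(normalize_fingerprint(sha256_fingerprint(d)) in allowed for d in ders)


# Constructed placeholder bytes standing in for a root certificate's DER; not a real cert.
SAMPLE_DER = b"constructed DER placeholder, not a real certificate"
SAMPLE_PEM = der_to_pem(SAMPLE_DER)


def main(argv: list) -> int:
    if len(argv) != 3:
        print(__doc__)
        return 2
    with open(argv[1], encoding="ascii") as fh:
        pem_text = fh.read()
    ok = bundle_matches_pins(pem_text, {argv[2]})
    for der in pem_to_der_blocks(pem_text):
        print(sha256_fingerprint(der))
    print("PIN OK: safe to upload and import" if ok else "PIN MISMATCH: do not import")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file you downloaded in a browser, passing the fingerprint copied from the CA's site; only on "PIN OK" upload the file to the router and run the `/certificate import`. Because the comparison is on the DER bytes, it does not matter whether the download was .pem or .crt, as long as it is PEM-encoded.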
 
slimprize
Member Candidate
Member Candidate
Posts: 108
Joined: Thu Aug 09, 2012 2:43 am

Re: DNS over HTTPS

Thu Jun 18, 2020 4:40 am

@Sob,
Many many thanks. I have DNS over HTTPS working. Website lookups are slow so I am not sure if I will keep this configuration. I want to though, so let's see.

Pranav
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Thu Jun 18, 2020 11:13 am

slimprize,
Cloudflare has the fastest DNS, then there is Google, and all the others. OpenDNS here at my place is very slow.
 
kd2pm2
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 5:35 pm

Anyone else getting this? Seems that if it's time to get an updated cert file... it can't. It's a chicken/egg scenario where it can't get the info to do the fetch to update the cert. Easy fix is to just add in another DNS entry like 1.1.1.1 and immediately the DNS query works, it does the fetch and then all is good. I can take out the 1.1.1.1 until once again it gets caught in the loop trying to query but it can't...


dns error.jpg
 
hendra
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Nov 22, 2017 2:21 am

Re: DNS over HTTPS

Fri Jun 19, 2020 5:38 pm

Anyone else getting this? Seems that if it's time to get an updated cert file... it can't. It's a chicken/egg scenario where it can't get the info to do the fetch to update the cert. Easy fix is to just add in another DNS entry like 1.1.1.1 and immediately the DNS query works, it does the fetch and then all is good. I can take out the 1.1.1.1 until once again it gets caught in the loop trying to query but it can't...



dns error.jpg
how to solve this ?
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Fri Jun 19, 2020 6:06 pm

try to follow this holy man's guidance,
https://jcutrer.com/howto/networking/mi ... over-https
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Fri Jun 19, 2020 8:08 pm

In the Holy book you see, Normis, only Google and Cloudflare are being mentioned.

As I predicted.
 
kd2pm2
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 8:11 pm

try to follow this holy man's guidance,
https://jcutrer.com/howto/networking/mi ... over-https
Seems pretty close to what I have already done. I may have to go back to plan "B" and make the URL 1.1.1.1 instead of cloudflare-dns.com
 
kd2pm2
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 10:12 pm

So here is my current DNS config. When I reboot the RB2011 it goes into infinity with handshake failures. It's trying to validate the CRLs but yet, it should already have it in certificates memory as being valid. I suspect that the certificates setting needs to be changed to perhaps not download the CRL or even use the CRL? Also not sure if the CRL store should be RAM or System. In order to fix the problem I did have to add DNS server 1.1.1.1 to my settings.

From what I can tell, a reboot invalidates the CRLs and the router needs to go back out and validate all of them. If you do a /system certificates and you check the CRL tab, all of those CRLs are red. So you are stuck until validation takes place and they go black on the screen, and then the DNS server will start caching entries.

So I am kinda lost here as to how it really should be set up so that a reboot does not force me to log in manually to add a DNS entry of 1.1.1.1 just to download/validate what I have in my router all the time.
 /ip dns print
                      servers: 
              dynamic-servers: 
               use-doh-server: https://1.1.1.2/dns-query
              verify-doh-cert: yes
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 500
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 3d
                   cache-used: 30KiB
dns_error_2.jpg
Above shows the errors immediately after the RB2011 reboot

dns_error_3.jpg
Above shows the updates to the files once I add DNS 1.1.1.1 as a server.
 
Pea
Member Candidate
Member Candidate
Posts: 229
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS over HTTPS

Fri Jun 19, 2020 10:35 pm

remove all those certificates and use just this one:
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
 
kd2pm2
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 10:49 pm

remove all those certificates and use just this one:
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
I did and there is no CRL and I am still logging the same DNS error

DoH server connection error: SSL: handshake failed: unable to get certificate CRL (6)
 
kd2pm2
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 10:51 pm

I believe I have to go back and get the PEM file for Cloudflare-DNS and load that back in as well... I believe one can't work without the other
 
kd2pm2
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Wed Nov 14, 2012 7:14 am
Location: New Jersey, USA

Re: DNS over HTTPS

Fri Jun 19, 2020 11:10 pm

I believe I have to go back and get the PEM file for Cloudflare-DNS and load that back in as well...I believe one cant work without the other
So it's definitely an issue on a reboot: if you don't have a standard DNS server like 1.1.1.1 assigned as well as the DOH server, the DOH cannot and will not allow itself to validate the CRLs and thus it has to use the 1.1.1.1 to get those downloaded, and then the DOH appears to be happy.

It also appears to me that you do need the cloudflare-dns.com and DigiCert Global Root CA certs for things to behave...if not, it continues to log DOH server errors.
 
User avatar
floaty
Member
Member
Posts: 314
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: DNS over HTTPS

Sat Jun 20, 2020 12:45 am

.
I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address?
.
same experience here:
using the available v4 addresses gives warnings (maybe a google by-the-side-sausage ??)
... seems there's load balancing in between, which is fetching "dns.google" [or any of the alternate names ... because the pure ip servers do NOT]
.
question: what would be the issue with local static translation ?
.
## update ##... dns64.dns.google is not working ... guess that's for v6
.
[admin@tikki] > ping www.cisco.com
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: could not get answer from dns server
                                                                      (1 messages discarded)
23:29:09 echo: dns,warning <html lang=en>
23:29:09 echo: dns,warning   <meta charset=utf-8>
23:29:09 echo: dns,warning   <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
23:29:09 echo: dns,warning   <title>Error 404 (Not Found)!!1</title>
23:29:09 echo: dns,warning   <style>
23:29:09 echo: dns,warning     *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:
180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-
decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/g
ooglelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/go
oglelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:u
23:29:09 echo: dns,warning rl(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:ur
l(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
23:29:09 echo: dns,warning   </style>
23:29:09 echo: dns,warning   <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
23:29:09 echo: dns,warning   <p><b>404.</b> <ins>That\E2\80\99s an error.</ins>
23:29:09 echo: dns,warning   <p>The requested URL <code>/dns-query</code> was not found on this server.  <ins>That\E2\80\99s all we know.</ins>
23:29:09 echo: dns,warning
[admin@tikki] > 
.
ggl.PNG
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sat Jun 20, 2020 3:13 am

dns64.dns.google can't be resolved to an IP address:
;; AUTHORITY SECTION:
dns.google.             48      IN      SOA     ns1.zdns.google. dns-admin.google.com. 2684358593 21600 3600 1209600 300
 
User avatar
floaty
Member
Member
Posts: 314
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: DNS over HTTPS

Sat Jun 20, 2020 12:35 pm

.
not v4 ... right
.
foo@pike:~# dig -x 2001:4860:4860::64

; <<>> DiG 9.10.3-P4-Debian <<>> -x 2001:4860:4860::64
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35978
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;4.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
4.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. 21598 IN PTR dns64.dns.google.

;; Query time: 43 msec
;; SERVER: 192.168.100.10#53(192.168.100.10)
;; WHEN: Sat Jun 20 11:32:24 CEST 2020
;; MSG SIZE  rcvd: 131

foo@pike:~# 
 
Flextro
just joined
Posts: 1
Joined: Wed May 02, 2018 3:31 pm

Re: DNS over HTTPS

Sun Jun 21, 2020 12:27 pm

I'm using DoH with the 1.1.1.1 server and an RB3011 with ROS 6.47 for about a week.
Since this morning I have a problem with 1.1.1.1:
I get only the "12:15:40 dns,error DoH server connection error: SSL: internal error (6)" message. I tried 9.9.9.9 and it works fine (still).
Don't know if this is an issue with my ISP, CF or MikroTik.
 
capy2008
just joined
Posts: 3
Joined: Sun Jun 21, 2020 8:14 pm

Re: DNS over HTTPS

Sun Jun 21, 2020 8:16 pm

I get this error. Anybody have any idea how I fix it?
/tool fetch url="https://curl.haxx.se/ca/cacert.pem"
failure: unable to resolve hostname

I fixed it, but I am unable to make DoH work. I still see ISP DNS in Torch.
Last edited by capy2008 on Sun Jun 21, 2020 9:09 pm, edited 2 times in total.
 
User avatar
MEJAKUmputer
just joined
Posts: 2
Joined: Wed Jul 15, 2020 2:18 pm
Location: Indonesia

Re: DNS over HTTPS

Wed Jul 15, 2020 2:33 pm

My DoH setting
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set servers=""
/ip dns set use-doh-server=https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes

/ip firewall filter
add action=accept chain=input src-port=443 protocol=tcp src-address-list=Cloudflare-DNS
add action=accept chain=input dst-port=53 in-interface=!ether1-wan protocol=udp
add action=drop chain=input

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether2-lan protocol=tcp to-addresses=192.168.68.1 to-ports=53
I added 2 static DNS entries for family.cloudflare-dns.com to addresses 104.18.209.237 and 104.18.210.237.
Also added 104.18.209.237 and 104.18.210.237 to an address list named Cloudflare-DNS.
And 192.168.68.1 is the gateway for ether2.

Everything works well, but did I miss something in my settings? I need your opinion.
 
DarkNate
Forum Veteran
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Thu Jul 16, 2020 4:26 pm

What ports does RouterOS use for DoH?

Strictly TCP 443 only?

Seems in some cases port 53, 853 is used: https://en.wikipedia.org/wiki/DNS_over_ ... _scenarios
 
proximus
Member Candidate
Member Candidate
Posts: 119
Joined: Tue Oct 04, 2011 1:46 pm

Re: DNS over HTTPS

Fri Jul 17, 2020 12:26 am

I added 2 static DNS entries for family.cloudflare-dns.com to address: 104.18.209.237 and 104.18.210.237.
You would probably be better off using the Anycast addresses 1.1.1.3 and 1.0.0.3. That way, if CF ever changes those specific servers, you won't be out of service.

I use the 1.1.1.2 / 1.0.0.2 security.cloudflare-dns.com static DNS entries and it is fine.
 
User avatar
MEJAKUmputer
just joined
Posts: 2
Joined: Wed Jul 15, 2020 2:18 pm
Location: Indonesia

Re: DNS over HTTPS

Tue Jul 21, 2020 1:59 pm

I added 2 static DNS entries for family.cloudflare-dns.com to address: 104.18.209.237 and 104.18.210.237.
You would probably be better off using the Anycast addresses 1.1.1.3 and 1.0.0.3. That way, if CF ever changes those specific servers, you won't be out of service.

I use the 1.1.1.2 / 1.0.0.2 security.cloudflare-dns.com static DNS entries and it is fine.
What if I just add 1.1.1.3 and 1.0.0.3 as family.cloudflare-dns.com static DNS entries, so I have four static DNS entries for family.cloudflare-dns.com (104.18.209.237, 104.18.210.237, 1.1.1.3, 1.0.0.3)? Is that fine?
 
Guscht
Member Candidate
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: DNS over HTTPS

Tue Jul 21, 2020 11:57 pm

What ports does RouterOS use for DoH?

Strictly TCP 443 only?

Seems in some cases port 53, 853 is used: https://en.wikipedia.org/wiki/DNS_over_ ... _scenarios
I think you misunderstand the concept. In your LAN, the clients query your edge router as DNS resolver unencrypted via port 53.
The outgoing DNS query from your router to the public DoH DNS server is encrypted and sent via port 443.
The public DoH DNS server resolves the query itself unencrypted via port 53 (or via TLS over port 853).

This means DoH is no real end-to-end encryption. But it is a security benefit overall.
So yes, the DoH part uses strictly port 443.
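To make the middle hop of the three concrete, here is what the router-to-resolver leg actually carries. The Python below is an added example, not code from this thread or from RouterOS: it builds the DNS query in wire format, wraps it in the RFC 8484 POST that travels inside TLS to TCP 443 (HTTP/1.1 framing shown; HTTP/2 carries the same body), and parses a constructed resolver reply. The host name, path and the 192.0.2.1 answer (documentation address range) are assumptions for the example. Everything in that POST is readable to whoever terminates the TLS session, which is why DoH moves trust from the ISP to the DoH operator rather than removing it.

```python
"""DNS query -> DoH POST -> answer parsing, as an added example (not RouterOS code)."""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """One question with RD set. RFC 8484 recommends txid 0 so identical
    queries produce identical bodies, which lets HTTP caches match them."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_doh_post(host: str, path: str, query: bytes) -> bytes:
    """The HTTP/1.1 request the router sends inside TLS on TCP 443 (RFC 8484
    section 4.1). Host, path and the queried name are plaintext to the DoH
    operator; only the ISP path sees TLS."""
    head = "\r\n".join([
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Accept: application/dns-message",
        "Content-Type: application/dns-message",
        f"Content-Length: {len(query)}",
        "",
        "",
    ])
    return head.encode("ascii") + query


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a name, whether written out or compressed."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def response_rcode(msg: bytes) -> int:
    """RCODE from the header flags (0 = NOERROR, 3 = NXDOMAIN, ...)."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return flags & 0x000F


def parse_a_records(msg: bytes) -> list:
    """IPv4 answers from a DNS response body; rejects non-responses and errors."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):                  # step over the echoed question(s)
        offset = skip_name(msg, offset) + 4
    addrs = []
    for _ in range(an):
        offset = skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def build_sample_response(query: bytes, ipv4: str, ttl: int = 300, rcode: int = 0) -> bytes:
    """Constructed resolver reply for offline use: echoes the question, sets
    QR/RD/RA, and adds one A record whose name is a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, 1, 0, 0)
    rr = (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + bytes(int(o) for o in ipv4.split(".")))
    return header + question + rr


if __name__ == "__main__":
    q = build_dns_query("example.com")
    request = build_doh_post("cloudflare-dns.com", "/dns-query", q)
    print(request[: len(request) - len(q)].decode("ascii"), end="")
    print(f"<{len(q)} bytes of application/dns-message>")
    print("answers:", parse_a_records(build_sample_response(q, "192.0.2.1")))
```

The 29-byte body for an A query on example.com is the same bytes the router would send over plain UDP 53 to a classic resolver; the only thing DoH changes on the wire is the HTTPS envelope around it, which is also why Torch on the WAN shows 443 rather than 53 once DoH is really in use.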
 
arrazib
just joined
Posts: 2
Joined: Mon Jun 22, 2020 11:50 pm

Re: DNS over HTTPS

Thu Jul 30, 2020 9:23 pm

Dear Concern,
I have successfully configured the system. It is showing me "Verify that DoH is enabled and working". When I am torching the WAN interface it is not showing me 1.1.1.1:443 (http) but rather 1.1.1.1:53 (dns). I don't know why it is happening. Is it a config error? Please let me know what to do if I want to solve the issue.
 
arrazib
just joined
Posts: 2
Joined: Mon Jun 22, 2020 11:50 pm

Re: DNS over HTTPS

Fri Jul 31, 2020 12:02 pm

I have successfully configured the system. It is showing me "Verify that DoH is enabled and working". When I am torching the WAN interface it is not showing me 1.1.1.1:443 (http) but rather 1.1.1.1:53 (dns). I don't know why it is happening. Is it a config error? Please let me know what to do if I want to solve the issue.
 
vishvas
just joined
Posts: 3
Joined: Thu Oct 28, 2010 2:29 pm

Re: DNS over HTTPS

Tue Aug 11, 2020 7:54 pm

Dear All
Has anybody tested IPv6 DNS over HTTPS?
 
DarkNate
Forum Veteran
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Sun Aug 16, 2020 3:04 pm

@normis

ROS keeps trying to use WAN1 for DoH even though WAN1 is down/disabled and WAN2 is active and reachable. Normal DNS works fine, only DoH keeps trying WAN1 even if the interface itself is manually disabled.

Steps to reproduce the bug
1. ISP 1 with Route distance 1
2. ISP 2 with Route distance 2
3. Disable ISP 1 or turn off the uplink device to simulate an unreachable state
4. Check the log and you'll see DoH refuses to use ISP 2 no matter what

Image
 
DarkNate
Forum Veteran
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Sun Aug 16, 2020 3:05 pm

Dear All
Has anybody tested IPv6 DNS over HTTPS?
It seems to be working already as per the connection tracking in the firewall on IPv6, I can see DoH traffic to Cloudflare initiated by the client devices using advertised DNS from RouterOS.
 
fsgrbv
just joined
Posts: 2
Joined: Wed Nov 14, 2018 11:47 am

Re: DNS over HTTPS

Sun Aug 16, 2020 9:56 pm

Dear All
Has anybody tested IPv6 DNS over HTTPS?

Yes. I've tested with:
/ip dns set use-doh-server=https://dns64.cloudflare-dns.com/dns-query verify-doh-cert=yes
Unfortunately, it does not work.


Even though IPv6 works OK.
[admin@MikroTik] > put [resolve dns64.cloudflare-dns.com]
2606:4700:4700::64
[admin@MikroTik] > ping 2606:4700:4700::64      
  SEQ HOST                                     SIZE TTL TIME  STATUS                                         
    0 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    1 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    2 2606:4700:4700::64                         56  61 23ms  echo reply                                     
    sent=3 received=3 packet-loss=0% min-rtt=23ms avg-rtt=23ms max-rtt=24ms 

IPv4 DoH (
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
) works OK too.
 
DarkNate
Forum Veteran
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Mon Aug 17, 2020 10:56 pm

Dear All
Has anybody tested IPv6 DNS over HTTPS?

Yes. I've tested with:
/ip dns set use-doh-server=https://dns64.cloudflare-dns.com/dns-query verify-doh-cert=yes
Unfortunately, it does not work.


Even though IPv6 works OK.
[admin@MikroTik] > put [resolve dns64.cloudflare-dns.com]
2606:4700:4700::64
[admin@MikroTik] > ping 2606:4700:4700::64      
  SEQ HOST                                     SIZE TTL TIME  STATUS                                         
    0 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    1 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    2 2606:4700:4700::64                         56  61 23ms  echo reply                                     
    sent=3 received=3 packet-loss=0% min-rtt=23ms avg-rtt=23ms max-rtt=24ms 

IPv4 DoH (
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
) works OK too.
dns64.cloudflare-dns.com is for NAT64 networks. In most cases ISPs give native IPv6 with CGNATted IPv4 or public IPv4.

https://cloudflare-dns.com/dns-query would be the correct one to use, it works for both IPv4 and native IPv6.
 
User avatar
Tubeorange667
just joined
Posts: 15
Joined: Sat Jul 11, 2020 3:47 pm
Location: Kochi, Kerala

Re: DNS over HTTPS

Tue Aug 18, 2020 10:13 am

I got everything working with NextDNS. Here is what I did.
Make sure you change <id> to your config ID: for example, if your ID is "99b212" you can give .... /ip dns set use-doh-server=https://dns.nextdns.io/99b212 verify-doh-cert=yes
If you want to display the device name, just add it at the end after a "/", like this ... /ip dns set use-doh-server=https://dns.nextdns.io/99b212/mikrotik


/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set servers=""
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
/ip dns set use-doh-server="https://dns.nextdns.io/<id>" verify-doh-cert=yes
Untitled-1.jpg
 
Pea
Member Candidate
Member Candidate
Posts: 229
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS over HTTPS

Tue Aug 18, 2020 10:38 am

Why do you import all 138 CA certificates? Isn't it better to import only the one needed?
 
User avatar
Tubeorange667
just joined
Posts: 15
Joined: Sat Jul 11, 2020 3:47 pm
Location: Kochi, Kerala

Re: DNS over HTTPS

Tue Aug 18, 2020 11:00 am

Why do you import all 138 CA certificates? Isn't it better to import only the one needed?
I did not find anything specific in the certificate list which points to "nextdns", so I imported all. How can I find the one which is used by NextDNS?
 
Pea
Member Candidate
Member Candidate
Posts: 229
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS over HTTPS

Tue Aug 18, 2020 11:04 am

Just try with this one:
(attachment not available)
 
User avatar
Tubeorange667
just joined
Posts: 15
Joined: Sat Jul 11, 2020 3:47 pm
Location: Kochi, Kerala

Re: DNS over HTTPS

Tue Aug 18, 2020 12:07 pm

I am not finding anything like that in the certificates list. I tried to remove everything except the name 'digicert'. But that's not working. It does not start with this name; it's something else.
 
nrgch
just joined
Posts: 1
Joined: Mon Sep 21, 2020 9:14 pm

Re: DNS over HTTPS

Mon Sep 21, 2020 9:53 pm

Is it possible that I'm getting "DoH server connection error: Idle timeout - waiting data" because I'm using two different ISPs at the same time on one PC with two ethernet adapters and two different routers, and they don't know anything about each other?
The 2nd router is not MikroTik and it's not logging any problems about DoH.
Other than that log message I'm not having any problems with internet connectivity, whether it is either router separately or both at the same time. Both are configured properly for using DoH.
I'm just curious about that log message, nothing more. Everything's working just fine.
Thanks.
 
IYARINDRA
just joined
Posts: 21
Joined: Fri Apr 07, 2017 6:13 pm

Re: DNS over HTTPS

Mon Oct 12, 2020 11:20 am

Any guide for Google DoH settings ?
### Google DoH
/ip dns set servers=8.8.8.8,8.8.4.4
/system ntp client set enabled=yes primary-ntp=time.google.com
/tool fetch url=https://pki.goog/roots.pem
/certificate import file-name=roots.pem passphrase=""
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns set allow-remote-requests=yes cache-max-ttl=1d use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip dns set servers=""

### Script for certificates update
/system script add dont-require-permissions=no name=Certificate_Google policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/tool fetch url=https://pki.goog/roots.pem\r\n/certificate import file-name=roots.pem passphrase=\"\""

### Script for DNS cache flush
/system script add dont-require-permissions=no name=DNS_Flush_Cache policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip dns cache flush"

### Schedule to update google certificate once a week 
/system scheduler add comment="Google Certificate Update" interval=1w name=Certificate_Google_Update on-event=Certificate_Google policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/06/2019 start-time=05:20:00

### Schedule to flush dns cache everyday
/system scheduler add comment="DoH Cache Flush" interval=1d name="DNS Cache Flush" on-event=DNS_Flush_Cache policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/06/2019 start-time=05:30:00
 
DarkNate
Forum Veteran
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Mon Oct 12, 2020 4:32 pm

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.

DoH on ROS was and still is broken.
 
hendra
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Nov 22, 2017 2:21 am

Re: DNS over HTTPS

Sun Oct 18, 2020 10:36 am

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.

DoH on ROS was and still is broken.
Can you tell me the steps to do this?
 
DarkNate
Forum Veteran
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Sun Oct 18, 2020 12:45 pm

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.

DoH on ROS was and still is broken.
Can you tell me the steps to do this?
https://docs.pi-hole.net/main/prerequisites/

https://docs.pi-hole.net/guides/dns-over-https/
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DNS over HTTPS

Sun Oct 18, 2020 5:34 pm

Hi DarkNate,
I am interested in how you added the Pi-hole to the MT router for this functionality.
Is it on its own subnet, for example?
How do you point users to Pi-hole?
How do you point Pi-hole to the external servers you wish to use?
What firewall rules are germane to the setup for the Pi-hole and users?
What DNS rules are germane to the setup for the Pi-hole and users?

In other words, configuring the Pi-hole may be the easy part.
I tried using Pi-hole once, and the family got upset real fast when it worked in broken fashion or not at all, and I couldn't afford to play at it any longer.
So I am looking for the config snippets for all Pi-hole related entries, and a schematic to show the concept of how it fits into the network.
 
DarkNate
Forum Veteran
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Sun Oct 18, 2020 10:05 pm

Hi DarkNate,
I am interested in how you added the Pi-hole to the MT router for this functionality.
Is it on its own subnet, for example?
How do you point users to Pi-hole?
How do you point Pi-hole to the external servers you wish to use?
What firewall rules are germane to the setup for the Pi-hole and users?
What DNS rules are germane to the setup for the Pi-hole and users?

In other words, configuring the Pi-hole may be the easy part.
I tried using Pi-hole once, and the family got upset real fast when it worked in broken fashion or not at all, and I couldn't afford to play at it any longer.
So I am looking for the config snippets for all Pi-hole related entries, and a schematic to show the concept of how it fits into the network.
I give the Pi a static IP via IP>DHCP>Leases.
Inside IP>DHCP>Networks, simply insert said static IP into the DNS field for that particular DHCP server/network. Clients will automatically grab it.

You don't need to manually IPv6 Link-local. LAN devices will send and receive AAAA just fine over the IPv4 local subnet via Pi-Hole. As long as the Pi-Hole has proper IPv6 config straight from SLAAC/RADVD from the Tik and can reach external IPv6 servers.
The end.

The rest is in the official Pi-Hole config. As stated, I use cloudflared binary+Pi-Hole which I already linked above.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DNS over HTTPS

Mon Oct 19, 2020 1:13 am

So if I put the Pi-hole on its own VLAN
and give it a fixed IP,
I then put that IP address in each of my VLAN dhcp-server network entries?
Do I need firewall rules to allow the Pi-hole anything specific on the input chain?
Do I need firewall rules to allow users from all other VLANs to the Pi-hole VLAN in the forward chain?
If Pi-hole isn't working then how will the user get service (simply put in a second DNS entry there of 1.1.1.1, for example), assuming order is important and works?
 
DarkNate
Forum Veteran
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: DNS over HTTPS

Mon Oct 19, 2020 1:51 am

So if I put the Pi-hole on its own VLAN
and give it a fixed IP,
I then put that IP address in each of my VLAN dhcp-server network entries?
Do I need firewall rules to allow the Pi-hole anything specific on the input chain?
Do I need firewall rules to allow users from all other VLANs to the Pi-hole VLAN in the forward chain?
If Pi-hole isn't working then how will the user get service (simply put in a second DNS entry there of 1.1.1.1, for example), assuming order is important and works?
I haven't used VLANs, can't help you there.
Default firewall rules are enough for bridge config. The order makes no difference from my testing, not on MikroTik at least in regards to DNS IPs inside the DHCP server. The point is to ensure Pi-Hole is stable for 24/7 use.
 
User avatar
maxslug
newbie
Posts: 25
Joined: Sun Aug 30, 2020 7:07 am

Re: DNS over HTTPS

Sun Nov 15, 2020 11:31 pm

Thanks IYARINDRA, I switched over to Google's DOH server and used your scripts.
 
patrickmkt
Member Candidate
Member Candidate
Posts: 200
Joined: Sat Jul 28, 2012 5:21 pm

Re: DNS over HTTPS

Wed Nov 18, 2020 9:36 pm

Has someone figured out how to get a proper CRL download while using DoH?

I am still getting "DoH server connection error: SSL: handshake failed: unable to get certificate CRL".
 
storrgie
just joined
Posts: 7
Joined: Mon Aug 10, 2020 12:34 am

Re: DNS over HTTPS

Fri Dec 04, 2020 2:29 am

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
Are you aware of a way to do this that doesn't import over 100 certificates?

Sorry, rephrase, I don't think that in 7b1,7b2,7b3 that this has worked. With all of these certificates, verification won't work.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Fri Dec 04, 2020 2:53 am

Are you aware of a way to do this that doesn't import over 100 certificates?
This one is enough: https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem

Edit: It doesn't work for me with v7 either (v6 works fine).
 
storrgie
just joined
Posts: 7
Joined: Mon Aug 10, 2020 12:34 am

Re: DNS over HTTPS

Fri Dec 04, 2020 4:10 pm

Edit: It doesn't work for me with v7 either (v6 works fine).
Right, wanted Normis to see this.
 
silencio
just joined
Posts: 8
Joined: Fri Dec 20, 2019 4:12 pm

Re: DNS over HTTPS

Thu Dec 17, 2020 1:43 pm

any tutorial for cleanbrowsing? I tried all the scripts and none of them worked for me. I have no way to enable DoH.

Thank you very much in advance. Best regards.
 
bitomaxsp
just joined
Posts: 2
Joined: Thu Aug 15, 2019 1:53 pm

Re: DNS over HTTPS

Fri Jan 22, 2021 1:46 pm

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
These steps are correct. But I had an issue where I had Use Peer DNS and Use Peer NTP set. Please check that those are unchecked. Otherwise the router will use the peer (provider, in my case) DNS and NTP (this influences the certificate check).
 
jr0dd
just joined
Posts: 14
Joined: Fri Feb 10, 2017 4:46 am

Re: DNS over HTTPS

Sat Feb 13, 2021 8:59 pm

I'm constantly getting my logs flooded with max concurrent queries. I have increased max-concurrent-queries and max-concurrent-tcp-sessions, but still get the errors. Any suggestions would be greatly appreciated.

log
10:47:56 dns,warning DoH max concurrent queries reached, ignoring query

dns settings
[admin@RB3011UiAS] > ip dns print
                      servers: 
              dynamic-servers: 
               use-doh-server: https://1.1.1.1/dns-query
              verify-doh-cert: yes
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 250
  max-concurrent-tcp-sessions: 100
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 460KiB
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Sat Feb 13, 2021 9:17 pm

Decrease maximum concurrent queries. It limits, so TCP can keep up.
 
Note
Frequent Visitor
Frequent Visitor
Posts: 78
Joined: Fri Jun 03, 2016 12:39 pm

Re: DNS over HTTPS

Tue Feb 16, 2021 3:17 pm

I'm still looking for a fix for the "doh server connection error network is unreachable" issue.

Any news? I'm on 6.47.8 stable.
 
Note
Frequent Visitor
Frequent Visitor
Posts: 78
Joined: Fri Jun 03, 2016 12:39 pm

Re: DNS over HTTPS

Wed Feb 24, 2021 10:11 am

I did a workaround that has worked great the last few days with 0 disconnections. I do not know if it is a coincidence, that's why I share my configuration, so you can all test it. The changes are that I changed the queries to 200, the sessions to 50, and I set the name to regexp in the static DNS entry.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=200
max-concurrent-tcp-sessions=50 servers=1.1.1.1,1.0.0.1
use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 regexp=cloudflare-dns
add address=104.16.249.249 regexp=cloudflare-dns
Check here afterwards: https://1.1.1.1/help
 
AlexanderWhite
just joined
Posts: 1
Joined: Wed May 12, 2021 6:09 pm

Re: DNS over HTTPS

Wed May 12, 2021 6:19 pm

Hey there,
I've tried to figure out what shall I do to make mikrotik work with DoH OpenDNS service.
They say we shall use next two IP addresses as DoH servers - 208.67.222.222 and 208.67.220.220
But, if we check their certificate with
echo | openssl s_client -showcerts -servername doh.familyshield.opendns.com -connect doh.opendns.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
we'll see the next alternative names:
X509v3 Subject Alternative Name:
DNS:doh.opendns.com, IP Address:146.112.41.2, IP Address:2620:119:FC:0:0:0:0:2, DNS:doh.familyshield.opendns.com, IP Address:146.112.41.3, IP Address:2620:119:FC:0:0:0:0:3, DNS:doh.sandbox.opendns.com, IP Address:146.112.41.4, IP Address:2620:119:FC:0:0:0:0:4, DNS:doh.umbrella.com, IP Address:146.112.41.5, IP Address:2620:119:FC:0:0:0:0:5

So, I supposed that the problem with "DoH server connection error: SSL internal error" comes from the fact that they haven't added their addresses (208.67.222.222 and 208.67.220.220) to the certificate. And when I configured my mikrotik to use the next url - https://146.112.41.2/dns-query
everything started to work.

Am I right or I am right ? :)
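
The matching rule behind the post above, as an added example (Python, not from the thread and not anything RouterOS ships): a TLS client checks an IP-literal URL host only against the IP Address entries in the certificate's Subject Alternative Name, and a DNS-name host only against the DNS entries, so `https://208.67.222.222/dns-query` cannot validate against a certificate that lists 146.112.41.2 but not 208.67.222.222. The SAN text is copied from the openssl output quoted in the post; the URLs fed to it are made up for illustration.

```python
"""Would the host in a DoH URL match this certificate's SAN list?

Added example, not from the thread. The SAN line is the one printed by the
openssl command in the post above; the test URLs are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Copied from the post's openssl output (X509v3 Subject Alternative Name).
SAN_TEXT = (
    "DNS:doh.opendns.com, IP Address:146.112.41.2, IP Address:2620:119:FC:0:0:0:0:2, "
    "DNS:doh.familyshield.opendns.com, IP Address:146.112.41.3, IP Address:2620:119:FC:0:0:0:0:3, "
    "DNS:doh.sandbox.opendns.com, IP Address:146.112.41.4, IP Address:2620:119:FC:0:0:0:0:4, "
    "DNS:doh.umbrella.com, IP Address:146.112.41.5, IP Address:2620:119:FC:0:0:0:0:5"
)


def parse_san(text):
    """Split an openssl-style SAN line into (dns_names, ip_addresses).

    DNS names are lower-cased (hostname matching is case-insensitive); IPs are
    parsed so that 2620:119:FC:0:0:0:0:2 and 2620:119:fc::2 compare equal.
    """
    dns_names, ips = set(), set()
    for entry in text.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns_names.add(value.strip().lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value.strip()))
    return dns_names, ips


def host_matches_san(url, san_text):
    """True if the URL's host would be accepted against these SAN entries.

    An IP literal is compared only with IP Address entries and a DNS name only
    with DNS entries; wildcard DNS entries are not handled here.
    """
    host = urlsplit(url).hostname  # lower-cased, IPv6 brackets stripped
    dns_names, ips = parse_san(san_text)
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        return host in dns_names


if __name__ == "__main__":
    for u in ("https://146.112.41.2/dns-query", "https://208.67.222.222/dns-query",
              "https://doh.opendns.com/dns-query"):
        print(u, "->", "verifies" if host_matches_san(u, SAN_TEXT) else "name mismatch")
```

This is why the two OpenDNS configurations later in the thread that do work use either https://146.112.41.2/dns-query or the DNS name doh.opendns.com (with a static A record so the router can resolve it before DoH is up); 208.67.222.222 is an anycast resolver address, not a name the DoH certificate is issued for.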
 
Ishtiaque
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Sat Jul 30, 2016 5:17 pm
Location: Bangladesh
Contact:

Re: DNS over HTTPS

Tue Jun 29, 2021 1:34 am

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
Certificate import not supported ..........
cannot find host name ............
it's errors all over :D
 
ccnnorthcali
just joined
Posts: 2
Joined: Thu Apr 23, 2020 9:16 pm

Re: DNS over HTTPS

Wed Jul 14, 2021 10:24 pm

Certificate import not supported ..........
cannot find host name ............
it's errors all over :D
use /tool fetch url=https://curl.se/ca/cacert.pem and it should work
 
swa69er
just joined
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

Re: DNS over HTTPS

Sat Sep 18, 2021 6:09 pm

What is the difference between
1 certificate
https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem

and 100000 certificates :D
https://curl.haxx.se/ca/cacert.pem

I have 3 routers using only 1,
but 1 other is not working, so I have to use the 100+ certs.
 
Ishtiaque
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Sat Jul 30, 2016 5:17 pm
Location: Bangladesh
Contact:

Re: DNS over HTTPS

Sun Sep 19, 2021 5:32 pm

Certificate import not supported ..........
cannot find host name ............
it's errors all over :D
use /tool fetch url=https://curl.se/ca/cacert.pem and it should work
Yes :)
and Thanks Dude :) its great and worked for me
 
vatokale
just joined
Posts: 1
Joined: Mon Sep 27, 2021 9:44 pm

Re: DNS over HTTPS

Mon Sep 27, 2021 9:47 pm

does https://8.8.8.8/dns-query or https://8.8.4.4/dns-query work as a direct doh server?
 
Ishtiaque
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Sat Jul 30, 2016 5:17 pm
Location: Bangladesh
Contact:

Re: DNS over HTTPS

Sat Oct 02, 2021 11:32 pm

does https://8.8.8.8/dns-query or https://8.8.4.4/dns-query work as a direct doh server?
yes
 
DoubleDB
newbie
Posts: 25
Joined: Thu Feb 20, 2020 12:53 am

Re: DNS over HTTPS

Tue Oct 05, 2021 9:47 am

Okay... has anything been done about the total instability of DoH ?
My DNS completely disappears every 15-20 minutes. Tried everything I could think of - nothing helped......
 
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Tue Oct 05, 2021 10:01 pm

Have you tried another DoH provider?
 
Ishtiaque
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Sat Jul 30, 2016 5:17 pm
Location: Bangladesh
Contact:

Re: DNS over HTTPS

Wed Oct 06, 2021 12:13 am

Okay... has anything been done about the total instability of DoH ?
My DNS completely disappears every 15-20 minutes. Tried everything I could think of - nothing helped......
Please post your DOH config
you can upload an image or
the configuration script as text ...
 
tommix
just joined
Posts: 6
Joined: Sat Jan 01, 2022 1:49 am

Re: DNS over HTTPS

Sat Jan 01, 2022 1:55 am

Created an account just to tell how pathetic MikroTik looks. Please look at ASUS routers for how it should be done. RouterOS is not an OS, it's a notepad... where you have to do all the programming and scripting... It's sad to see how people are struggling to get shit done in Mikrotik. I was looking for a new router... was thinking about Mikrotik, I'm from Lithuania, Latvia is a neighbor... it's good to support a neighbor but god damn... this OS SUCKS! People spending their LIFE looking for fixes, hacks and patches to get such BASIC features!
Very crappy implementation! Stupid to download certificates, stupid to not have a few DNS options if one fails (they never fail, RouterOS only fails).... RouterOS is a mess. I was reading many many forums and posts and I don't want to have anything to do with it. If the OS doesn't have BASIC features... how can anyone trust anything more complicated?
 
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: DNS over HTTPS

Sun Jan 02, 2022 8:31 pm

ASUS :o lol
 
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: DNS over HTTPS

Sun Jan 02, 2022 8:33 pm

Okay... has anything been done about the total instability of DoH ?
My DNS completely disappears every 15-20 minutes. Tried everything I could think of - nothing helped......
Did you set an NTP Client?
 
Mairis
just joined
Posts: 7
Joined: Sun Feb 05, 2017 3:43 pm
Location: Latvia

Re: DNS over HTTPS

Mon Feb 07, 2022 3:42 pm

RouterOS 7.1.1
----------------------
## copy Certificate from Internet
/tool fetch url=https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem
## add Certificate to Mikrotik (plain ASCII quotes; curly quotes break the import)
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
## verify [optional] *winbox gui >> System/Certificate
/certificate print
## Add Cloudflare DoH
/ip dns set use-doh-server=https://1.0.0.1/dns-query verify-doh-cert=yes
## disable static DNS servers
/ip dns set servers=""
## delete DNS cache [optional]
/ip dns cache flush
--------------------------------------------------------------------------------------------------------------------------
--- [Check what have you done] ----
https://1.1.1.1/help (Using DNS over HTTPS (DoH) - Yes)
*winbox gui >> Log (Verify for errors...)
 
mke
just joined
Posts: 23
Joined: Wed Sep 27, 2017 3:37 am

Re: DNS over HTTPS

Fri Mar 04, 2022 8:05 am

DoH working for me in 7.2rc4. Things I discovered troubleshooting what may or may not have been issues:

Cloudflare's test at https://1.1.1.1/help only tells you if you are using Cloudflare's own DoH, same with NextDNS test at https://test.nextdns.io.

Simplest way to test is torch your wan interface to see if requests are going via https to relevant 4 or 6 dns IPs, eg 1.1.1.1, 8.8.8.8 etc

I believe I had better luck importing the certificates I needed individually rather than the whole mozilla bundle, although I wasn't scientific about this and I don't see why it would make a difference. The ones I used for testing different providers were:

https://pki.goog/repo/certs/gtsr1.pem #google (all 4 required)
https://pki.goog/repo/certs/gtsr2.pem
https://pki.goog/repo/certs/gtsr3.pem
https://pki.goog/repo/certs/gtsr4.pem
https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem # cloudflare / quad9
https://search.censys.io/certificates/4 ... a9ad7a/pem #nextdns

Not sure why but I think sntp helps, or at least I seemed to have less issues after adding the client? In Ros7 the command is different to what is listed earlier in this thread.

Make sure to disable any peer DNS on DHCP clients.

Eg working config for cloudflare:
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

/system ntp client set enabled=yes servers=time.cloudflare.com

/ip dns set servers=""

/ip dns static add name=cloudflare-dns.com address=1.1.1.1
/ip dns static add name=cloudflare-dns.com address=1.0.0.1
/ip dns static add name=cloudflare-dns.com address=2606:4700:4700::1111
/ip dns static add name=cloudflare-dns.com address=2606:4700:4700::1001

/ip dns set verify-doh-cert=yes use-doh-server=https://cloudflare-dns.com/dns-query

/ip dhcp-client set 0 use-peer-dns=no
/ipv6 dhcp-client set 0 use-peer-dns=no
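
Torch shows only the outside of a DoH session (TLS to port 443 on the resolver's address). For anyone who wants to check what actually travels inside it, here is an added example (Python, not from the thread and not RouterOS code) of the RFC 8484 encoding: an ordinary RFC 1035 wire-format DNS message is either POSTed with Content-Type application/dns-message or base64url-encoded without padding into the `dns` query parameter of a GET. The name queried and the response bytes at the bottom are constructed by hand so the block runs offline; 203.0.113.7 is a documentation address, not a real answer from any resolver.

```python
"""Build and decode the DNS messages carried inside a DoH exchange (RFC 8484).

Added example, not from the thread. Offline: the sample response is constructed.
"""
import base64
import ipaddress
import struct
from urllib.parse import urlencode


def encode_name(name):
    """Encode 'cloudflare-dns.com' as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, msg_id=0):
    """Wire-format query. RFC 8484 recommends ID 0 so that identical queries
    produce identical bytes and can be served from an HTTP cache."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(server_url, name, qtype=1):
    """GET form: base64url of the query with '=' padding removed (RFC 8484 s4.1)."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return server_url + "?" + urlencode({"dns": b64.decode("ascii")})


def decode_get_param(param):
    """Inverse of doh_get_url's encoding: restore padding, base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg, offset, max_hops=16):
    """Decode a possibly-compressed name; returns (name, offset after the name).
    A hop limit stops a crafted pointer loop from spinning forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_answers(msg):
    """Return [(name, type, ttl, rdata)] from the answer section.
    rdata is a dotted string for A/AAAA and raw bytes for other types."""
    _msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode:
        raise ValueError("server returned RCODE %d" % rcode)  # 3 = NXDOMAIN
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype in (1, 28):  # A / AAAA
            rdata = str(ipaddress.ip_address(rdata))
        answers.append((name, rtype, ttl, rdata))
    return answers


# Constructed response to an A query for example.test (not captured traffic).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)            # QR, RD, RA; 1 question, 1 answer
    + encode_name("example.test") + struct.pack("!HH", 1, 1)  # question: A IN
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)        # name ptr -> 12, A IN, TTL 300
    + bytes([203, 0, 113, 7])
)

if __name__ == "__main__":
    print(doh_get_url("https://cloudflare-dns.com/dns-query", "example.test"))
    print(parse_answers(SAMPLE_RESPONSE))
```

To use it against a live resolver you would send `build_query(...)` as the body of an HTTPS POST with `Content-Type: application/dns-message`, or fetch `doh_get_url(...)` with `Accept: application/dns-message`, and hand the response body to `parse_answers`; the same certificate-validation rules that RouterOS applies with verify-doh-cert=yes apply to that HTTPS client.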
 
evbocharov
newbie
Posts: 26
Joined: Tue May 25, 2021 11:06 pm

Re: DNS over HTTPS

Sat Mar 05, 2022 8:36 am

rb4011 - Ros 7.1.3 and 7.2rc4
If I use the config by mke: kernel panic.
The config by Mairis is OK, but not all of it is correct.
Make a new conf
## Static DNS servers - must be for resolve the DoH hostname
/ip dns set servers=1.1.1.1

## copy Certificate from Internet
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem

## add Certificate to Mikrotik
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

## Add Cloudflare DoH
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

## delete DNS cache 
/ip dns cache flush

##Check in your browser:
https://www.cloudflare.com/ssl/encrypted-sni/ 
Anybody know config for a Mullvad?
Thank you
 
madgrok
just joined
Posts: 7
Joined: Wed Jul 19, 2017 1:08 pm

Re: DNS over HTTPS

Sat Jun 04, 2022 2:32 pm

I'm constantly getting my logs flooded with max concurrent queries. I have increased max-concurrent-queries and max-concurrent-tcp-sessions, but still get the errors. Any suggestions would be greatly appreciated.

log
10:47:56 dns,warning DoH max concurrent queries reached, ignoring query

dns settings
[admin@RB3011UiAS] > ip dns print
                      servers: 
              dynamic-servers: 
               use-doh-server: https://1.1.1.1/dns-query
              verify-doh-cert: yes
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 250
  max-concurrent-tcp-sessions: 100
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 460KiB

Do you use domain names in your address list? If the list is large, RoS will send many requests to the DNS server until it has processed the entire list of domains.

P.S. English is not my native language, so please be kind to my mistakes. )
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Fri Jun 10, 2022 5:38 pm

I have the same problem but using OPENDNS as my DNS server

I'm using these rules for OPENDNS - https://<CENSORED>/mikrotik-dns-over-https-doh.html

Any tips to resolve this?
 
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: DNS over HTTPS

Fri Jun 10, 2022 6:02 pm

@marcelofares is your published url just there to make money with other advertising?
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Fri Jun 10, 2022 6:56 pm

Here is the correct Url from which I followed the steps for deploying OPEN DNS over DOH:
https://<CENSORED>/mikrotik-dns-over-https-doh.html
 
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: DNS over HTTPS

Fri Jun 10, 2022 7:05 pm

Again?
Want to give me a Gift ?
PayPal paypal.me/dfghdfghd
Saweria saweria.co/dfghdfghdfgh
Bitcoin asdfasdfasdfa
Publish the resulting script, not the URL or the AD...
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Fri Jun 10, 2022 7:08 pm

This is the configuration that I used for OPENDNS.
It's exactly the print screen of the censored site:
 
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: DNS over HTTPS

Fri Jun 10, 2022 7:15 pm

And on your System / Certificates what is present?
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Fri Jun 10, 2022 7:22 pm

Just this certificate:
 
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: DNS over HTTPS

Fri Jun 10, 2022 7:29 pm

It's the same cert as for Cloudflare https://1.1.1.1/dns-query

Test changing the string to https://208.67.222.222/dns-query
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Fri Jun 10, 2022 9:34 pm

It's the same cert as for Cloudflare https://1.1.1.1/dns-query

Test changing the string to https://208.67.222.222/dns-query
I think it solved. The errors logging stopped appearing. I just really hope I'm using DOH. :)
 
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: DNS over HTTPS

Fri Jun 10, 2022 9:59 pm

You simply change DNS to IP?
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Fri Jun 10, 2022 11:11 pm

You simply change DNS to IP?
The errors that were generated by the logging decreased, but I just received this alert by email.
Would it have something to do with Hotspot?
 
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: DNS over HTTPS

Fri Jun 10, 2022 11:49 pm

Until Docker support will be back so that you can run a decent DoH client, I'd say to stay away from using it and run your DNS on another box with AdGuardHome or whatever.
Less headaches.
 
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: DNS over HTTPS

Sat Jun 11, 2022 12:41 am

@Znevna
DOH is working fine.
2022-06-11_02-05-26.jpg
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 2:33 am

Is there anything I can do to resolve this issue?
 
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: DNS over HTTPS

Sat Jun 11, 2022 4:27 am

@marcelofares
Try to import the complete chain of trust (Root, Intermediates) certificates needed for the HTTPS communication with your DOH server.
2022-06-11_05-28-01.jpg
CLI
/certificate settings
set crl-download=yes crl-store=system crl-use=yes
/ip dns
set allow-remote-requests=yes use-doh-server="https://doh.opendns.com/dns-query" verify-doh-cert=yes
/ip dns static
add address=146.112.41.2 name=doh.opendns.com
add address=2620:119:fc::2 name=doh.opendns.com type=AAAA
/system clock
set time-zone-name=" "
/system logging
add prefix=DNS---> topics=dns,!packet
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
DOH servers
IP Address=146.112.41.2
DNS Name=doh.opendns.com
IP Address=2620:0119:00fc:0000:0000:0000:0000:0002
DNS Name=doh.familyshield.opendns.com
IP Address=146.112.41.3
IP Address=2620:0119:00fc:0000:0000:0000:0000:0003
DNS Name=doh.sandbox.opendns.com
IP Address=146.112.41.4
IP Address=2620:0119:00fc:0000:0000:0000:0000:0004
DNS Name=doh.umbrella.com
IP Address=146.112.41.5
IP Address=2620:0119:00fc:0000:0000:0000:0000:0005
Cisco OpenDNS certificates chain of trust
doh-opendns-com-chain.zip
Walkthrough Mozi://a
Virustotal scan of attachments
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 1:11 pm

I saw that you did not configure the Cisco DNS servers in this attached field. Is it necessary to configure or is it optional?
I'll test your tip above anyway and let you know :)
 
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: DNS over HTTPS

Sat Jun 11, 2022 2:00 pm

@marcelofares
I added the static A/AAAA records required for "https://doh.opendns.com" it should resolve the name query without any future requirements. When both DNS and DOH are configured DOH has a higher priority than DNS. However, I would recommend a typical DNS server too.
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 5:41 pm

@marcelofares
I added the static A/AAAA records required for "https://doh.opendns.com" it should resolve the name query without any future requirements. When both DNS and DOH are configured DOH has a higher priority than DNS. However, I would recommend a typical DNS server too.
Your configuration is working 100%
Only two things I wanted to point out.

1 - The CISCO OPENDNS certificate has only 380 days of validity, and my concern is to know, how to renew after it expires?

2 - I didn't add any static AAAA IPV6 entries because we don't use this protocol, just IPV4 and everything is working this way.

3 - When using DOH, is it necessary to create a rule in the filter table of the Firewall, to prevent someone from trying to consult another DNS server? As we already do with queries on UDP and TCP ports 53.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 6:44 pm

You shouldn't need intermediate certificates, they are sent by server. And no, you can't easily block other DoH servers, because they use port 443, same as https used by web. So you can block it, but you'll basically block most of what users see as internet.
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 6:54 pm

You shouldn't need intermediate certificates, they are sent by server. And no, you can't easily block other DoH servers, because they use port 443, same as https used by web. So you can block it, but you'll basically block most of what users see as internet.

You mean if I enable DOH on my network, but someone smarter tries to change their workstation's default DNS, they'll be able to change their queries to another DNS server? If so, from a security point of view, this is terrible.
 
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 7:03 pm

That's what DoH (and others similar) was created for, so you can't spy on/track/hijack your clients' DNS requests.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 7:10 pm

Exactly, that's what happens, action and reaction, too many people were sticking their noses in someone else's DNS queries, so someone else came up with solution that prevents it (DoH).
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 7:32 pm

That's what DoH (and others similar) was created for, so you can't spy on/track/hijack your clients' DNS requests.
Yes, that's exactly what DOH is used for, to avoid spying on the vulnerable DNS protocol itself. However, at the same time that DOH avoids this, someone connecting within my local network can change the DNS on their local computer to another one, go out, and skip the filter control. I mean filtering via DNS with OPENDNS or other servers that provide content filtering and blocking, do you understand this point? That's why I asked if there is any way to prevent someone from within your local network from changing the name resolution from your default DNS server to another one with DOH, in order to bypass the default DNS server filter defined on the router.
Last edited by marcelofares on Sat Jun 11, 2022 7:54 pm, edited 1 time in total.
 
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 7:40 pm

Yes, you move around the house with a baseball bat and stare angry at intruders that dare to bypass your restrictions.
Or you stop relying on DNS alone as a content filter solution.
 
inteq
Member
Member
Posts: 402
Joined: Wed Feb 25, 2015 8:15 pm
Location: Romania

Re: DNS over HTTPS

Sat Jun 11, 2022 7:47 pm

That's what DoH (and others similar) was created for, so you can't spy on/track/hijack your clients' DNS requests.
While at the same time most DoH "supporters" use cloudflare, google and Co servers. The mothers of all spies.
DoH is a stupid idea.
 
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 7:49 pm

Using one mother of all spies DoH resolver bypasses your dads restrictions. Fine with a lot of italians.
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 8:04 pm

In my view, DOH would only be sensational, if it were possible, to prevent smart users from within your local network from changing the router's resolution server to another of your choice, leaving the user to choose, which server query he wants to use, even though he knows that DNS server filters would be lost.

But also, I cannot disregard the security with encryption that the DOH provides, therefore, we have to put ourselves in the balance to know which is the best for our scenarios.
 
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 9:03 pm

Ok, in my home network I run network-wide DNS hijacking because of the lots of IoTs sending queries all over the place with hardcoded addresses.
On top of that I redirect them to a local AdGuardHome instance, which I've set to use NextDNS as upstream.
Whatever gets past AdGuardHome most of the time gets caught by NextDNS, which has a few extra knobs and features; either way I have two sets of logs in case something is fishy.
Now, NextDNS has a feature that blocks bypass methods which is advertised as
"Prevent or hinder the use of methods that can help bypass NextDNS filtering on the network. This includes VPNs, proxies, Tor-related software and encrypted DNS providers."
I guess it blocks known DNS providers, VPNs etc., still at DNS level; you could do the same but it won't be easy keeping a list of all that up-to-date.
I'm not using that feature. If someone from inside the network wants to see ads in browsers and games and tracking and etc., they are free to do so, using one of those bypassing methods.
I'm not using the RouterOS resolver for anything else than being a sinkhole for the local domain queries, which I find not amusing because of the timeout it adds (for non-existent records). I'll have to find a better solution for this, and discard it completely from the setup, but at least they don't get forwarded to upstream for now.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 9:24 pm

You could try to block access to well known servers, e.g. from this list (that's several times more than I knew):

https://github.com/curl/curl/wiki/DNS-o ... le-servers

Problem is, there are probably many more. And even if not, look how simple it is to run your own:

https://github.com/NotMikeDEV/DoH/blob/master/dns.php

Some free hosting with php, this tiny script, and you have working DoH proxy.
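
Since outright blocking is impractical (it is ordinary TCP/443, as said above), a more realistic step is to log flows to the well-known resolver addresses and see which LAN hosts bypass the router's resolver. Here is an added example (Python, not from the thread and not RouterOS code) of that log pass. The resolver set is only the handful of addresses that appear in this thread and is an assumption; a real list, e.g. the curl wiki one linked above, needs upkeep. The log lines are constructed in the shape of RouterOS firewall log entries (IPv4 only) and are not captured traffic; plain port-53 traffic is left to the NAT redirect discussed in the thread and is not flagged.

```python
"""Find LAN hosts that talk directly to known DoH/DoT resolvers.

Added example, not from the thread. Resolver list and log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: only the resolver addresses mentioned in this thread.
KNOWN_RESOLVERS = {
    ipaddress.ip_address(a) for a in (
        "1.1.1.1", "1.0.0.1", "104.16.248.249", "104.16.249.249",
        "8.8.8.8", "8.8.4.4",
        "146.112.41.2", "146.112.41.3", "146.112.41.4", "146.112.41.5",
        "94.140.14.14", "94.140.15.15",
    )
}
# DoH (443) and DoT (853); UDP 443/853 cover HTTP/3- and QUIC-based variants.
ENCRYPTED_DNS_PORTS = {("tcp", 443), ("udp", 443), ("tcp", 853), ("udp", 853)}

# Matches the flow part of a RouterOS firewall log line, e.g.
# "proto TCP (SYN), 192.168.88.10:51234->1.1.1.1:443"
FLOW_RE = re.compile(
    r"proto (?P<proto>TCP|UDP)[^,]*, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def classify(line):
    """Return (src, dst, proto, dport) when the line is a flow to a known
    encrypted-DNS endpoint, otherwise None."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    proto, dport = m["proto"].lower(), int(m["dport"])
    dst = ipaddress.ip_address(m["dst"])
    if (proto, dport) in ENCRYPTED_DNS_PORTS and dst in KNOWN_RESOLVERS:
        return m["src"], str(dst), proto, dport
    return None


def bypassing_hosts(lines):
    """Map each LAN source address to the set of (resolver, proto, port) it reached."""
    hits = defaultdict(set)
    for line in lines:
        found = classify(line)
        if found:
            src, dst, proto, dport = found
            hits[src].add((dst, proto, dport))
    return dict(hits)


# Constructed sample, shaped like RouterOS "log=yes log-prefix=doh-watch" output.
SAMPLE_LOG = [
    "firewall,info doh-watch forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.10:51234->1.1.1.1:443, len 60",
    "firewall,info doh-watch forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.10:51240->104.16.248.249:443, len 60",
    "firewall,info doh-watch forward: in:bridge out:ether1, proto UDP, 192.168.88.23:40000->8.8.8.8:53, len 70",
    "firewall,info doh-watch forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.23:40001->8.8.8.8:853, len 60",
    "firewall,info doh-watch forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.40:40002->203.0.113.5:443, len 60",
]

if __name__ == "__main__":
    for host, endpoints in sorted(bypassing_hosts(SAMPLE_LOG).items()):
        print(host, "->", sorted(endpoints))
```

Feed it the output of a forward-chain rule that logs (not drops) new TCP/UDP connections to ports 443 and 853 toward the resolver address list; the third sample line shows that plain DNS to 8.8.8.8 is deliberately not reported here, and the last one that ordinary HTTPS to an unknown address is not either.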
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Sat Jun 11, 2022 9:54 pm

Ok, in my home network I run network-wide DNS hijacking because of the lots of IoTs sending queries all over the place with hardcoded addresses.
On top of that I redirect them to a local AdGuardHome instance, which I've set to use NextDNS as upstream.
Whatever gets past AdGuardHome most of the time gets caught by NextDNS, which has a few extra knobs and features; either way I have two sets of logs in case something is fishy.
Now, NextDNS has a feature that blocks bypass methods which is advertised as
"Prevent or hinder the use of methods that can help bypass NextDNS filtering on the network. This includes VPNs, proxies, Tor-related software and encrypted DNS providers."
I guess it blocks known DNS providers, VPNs etc., still at DNS level; you could do the same but it won't be easy keeping a list of all that up-to-date.
I'm not using that feature. If someone from inside the network wants to see ads in browsers and games and tracking and etc., they are free to do so, using one of those bypassing methods.
I'm not using the RouterOS resolver for anything else than being a sinkhole for the local domain queries, which I find not amusing because of the timeout it adds (for non-existent records). I'll have to find a better solution for this, and discard it completely from the setup, but at least they don't get forwarded to upstream for now.
But Cisco's OPENDNS also has this type of filtering, which is precisely why I see a downside to using DOH, as I can bypass the DNS server defined in RouterOS. Without DOH, it's practically impossible to get around, assuming we have a NAT rule that only allows specific outbound DNS.
 
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: DNS over HTTPS

Tue Jul 26, 2022 7:23 pm

On the filter you have forgotten: religious, tobacco and politics.
Three drugs worse than sex ...
 
ivicask
Member
Member
Posts: 417
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: DNS over HTTPS

Wed Oct 19, 2022 11:09 am

I have an entire collection of various DoH related errors. I'm using NextDNS DOH and I don't have issues using their DNS client for Windows or using it, for example, directly in my Samsung phone, but on MikroTik every day I have 1-3 minute DNS blackouts or random delays followed by the attached errors.

Is this something that MikroTik should fix on their side? NextDNS support pretty much says nothing is wrong on their side..

Attached screen is from 7.6 stable but nothing is changed since early versions of v7.
 
orangutan
just joined
Posts: 3
Joined: Mon Nov 28, 2022 8:08 pm

Re: DNS over HTTPS

Mon Nov 28, 2022 8:23 pm

I replaced RouterOS with OpenWrt + dnscrypt-proxy2 because DoH on MikroTik is really very unstable.
With OpenWrt + dnscrypt-proxy2 no issues at all.
I will go back to using RouterOS when DoH is really stable.

***

Update:

after watching https://youtu.be/w4erB0VzyIE
I realized I didn't add:
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53
which is not written here: https://help.mikrotik.com/docs/display/ROS/DNS

So I did a netinstall of RouterOS v7.6 from OpenWrt.
My DoH config with AdGuard:
Upload the (PEM) CA certificate downloaded from Firefox for https://dns.adguard-dns.com/dns-query
/ip dns static add name=dns.adguard-dns.com address=94.140.14.14 comment="AdGuard DNS"
/ip dns static add name=dns.adguard-dns.com address=94.140.15.15
/ip dns static add name=dns.adguard-dns.com address=2a10:50c0::ad1:ff type=AAAA
/ip dns static add name=dns.adguard-dns.com address=2a10:50c0::ad2:ff type=AAAA
/ip dns set use-doh-server=https://dns.adguard-dns.com/dns-query verify-doh-cert=yes
/ip dns set allow-remote-requests=yes
/ip dhcp-client set [interface] use-peer-dns=no
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53 comment="Redirect port 53"
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53

No errors appear after a few hours. :D
Log.png

EDIT:
Ah, the error appears again. :(
Log2.png
Last edited by orangutan on Tue Dec 27, 2022 3:46 am, edited 3 times in total.
 
evbocharov
newbie
Posts: 26
Joined: Tue May 25, 2021 11:06 pm

Re: DNS over HTTPS

Wed Dec 07, 2022 1:33 pm

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
Hello. I don't understand. In the DoH video you say to disable the static DNS.
But in the manual at https://help.mikrotik.com/docs/display/ROS/DNS:
"We need at least one regular DNS server configured for the router to resolve the DoH hostname"
Which is true? Disable, or must use? I use the time server time.google.com, but I insert its IP (216.239.35.8) in the NTP client.
Thank you
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Fri Dec 16, 2022 11:43 am

@evbocharov
MikroTik's initiative to make simple explanatory videos or mini courses on basic settings is commendable.
As far as disabling the DNS server on the router goes, I think it shouldn't happen, because in case the remote DNS fails it can switch to a second alternative DoH server. This is evident from the manual, which states "RouterOS prioritizes DoH over DNS servers if both are configured on the device."
The problem is that it's not like that at all, or rather, if the remote server goes down, the alternative server doesn't work, and the addresses with the local server (which has a completely different address from the encrypted one) are not resolved at all, and you can even read an error in the log files.
This is the problem I have had since DoH was implemented. I ask you (and I also ask everyone reading): have you done any test to see if you always have redundancy in the DNS?
 
orangutan
just joined
Posts: 3
Joined: Mon Nov 28, 2022 8:08 pm

Re: DNS over HTTPS

Sat Dec 17, 2022 4:16 pm

I give up!
I ended up setting up DoH using another tool and never had a problem.
DoH on MikroTik is half baked.
Lots of complaints on the internet. :(
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Sat Dec 17, 2022 5:40 pm

@orangutan,
it would be nice if it worked fully, i.e. maintained redundancy on a second DoH; for now I solved it with AdGuard in Docker, to which, via DHCP, I route the traffic of some clients on my LAN.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DNS over HTTPS

Sun Dec 18, 2022 12:19 pm

@orangutan
With only 2 posts here on the forum, it does not look like you have investigated much into how to get it to work.
 
orangutan
just joined
Posts: 3
Joined: Mon Nov 28, 2022 8:08 pm

Re: DNS over HTTPS

Mon Dec 19, 2022 12:43 am

@Jotne

/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53

hmmm... it looks like replacing 'redirect' with 'dst-nat' solved the problem.
no errors for several hours.
i hope so.

Update:

A lot of
DoH server connection error: SSL: handshake timed out (6)
DoH server connection error: SSL: internal error (6)
DoH server connection error: remote disconnected while in HTTP exchange
DoH server connection error: while sending - Broken pipe
DoH server connection error: SSL: ssl: close notify received (6)

:lol: 🏳️
Last edited by orangutan on Tue Dec 27, 2022 3:47 am, edited 2 times in total.
 
evbocharov
newbie
Posts: 26
Joined: Tue May 25, 2021 11:06 pm

Re: DNS over HTTPS

Wed Dec 21, 2022 7:51 pm

I don't understand why the video recommends using DNS redirect on port 53, because DoH uses port 443.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Thu Dec 22, 2022 9:31 am

Because you are "catching" regular old DNS requests (port 53) from your LAN users, and "forcing" them to use encrypted DNS (DoH port 443). This is what that rule does. Takes unencrypted DNS and sends it to encrypted DNS.
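The redirect rule described above hands the router plain port-53 queries; what then travels inside the TLS connection to port 443 is the same RFC 1035 message, carried as an RFC 8484 `application/dns-message` body. The following added example (written for this page, not code from the post or from MikroTik) builds such a query, produces the base64url form used by DoH GET requests, and parses a reply, rejecting the forward and self-referential compression pointers a hostile resolver could send. The reply bytes are constructed by hand, not captured from a live server.

```python
"""DNS messages as DoH carries them (RFC 8484, application/dns-message).

Added example for this page, not code from the post or from MikroTik.
SAMPLE_REPLY is constructed by hand to look like a resolver's answer for
cloudflare-dns.com; it was not captured from a live server.
"""
import base64
import socket
import struct


def build_query(name, qtype=1, txid=0):
    """Encode a one-question query with RD=1. These bytes are exactly the body
    of a DoH POST; RFC 8484 suggests txid 0 so identical questions give
    identical bodies and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_param(query):
    """Value of the ?dns= parameter for a DoH GET: base64url, no '=' padding."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def query_from_get_param(param):
    """Inverse of doh_get_param (what a DoH server does on GET)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _read_name(msg, off):
    """Decode a possibly compressed name at off. Returns (name, offset just past
    the name in the outer stream). Pointers must point backwards (RFC 1035
    4.1.4); enforcing that also rejects self-referencing and looping pointers."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if ptr >= off or hops > 16:
                raise ValueError("bad compression pointer")
            if not jumped:
                end, jumped = off + 2, True
            off = ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Parse header, question and answer sections. A/AAAA rdata is rendered
    as text, anything else as hex."""
    if len(msg) < 12:
        raise ValueError("short message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            data = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28 and rdlen == 16:
            data = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            data = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def response_is_valid(msg):
    """True if msg parses cleanly; False for truncated or malicious encodings."""
    try:
        parse_response(msg)
        return True
    except (ValueError, struct.error):
        return False


# Constructed reply: two A records for cloudflare-dns.com, names compressed
# with a pointer (0xC00C) back to the question at offset 12.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0)
    + b"\x0ecloudflare-dns\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([104, 16, 248, 249])
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([104, 16, 249, 249])
)

if __name__ == "__main__":
    q = build_query("cloudflare-dns.com")
    print("POST body:", q.hex())
    print("GET ?dns=", doh_get_param(q))
    print(parse_response(SAMPLE_REPLY))
```

The body the router sends over port 443 is `build_query(...)` unchanged; the client and the dstnat-redirected LAN query differ only in transport. The backward-only pointer check matters because a resolver (or anyone who can answer when verify-doh-cert=no) controls every byte of the reply.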
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Thu Dec 22, 2022 9:38 am

@normis,
how could you do to ensure the continuity of the encrypted DNS on a second DoH (a kind of failover...)?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Thu Dec 22, 2022 9:40 am

in routerOS you can't set two active DoH servers, for any more complex scenarios, set up PiHole in Docker and then let it handle DoH
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Thu Dec 22, 2022 9:45 am

Hello, yes, I've already done so, but if the possibility existed it would have been very convenient.
 
judoleza
just joined
Posts: 5
Joined: Sun Jan 17, 2021 8:26 pm

Re: DNS over HTTPS

Sun Dec 25, 2022 11:07 am

Probably because it was easier?
I would say DoT uses a specific TCP port, 853 (and cannot use UDP communication by design), which is being blocked by providers on purpose.
It makes no sense to implement DoT for the vast majority of users, who are obviously dependent on the provider's infrastructure.
Conclusively, in regards to DoT, "to implement and include in network designs" makes sense mostly for the providers' setups.
Well, it might depend on which sector MikroTik feels in its guts.
But most probably it is not (DoH rather than DoT) because it is "easier".
 
johnvam
newbie
Posts: 32
Joined: Thu Sep 03, 2009 8:34 pm

Re: DNS over HTTPS

Wed Jan 11, 2023 7:04 pm

Hello!
I have one question. Is the option Verify DoH Certificate mandatory?
Because I set https://cloudflare-dns.com/dns-query and everything works fine!
Does the verify DoH certificate option help somehow?
Thank you
 
johnvam
newbie
Posts: 32
Joined: Thu Sep 03, 2009 8:34 pm

Re: DNS over HTTPS

Thu Jan 12, 2023 9:13 am

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
Hello @normis

Is Verify DoH Certificate mandatory? Because I can still use Cloudflare DoH if I uncheck that.
What's the purpose of that feature?

Thank you
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Thu Jan 12, 2023 10:17 am

  • If you want to learn more about certificates, type in a search engine: what digital certificates are and how they work. You will find many guides that explain the mechanism in a more or less complex way.
  • Essentially, what I can tell you in a few words and with my little experience is that digital signature verification is a procedure that is used to make sure of the integrity and originality of the DNS.
  • If you leave it out, in case of a cyber attack anyone can disrupt the DNS by replacing it... At first, enabling DoH certificate verification caused memory saturation on some routers like mine, but you will find everything written above this post if you have the perseverance to read everything.
 
evbocharov
newbie
Posts: 26
Joined: Tue May 25, 2021 11:06 pm

Re: DNS over HTTPS

Thu Jan 12, 2023 6:25 pm

in routerOS you can't set two active DoH servers, for any more complex scenarios, set up PiHole in Docker and then let it handle DoH
Is there a plan to upgrade DoH to configure several servers at the same time, with priority given to those servers that respond to DNS queries faster?
For example, in Keenetic up to 8 servers can be used.
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Thu Jan 12, 2023 7:08 pm

@evbocharov,
if you have a router with a lot of memory you can install Docker on it (or a Raspberry Pi) with RouterOS 7.6 and later and run Pi-hole or AdGuard Home, and you can configure a lot of alternative DNS servers. I did that:
doh.png
it is really all very simple.
But I still have some problem in RouterOS: from the DHCP lease, in fact, I can't get it to switch between options automatically in case of a malfunction.
dhcpoptions.png
 
evbocharov
newbie
Posts: 26
Joined: Tue May 25, 2021 11:06 pm

Re: DNS over HTTPS

Sun Jan 15, 2023 11:27 am

When I reconfigured the default DNS settings, MT is now stable, without errors in the log.
Your scheme is a crutch.
I use the DHCP server in MT.
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Sun Jan 15, 2023 1:04 pm

When I reconfigured the default DNS settings, MT is now stable, without errors in the log.
Your scheme is a crutch.
I use the DHCP server in MT.
I didn't quite understand if you resolved it or not.
I ask you this: if you simulate the DoH DNS dropping, does your LAN still resolve addresses (and if so, what DNS does it use), or does it crash?
 
evbocharov
newbie
Posts: 26
Joined: Tue May 25, 2021 11:06 pm

Re: DNS over HTTPS

Mon Jan 16, 2023 8:44 pm

When I reconfigured the default DNS settings, MT is now stable, without errors in the log.
Your scheme is a crutch.
I use the DHCP server in MT.
I didn't quite understand if you resolved it or not.
I ask you this: if you simulate the DoH DNS dropping, does your LAN still resolve addresses (and if so, what DNS does it use), or does it crash?
When the DoH DNS drops, the LAN does not resolve addresses.

What if I use 2 IPs?
/ip dns static add address=1.1.1.1 name=cloudflare-dns.com
/ip dns static add address=104.16.248.249 name=cloudflare-dns.com
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Mon Jan 16, 2023 10:03 pm

@evbocharov,
so you also noticed that this:
prioritize.png
does not always correspond to the truth?
 
evbocharov
newbie
Posts: 26
Joined: Tue May 25, 2021 11:06 pm

Re: DNS over HTTPS

Fri Feb 03, 2023 5:48 pm

Hello. What do these settings mean?
/certificate settings
set crl-download=yes crl-store=system crl-use=yes

If I use https://curl.se/ca/cacert.pem and Google DoH.
Thank you
 
evbocharov
newbie
Posts: 26
Joined: Tue May 25, 2021 11:06 pm

Re: DNS over HTTPS

Mon Feb 06, 2023 8:00 pm

It is sad, but on all pieces of hardware under the control of ROS 7, today they turned off the use of DoH. Errors keep popping up! It's time for the support service to admit that it doesn't work stably.
Let's hope they get it to work.
 
User avatar
p0p
just joined
Posts: 14
Joined: Mon Feb 13, 2023 1:34 pm

Re: DNS over HTTPS

Mon Feb 13, 2023 4:52 pm

I want to use Cloudflare as my DNS provider with DoH enabled.
I'm using a MikroTik Chateau 5G AX.

Questions:
0. General Questions
0.1. If I'm using Safe Mode in WinBox and enter commands in the terminal, are they also reverted like changes in the UI?

1. Certificate
1.1. It's not mandatory to import the certificate, right?
Step1: /tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
Step2: /certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
Step3: /ip dns set verify-doh-cert=yes
1.2. As I understand it, the certificate is automatically recognised and validated by RouterOS. Is that correct?
1.3. If it is mandatory to manually import the certificate, the certificate will expire someday. What are the required steps to automate the import to avoid an invalid cert?

2. Implementation
2.1. If needed, I need to download the certificate first as mentioned, as DNS resolving issues might occur, right?
If the cert is not installed I get this error in the log:
DoH server connection error: SSL: ssl: no trusted CA certificate found (6)
And I can't connect to the internet anymore.
2.2. As the Chateau 5G AX is an "LTE based" device, my provider would give me a DNS server, therefore I need to go to
Interface > LTE > LTE APNs > Disable Peer DNS
to avoid having a dynamic DNS server entry under
IP > DNS
So far so good? Anything I missed in this step?
2.3. Afterwards under
IP > DNS > Servers
I have to enter
1.1.1.1
1.0.0.0
2606:4700:4700::1111
2606:4700:4700::1001
Is that correct?
2.4. For DoH under
IP > DNS > Servers
I have to enter
https://1.1.1.1/dns-query
and enable the tick
"Verify DoH Certificate"
2.5. And under
IP > DNS > Static
Add the entries
Name: cloudflare-dns.com
Type: A
Address: 1.1.1.1

Name: cloudflare-dns.com
Type: A
Address: 1.0.0.1

Name: cloudflare-dns.com
Type: AAAA
IP v6 Address: 2606:4700:4700::1111

Name: cloudflare-dns.com
Type: AAAA
IP v6 Address: 2606:4700:4700::1001
Is everything correct this way?
Last edited by p0p on Mon Feb 13, 2023 5:24 pm, edited 2 times in total.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS over HTTPS

Mon Feb 13, 2023 7:34 pm

1.1 Yes and no. You can skip the certificate, set verify-doh-cert=no and it will work. But the point of certificates is to ensure that nobody between you and the target server can read or change what you both send and receive. If you don't verify certificates, anyone on the way can fiddle with your data. You probably don't want that.

1.2 If you have the right root certificate and you tell RouterOS to use it (verify-doh-cert=yes), then it will recognize that it's the right certificate for the given server. And it will tell you if not.

1.3 This is something without a foolproof solution. Root certificates have very long validity, e.g. this one is good until 2031. That is, until something happens. The server's operator might decide to get a certificate from a different CA and then you'd need a different root certificate. Or a CA loses their key and will be forced to make a new root certificate (this one is quite unlikely). Or an algorithm will be broken and there will have to be completely different certificates. Regular OSes like Windows handle this by including root certificates from trusted CAs in system updates. RouterOS so far doesn't do anything like that. Perhaps it would be a good idea if it did, but there are many CAs and they would either have to decide themselves what is trusted, or they would have to take that from someone else.

2.1 If you want it completely safe, you can't do it on the router, because it initially doesn't have any certificate to verify the one used by the https server you'd download this one from. But you can easily download it using your web browser and upload it to the router.

2.2 Yes. But AFAIK RouterOS should prefer DoH if you configure it.

2.3 No

2.4 Yes

2.5 No (or yes, if in 2.4 you use https://cloudflare-dns.com/dns-query)
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: DNS over HTTPS

Mon Feb 13, 2023 8:10 pm

I want to use Cloudflare as my DNS provider with DoH enabled.
I'm using a MikroTik Chateau 5G AX.[ARM based so has /container]

A more radical solution is to use the CloudFlare container's "proxy-dns" option, in a container.

What this does for you is run a DNS resolver on the container's IP address, which you can either use directly in DHCP or indirectly via the RouterOS DNS (e.g. /ip/dns/servers= the cloudflared proxy-dns container's IP). Inside the Cloudflare container, it uses DoH to send the request to Cloudflare. To set it up you can follow @Normis's video on Cloudflare, but instead of doing anything in Cloudflare Zero Trust, you just need to change the "tunnel XXXX" in the cmd to "proxy-dns". (If you want both, you may need to run two containers, but dunno.)

See https://developers.cloudflare.com/1.1.1 ... ps-client/
Container is here: https://hub.docker.com/r/cloudflare/cloudflared
Last edited by Amm0 on Mon Feb 13, 2023 8:34 pm, edited 2 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DNS over HTTPS

Mon Feb 13, 2023 8:14 pm

Sounds like more reasons to put the Zero Trust Cloudflare tunnel as an options package for ALL MT devices, not just those that can hold complex containers............. DoH apparently not so easy based on reading this thread.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: DNS over HTTPS

Mon Feb 13, 2023 8:16 pm

@anav, LOL. I was just waiting for your pitch... I would have guessed an hour, but I couldn't even edit my post before you commented. But I'd be more sympathetic if you'd actually even tried or used the service ;)

* And, I'm still waiting for Mikrotik DNS to support PTR records, so static DNS-SD can be configured in RouterOS (e.g. unicast version of mDNS). The RFC is from 2013.
 
mtf
just joined
Posts: 6
Joined: Mon Dec 12, 2022 12:23 am

Re: DNS over HTTPS

Mon Jul 10, 2023 7:55 pm

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
Hello normis, could you please check my thread too? I'm lost on the DoH part, thanks
viewtopic.php?t=191624
 
User avatar
Kamaz
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Sun Apr 30, 2017 9:35 am

Re: DNS over HTTPS

Mon Jul 31, 2023 10:21 pm

Hello everybody. Can somebody please help me with my problems.
Here is my config
/ip dhcp-client set WAN use-peer-dns=no

/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53 comment="Redirect port 53"
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53

/ip dns static
add address=1.1.1.1 name=cloudflare-dns.com
add address=1.0.0.1 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
add address=1.1.1.2 name=security.cloudflare-dns.com
add address=1.0.0.2 name=security.cloudflare-dns.com
add address=1.1.1.3 name=family.cloudflare-dns.com
add address=1.0.0.3 name=family.cloudflare-dns.com
When I configured Cloudflare as my DOH server everything was fine:
/ip dns set servers=1.1.1.1
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem
/ip dns set verify-doh-cert=yes use-doh-server=https://cloudflare-dns.com/dns-query
/system ntp client set enabled=yes servers=time.cloudflare.com
/ip dns set servers=""
/ip/dns/cache flush

Next to it I tried to change my DOH server to
https://family.cloudflare-dns.com/dns-query
or
https://1.1.1.3/dns-query
but no luck; it looks like it requires another certificate. A lot of SSL-related errors appeared. The first question is where and how can I get this certificate?

In the end, when I tried to use the config for NextDNS, my "Free HDD space" went to 0. These certificates occupied all my free space (1000 KB, AC2, ROS 7.10.2)!!!
I was forced to do a NetInstall and restore using a backup.
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns set use-doh-server="https://dns.nextdns.io/asdf23/mikrotik.lite22" verify-doh-cert=yes
/ip dns set servers=""
/ip/dns/cache flush
So the second question: how can I import a certificate specifically for NextDNS and avoid this huge list from curl.se? Can somebody please explain to me how to do that?

Thanks in advance!
 
Pea
Member Candidate
Member Candidate
Posts: 229
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: DNS over HTTPS

Tue Aug 01, 2023 3:07 pm

 
User avatar
Kamaz
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Sun Apr 30, 2017 9:35 am

Re: DNS over HTTPS

Wed Aug 02, 2023 7:43 pm

Yeh, it works, thank you!
 
Simonej
Frequent Visitor
Frequent Visitor
Posts: 56
Joined: Sun Aug 22, 2021 3:34 am

Re: DNS over HTTPS

Mon Aug 07, 2023 9:43 pm

At the end when I tried to use config for NextDNS, my "Free HDD space" went to 0. These certificates occupied all my free space (1000KB, AC2, ROS 7.10.2 )!!!
This is what I'm using to "clean" certificates for NextDNS:
/tool fetch url="https://curl.se/ca/cacert.pem" dst-path="cacert.pem"
/certificate remove [find where authority expired]
/certificate import file-name="cacert.pem"
/certificate remove [find where name~"cacert" and !(common-name~"USERTrust")]
/file remove "cacert.pem"
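The script above imports the whole bundle and only afterwards deletes everything except the USERTrust entries, which on a board with 16 MB of flash is exactly the step that filled the disk in the post it answers. The added example below (written for this page, not code from the post, from MikroTik or from curl) does the trimming off-router on the text of curl's cacert.pem, so only the needed root is ever uploaded. It relies on the bundle's layout of a CA name line, an `=` underline and the PEM block; SAMPLE_BUNDLE is a constructed stand-in with dummy base64 bodies, and ROOT_FOR_SERVER records only what posters in this thread observed, which must be re-checked against the chain a browser shows today.

```python
"""Trim curl's cacert.pem to the root(s) a DoH server actually chains to, so a
router with little flash imports one certificate instead of the whole bundle.

Added example for this page, not code from the post, MikroTik or curl. It
relies on the bundle's layout: a CA name line, an '=' underline, then the PEM
block. SAMPLE_BUNDLE is a constructed stand-in whose base64 bodies are dummies,
not real certificates. ROOT_FOR_SERVER records what posters in this thread
found at the time; a server may change CA, so confirm against the chain your
browser shows before relying on it.
"""
import re

_ENTRY = re.compile(
    r"^(?P<name>[^\n]+)\n=+\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)

ROOT_FOR_SERVER = {  # as observed in this thread, not an authoritative mapping
    "cloudflare-dns.com": "DigiCert Global Root",
    "dns.nextdns.io": "USERTrust",
    "doh.opendns.com": "IdenTrust",
}

SAMPLE_BUNDLE = """\
##
## Constructed stand-in for curl's cacert.pem (three entries, dummy bodies)
##

DigiCert Global Root CA
=======================
-----BEGIN CERTIFICATE-----
MIIDUMMYDIGICERTNOTAREALCERTIFICATE
-----END CERTIFICATE-----

USERTrust RSA Certification Authority
=====================================
-----BEGIN CERTIFICATE-----
MIIDUMMYUSERTRUSTNOTAREALCERTIFICATE
-----END CERTIFICATE-----

GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
MIIDUMMYGLOBALSIGNNOTAREALCERTIFICATE
-----END CERTIFICATE-----
"""


def split_bundle(text):
    """(ca_name, pem_block) pairs in bundle order."""
    return [(m.group("name"), m.group("pem")) for m in _ENTRY.finditer(text)]


def select_roots(text, wanted):
    """Keep entries whose CA name contains any of the wanted substrings."""
    needles = [w.casefold() for w in wanted]
    return [(n, p) for n, p in split_bundle(text)
            if any(w in n.casefold() for w in needles)]


def roots_for_server(text, server):
    """Entries for the root this thread associates with a DoH server name."""
    return select_roots(text, [ROOT_FOR_SERVER[server]])


def write_bundle(entries):
    """Re-emit entries in the same layout, ready for /certificate import."""
    return "\n".join(f"{n}\n{'=' * len(n)}\n{p}\n" for n, p in entries)


if __name__ == "__main__":
    trimmed = write_bundle(roots_for_server(SAMPLE_BUNDLE, "dns.nextdns.io"))
    print(trimmed)
    print(f"{len(SAMPLE_BUNDLE)} -> {len(trimmed)} bytes")
```

Save the output as a file, upload it and run `/certificate import file-name=<that file>`; only the selected root lands in the store, so the `/certificate remove` clean-up step above is no longer needed and the flash is never filled in between.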
 
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Tue Aug 08, 2023 7:44 pm

It is sad, but on all pieces of hardware under the control of ROS 7, today they turned off the use of DoH. Errors keep popping up! It's time for the support service to admit that it doesn't work stably.
install Docker on ROS 7 (if you have enough memory) and then Pi-hole or dnsguard and manage the DoH easily. (I've been using it for a few years now and never had a problem)
 
infabo
Long time Member
Long time Member
Posts: 585
Joined: Thu Nov 12, 2020 12:07 pm

Re: DNS over HTTPS

Wed Aug 09, 2023 12:09 pm

It is sad, but on all pieces of hardware under the control of ROS 7, today they turned off the use of DoH. Errors keep popping up! It's time for the support service to admit that it doesn't work stably.
could you please be more specific?
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Mon Aug 28, 2023 1:13 am

@marcelofares
Try to import the complete chain of trust (Root, Intermediates) certificates needed for the HTTPS communication with your DoH server.
2022-06-11_05-28-01.jpg
CLI
/certificate settings
set crl-download=yes crl-store=system crl-use=yes
/ip dns
set allow-remote-requests=yes use-doh-server="https://doh.opendns.com/dns-query" verify-doh-cert=yes
/ip dns static
add address=146.112.41.2 name=doh.opendns.com
add address=2620:119:fc::2 name=doh.opendns.com type=AAAA
/system clock
set time-zone-name=" "
/system logging
add prefix=DNS---> topics=dns,!packet
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
DoH servers
doh.opendns.com: 146.112.41.2, 2620:119:fc::2
doh.familyshield.opendns.com: 146.112.41.3, 2620:119:fc::3
doh.sandbox.opendns.com: 146.112.41.4, 2620:119:fc::4
doh.umbrella.com: 146.112.41.5, 2620:119:fc::5
Cisco OpenDNS certificates chain of trust
doh-opendns-com-chain.zip
Walkthrough (Mozilla)
Virustotal scan of attachments


Where did you get this OPENDNS certificate that has already expired?
doh-opendns-com-chain.zip
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: DNS over HTTPS

Mon Aug 28, 2023 4:30 am

Were you in your underground bunker?
Yes, it seems that it's expired.
Screenshot 2023-08-28 045700.png
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Mon Aug 28, 2023 5:14 am

Were you in your underground bunker?
Yes, It seems that it's expired.
Screenshot 2023-08-28 045700.png
Any way to get it again with a new expiration date?
Where to get it, do you know?
 
User avatar
frank333
Member
Member
Posts: 328
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM+RBM11G

Re: DNS over HTTPS

Mon Aug 28, 2023 10:50 am

@marcelofares
I have included a short video so you can understand how to download an updated certificate
http://www.videosprout.com/video?id=8d6 ... 1cee4d20e1
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: DNS over HTTPS

Mon Aug 28, 2023 3:17 pm

Any way to get it again with a new expiration date?
Where to get it, do you know?
https://support.mozilla.org/en-US/kb/se ... ertificate
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: DNS over HTTPS

Mon Aug 28, 2023 4:03 pm

I think the issue is where one gets OpenDNS's certificate to use with verify-doh-cert=yes...

My browser shows the certificate seems to be signed by IdenTrust (https://www.identrust.com/support/downloads), so I suspect downloading those Root CAs would fix OpenDNS.

But nothing in the OpenDNS docs links to that as the "official" one to actually trust... so is "guessing" the current cert is right better than just using verify-doh-cert=no and avoiding the issue? IDK...
Last edited by Amm0 on Mon Aug 28, 2023 4:05 pm, edited 1 time in total.
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Mon Aug 28, 2023 4:04 pm

@marcelofares
I have included a short video for you to understand how to download an updated certificate
http://www.videosprout.com/video?id=8d6 ... 1cee4d20e1
Many Thankssss
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Mon Aug 28, 2023 4:30 pm

I think the issue is where one gets OpenDNS's certificate to use with verify-doh-cert=yes...

My browser shows the certificate seems to be signed by IdenTrust (https://www.identrust.com/support/downloads), so I suspect downloading those Root CAs would fix OpenDNS.

But nothing in the OpenDNS docs links to that as the "official" one to actually trust... so is "guessing" the current cert is right better than just using verify-doh-cert=no and avoiding the issue? IDK...

Yes, I still get errors when importing the https://doh.opendns.com/dns-query certificate.
Do you have any idea how to fix it?

What certificate can I download to test here?
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: DNS over HTTPS

Mon Aug 28, 2023 4:41 pm

Well, if OpenDNS doesn't refer to the certificate they're using, there is a lower level of trust....

But I think the root certificate is here: http://apps.identrust.com/roots/TrustID ... CA_1_0.cer

I don't use DoH regularly, but in a quick test the above works. But you're downloading random files from the internet based on inspection... which isn't good. The "official" roots should be in the OpenDNS docs, but aren't. But this root seems to be in Safari and Chrome by default, so likely okay, but still...
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Mon Aug 28, 2023 7:00 pm

Well, if OpenDNS doesn't refer to the certificate they're using, there is a lower level of trust....

But I think the root certificate is here: http://apps.identrust.com/roots/TrustID ... CA_1_0.cer

I don't use DoH regularly, but in a quick test the above works. But you're downloading random files from the internet based on inspection... which isn't good. The "official" roots should be in the OpenDNS docs, but aren't. But this root seems to be in Safari and Chrome by default, so likely okay, but still...

I believe it is now working thanks to this certificate. Where can I always get this certificate for future renewals?

Best of all, I didn't need to configure the OpenDNS DNS-over-HTTPS server in the browsers. Browsers detected that the network itself already has DoH enabled. As I work with an intelligent firewall above the MikroTik, I was able to block other DoH providers, avoiding cheating by smart guys. This way I can always force DoH encrypted DNS over OpenDNS on this network :)
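The point made in the post above, that redirecting port 53 only forces classic DNS through the router's DoH forwarder while a client speaking DoT or DoH itself walks straight past it, can be checked from flow records and then closed with firewall rules. The added example below (written for this page, not from the post or from MikroTik) classifies constructed pre-NAT flow lines, reports per-client bypass attempts, and generates the RouterOS address-list and forward-chain reject rules; ROUTER_LAN_IP, the flow-line format and the resolver list (only addresses named in this thread, so not complete) are assumptions.

```python
"""Find LAN clients that bypass the router's DoH forwarder, and emit the
RouterOS rules that close the hole.

Added example for this page, not code from the post or from MikroTik.
Assumptions: ROUTER_LAN_IP, the 'key=value' flow-line format, and
DOH_RESOLVERS, which holds only resolver addresses mentioned in this thread
and is therefore not a complete list. SAMPLE_FLOWS is constructed.
"""
from collections import Counter, defaultdict

ROUTER_LAN_IP = "192.168.88.1"  # assumption: the router's LAN address

DOH_RESOLVERS = {  # partial, from this thread; extend from your own resolver logs
    "1.1.1.1", "1.0.0.1", "1.1.1.2", "1.0.0.2", "1.1.1.3", "1.0.0.3",
    "104.16.248.249", "104.16.249.249",          # cloudflare-dns.com
    "8.8.8.8", "8.8.4.4",                        # dns.google
    "94.140.14.14", "94.140.15.15",              # dns.adguard-dns.com
    "45.90.28.0", "45.90.30.0",                  # dns.nextdns.io
    "146.112.41.2", "146.112.41.3", "146.112.41.4", "146.112.41.5",  # OpenDNS
}

# Constructed pre-NAT flows (destination as the client sent it, before any
# dstnat redirect rewrote it). 203.0.113.10 is a documentation address.
SAMPLE_FLOWS = [
    "src=192.168.88.20 dst=192.168.88.1 proto=udp dport=53",
    "src=192.168.88.20 dst=203.0.113.10 proto=tcp dport=443",
    "src=192.168.88.31 dst=8.8.8.8 proto=udp dport=53",
    "src=192.168.88.31 dst=8.8.8.8 proto=tcp dport=443",
    "src=192.168.88.31 dst=8.8.8.8 proto=tcp dport=443",
    "src=192.168.88.42 dst=1.1.1.1 proto=tcp dport=853",
    "src=192.168.88.42 dst=1.1.1.1 proto=tcp dport=443",
]


def parse_flow(line):
    """'src=... dst=... proto=... dport=...' -> dict with integer dport."""
    flow = dict(kv.split("=", 1) for kv in line.split())
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow):
    """Label a flow by how it relates to the router's DNS forwarding."""
    dst, proto, dport = flow["dst"], flow["proto"], flow["dport"]
    if dport == 53:
        # the dstnat redirect catches this; 'bypass' means the client tried
        return "plain-dns-router" if dst == ROUTER_LAN_IP else "plain-dns-bypass"
    if dport == 853 and proto == "tcp":
        return "dot-bypass"
    if dport == 443 and dst in DOH_RESOLVERS:
        return "doh-bypass"
    return "other"


def bypass_report(lines):
    """Per-source counts of bypass classes; normal traffic is dropped."""
    report = defaultdict(Counter)
    for line in lines:
        flow = parse_flow(line)
        cls = classify(flow)
        if cls.endswith("bypass"):
            report[flow["src"]][cls] += 1
    return dict(report)


def routeros_rules(resolvers=DOH_RESOLVERS, lan_list="LAN"):
    """Address list of known resolvers plus forward-chain rejects for DoT (853)
    and HTTPS to those resolvers. Place these above any generic accept rule in
    the forward chain; the router's own DoH traffic leaves via the output
    chain and is unaffected."""
    def by_octet(ip):
        return tuple(int(o) for o in ip.split("."))
    cmds = [
        f'/ip firewall address-list add list=doh-resolvers address={ip} comment="known DoH resolver"'
        for ip in sorted(resolvers, key=by_octet)
    ]
    cmds += [
        f'/ip firewall filter add chain=forward in-interface-list={lan_list} protocol=tcp '
        f'dst-port=853 action=reject reject-with=tcp-reset comment="block DoT bypass"',
        f'/ip firewall filter add chain=forward in-interface-list={lan_list} protocol=tcp '
        f'dst-port=443 dst-address-list=doh-resolvers action=reject reject-with=tcp-reset '
        f'comment="block DoH bypass"',
    ]
    return cmds


if __name__ == "__main__":
    for src, counts in sorted(bypass_report(SAMPLE_FLOWS).items()):
        print(src, dict(counts))
    print("\n".join(routeros_rules()))
```

A client whose DoT or DoH connection is reset normally falls back to plain port 53, which the existing dstnat rule then redirects to the router, so the block and the redirect work together. Address-based blocking stays porous, since a resolver can move to a new address or sit behind a shared CDN front, which is the same limitation the NextDNS "block bypass methods" feature quoted earlier in the thread has to live with.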
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: DNS over HTTPS

Mon Aug 28, 2023 7:08 pm

I believe it is now working thanks to this certificate. Where can I always get this certificate for future renewals?
Good question, perhaps that URL is stable and OpenDNS will continue to use them.... But I think OpenDNS just assumes that DoH clients have the same Root CAs as the mainstream OSes. The Root CA was already on my Mac at least, so no "validation" issues, as TLS was from a trusted root.

But since MikroTik starts with 0 Root CAs, and OpenDNS doesn't have a link to the one they use, this becomes trickier. Since, in theory, they could use another provider to sign their certificates in the future. And they don't use EV certs either, so I'm not sure the OpenDNS DoH was designed with top-of-class security here....
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Mon Aug 28, 2023 7:41 pm

I believe it is now working thanks to this certificate. Where can I always get this certificate for future renewals?
Good question, perhaps that URL is stable and OpenDNS will continue to use them.... But I think OpenDNS just assumes that DOH clients have same Root CA's as the mainstream OSes. The Root CA was already on on my Mac at least, so no "validation" issues as TLS was from trusted root.

But since MikroTik starts with 0 Root CAs, and OpenDNS doesn't have a link to the one they use, this becomes trickier, since, in theory, they could use another provider to sign their certificates in future. And they don't use EV certs either, so I'm not sure the OpenDNS DOH was designed with top-of-class security here....
I understood your point. But I believe, from the browser notification and the logs where the errors stopped, that the resolution is encrypted.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: DNS over HTTPS

Mon Aug 28, 2023 7:54 pm

I understood your point. But I believe, from the browser notification and the logs where the errors stopped, that the resolution is encrypted.
Fair enough. It just remains encrypted regardless of whether you "verify" the certs - that only stops a man-in-the-middle. But adding a generic root CA means any cert signed by that CA would be valid just the same. IMO, this is just sloppy on Cisco's part.
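The difference Amm0 is pointing at can be shown on a workstation with the openssl CLI (this is an added example, not from the thread and not a RouterOS feature): a constructed root CA signs a certificate for the DoH host and an unrelated one, trusting the root accepts both, while a pin on the DoH server's public key (SPKI hash) accepts only the intended key. The hostnames and the CA name are made up for the demo.

```shell
#!/bin/sh
# Added example: whole-root trust vs. public-key pinning for a DoH endpoint.
# Requires the openssl CLI. Every name below is constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed root CA, standing in for any public root bundle you might import.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout ca.key -out ca.pem -days 30 -subj "/CN=Demo Root CA" >/dev/null 2>&1

# Issue one leaf for the (made-up) DoH host and one unrelated leaf, both from
# the SAME root, which is exactly what "adding a generic root CA" buys you.
issue_leaf() {  # $1 = hostname, $2 = file prefix
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$2.pem" -days 30 >/dev/null 2>&1
}
issue_leaf doh.example.net doh
issue_leaf other.example.org other

# 1) Trusting the root: chain validation passes for any leaf that root signed.
ca_trust_accepts() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; }

# 2) Pinning: SHA-256 over the leaf's SubjectPublicKeyInfo, base64-encoded,
#    compared to the pin recorded when the DoH server was first set up.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64
}
PIN=$(spki_pin doh.pem)   # the stored pin for the DoH server
pin_accepts() { [ "$(spki_pin "$1")" = "$PIN" ]; }

# Root trust accepts both leaves; the pin accepts only the DoH server's key.
ca_trust_accepts doh.pem   && echo "root trust: doh.pem accepted"
ca_trust_accepts other.pem && echo "root trust: other.pem accepted too"
pin_accepts doh.pem        && echo "pin: doh.pem accepted"
pin_accepts other.pem      || echo "pin: other.pem rejected"
```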
 
marcelofares
Member Candidate
Member Candidate
Posts: 125
Joined: Tue Mar 03, 2015 2:26 pm

Re: DNS over HTTPS

Mon Aug 28, 2023 8:55 pm

I understood your point. But I believe, from the browser notification and the logs where the errors stopped, that the resolution is encrypted.
Fair enough. It just remains encrypted regardless of whether you "verify" the certs - that only stops a man-in-the-middle. But adding a generic root CA means any cert signed by that CA would be valid just the same. IMO, this is just sloppy on Cisco's part.
I agree with you. Unfortunately I didn't find any certificate from the manufacturer that didn't give an error when importing to Mikrotik. So far this is working.
 
Question
just joined
Posts: 2
Joined: Fri Sep 01, 2023 8:07 pm

Re: DNS over HTTPS

Sat Sep 02, 2023 12:18 am

Hi,

I have an L2TP/IPsec VPN server configured. Additionally, I use ControlD's cloud DoH service as an alternative to AdGuardHome.

DNS doesn't work when connected to the VPN, i.e. it does not resolve names, both those defined manually for local services and those from the Internet. IP addresses are loading correctly. Even if I change the DNS on the client to different ones, it does not resolve the internet addresses either. Also an issue on Mikrotik's side, not ControlD itself.

From the level of the local network, DoH works fine.

Btw. When I used AdGuardHome as an intermediary for ControlD, everything was fine. However, I decided to give it up as I managed to configure DoH on Mikrotik.

I would be very grateful for your help. Unfortunately, I died. And my knowledge of Mikrotik is not very broad.

Here are some screenshots of my configuration.

https://cloud.myhomelab.pl/s/EFqLeoEWM3CnqsL

P.S. RouterOS version latest possible, 7.11.
