I found a solution for the "doh server connect error network is unreachable" problem. I tested with both Google and Cloudflare DoH for over a month and this works well even with unstable PPPoE links.
Note 1: I have both IPv4 and IPv6 from my ISP1, so just remove the AAAA entry and IPv6 servers if you don't have IPv6 connectivity.
Note 2: Theoretically, ROS is supposed to use the regular servers as the fallback if DoH fails, but that never happens. You can use an invalid DoH URL to test this, and ROS will never use the regular DNS servers as fallback.
Below is the solution:
/ip dns
set allow-remote-requests=yes query-server-timeout=100ms query-total-timeout=5s
/ip dns static
add address=220.127.116.11 name=cloudflare-dns.com type=A
add address=18.104.22.168 name=cloudflare-dns.com type=A
add address=2606:4700:4700::1001 name=ipv6a.cloudflare-dns.com type=AAAA
add address=2606:4700:4700::1111 name=ipv6b.cloudflare-dns.com type=AAAA
This is for recursive routing failover. This will help ROS know if a link is truly dead or not.
Simply remove the second gateway and ISP2 marking add route if you have only a single ISP.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_ISP2 check-gateway=ping
add dst-address=22.214.171.124 gateway=pppoe-out1 scope=10
add dst-address=126.96.36.199 gateway=pppoe-out2 scope=10
add distance=1 gateway=188.8.131.52 routing-mark=to_ISP1 check-gateway=ping
add distance=2 gateway=184.108.40.206 routing-mark=to_ISP1 check-gateway=ping
add distance=1 gateway=220.127.116.11 routing-mark=to_ISP2 check-gateway=ping
add distance=2 gateway=18.104.22.168 routing-mark=to_ISP2 check-gateway=ping
###Don't forget to add regular default routes to each ISP###
However, these errors still show up when my ISP1 dies and ROS tries to switch over to ISP2. But somehow, despite the errors, I could still surf the web etc. without any problems through ISP2 with failover.
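An added example, not part of the original post: a small Python check over a RouterOS export that confirms the DoH hostname has the static records it needs to bootstrap and that certificate verification is on. `use-doh-server` and `verify-doh-cert` are RouterOS DNS settings not shown in the post; the sample export and its documentation-range addresses are constructed, and the parser assumes one command per line under a menu line.

```python
import re
from urllib.parse import urlsplit

# Constructed sample export; addresses are documentation-range placeholders.
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=no
/ip dns static
add address=192.0.2.10 name=cloudflare-dns.com type=A
add address=2001:db8::10 name=ipv6a.cloudflare-dns.com type=AAAA
"""

def parse_export(text):
    """Return (dns_settings, static_entries) from RouterOS export text."""
    menu, settings, static = None, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # menu line such as "/ip dns static"
            menu = line
            continue
        verb, _, rest = line.partition(" ")
        props = {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', rest)}
        if menu == "/ip dns" and verb == "set":
            settings.update(props)
        elif menu == "/ip dns static" and verb == "add":
            static.append(props)
    return settings, static

def audit_doh(text, ipv6=False):
    """List findings about DoH bootstrap records and certificate checking."""
    settings, static = parse_export(text)
    host = urlsplit(settings.get("use-doh-server", "")).hostname
    if not host:
        return ["no use-doh-server configured"]
    # Only entries whose name equals the DoH hostname help it resolve;
    # an entry without type= is treated as A (assumed RouterOS default).
    types = {e.get("type", "A") for e in static if e.get("name") == host}
    wanted = ["A", "AAAA"] if ipv6 else ["A"]
    findings = [f"no static {t} record for {host}" for t in wanted if t not in types]
    if settings.get("verify-doh-cert") != "yes":
        findings.append("verify-doh-cert is not yes")
    return findings
```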