I ended up in a situation where the DNS forwarder of hAP ac2 running 6.47.9 will not return an A record for ssl.gstatic.com. As if the router cached something that is not visible and erasable via the DNS cache.
All this happened while I was testing DoH in 4 different networks. Testing means trying different modes (verify DoH cert or not) and different providers (Cloudflare's security and family, and Google). I suspect the specific host (ssl.gstatic.com) doesn't matter and it is just something that was used/requested a lot (or recently). Maybe other hosts' records are also in this state but I cannot figure them out. I was just able to notice the problem with ssl.gstatic.com because Gmail/Drive stopped working in that network.
Clearing the DNS cache, disabling remote requests, disabling DoH and putting static DNS servers - nothing seems to "reset" the issue. I don't dare to reboot that router as I want to gain more info.
Any recommendations?
Windows nslookup:
C:\Users\Username>nslookup
Default Server: UnKnown
Address: 10.xx.yy.249 (This is the IP address of the MikroTik router that is having the issue. The router is DNS, DHCP and default gateway)
> ssl.gstatic.com
Server: UnKnown
Address: 10.xx.yy.249
DNS request timed out.
timeout was 2 seconds.
Name: ssl.gstatic.com
Address: 2a00:1450:4017:80c::2003
> server 8.8.8.8
Default Server: dns.google
Address: 8.8.8.8
> ssl.gstatic.com
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: ssl.gstatic.com
Addresses: 2a00:1450:4017:802::2003
216.58.214.131
>
Current DNS/DoH configuration in that router:
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static add address=8.8.8.8 disabled=no name=dns.google ttl=5m
/ip dns static add address=8.8.4.4 disabled=no name=dns.google ttl=5m
/ip dns static add disabled=no name=use-application-dns.net ttl=5m type=NXDOMAIN
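To check which record types the router's forwarder is actually dropping (the nslookup above shows the A lookup timing out while AAAA still answers), here is an added comparison script; it is my own code, not part of the original post or RouterOS, uses only the standard library, and assumes the router address and 8.8.8.8 from the post as the two resolvers. The replies used for the offline check are constructed with build_reply, not captured traffic.

```python
import socket
import struct

def encode_name(name):
    """Dotted hostname -> uncompressed DNS wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Offset just past a possibly-compressed name that starts at msg[off]."""
    while msg[off] & 0xC0 != 0xC0:  # plain labels until the root label
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2                  # a compression pointer is 2 bytes and ends the name

def answer_types(reply):
    """RR type codes (1 = A, 28 = AAAA, 5 = CNAME, ...) in the answer section of a raw reply."""
    qdcount, ancount = struct.unpack("!HH", reply[4:8])
    off, types = 12, set()
    for _ in range(qdcount):
        off = skip_name(reply, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        types.add(rtype)
        off += 10 + rdlen
    return types

def missing_types(router_replies, reference_replies):
    """Types the reference resolver answered that the router did not; maps qtype -> raw reply or None (timeout)."""
    have = set().union(*(answer_types(r) for r in router_replies.values() if r))
    want = set().union(*(answer_types(r) for r in reference_replies.values() if r))
    return want - have

def build_reply(qname, qtype, records):
    """Constructed reply (header, one question, answers) for offline testing; not captured traffic."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd for t, rd in records)
    return hdr + question + answers

def query(server, qname, qtype, timeout=3):
    """One UDP query to server:53; returns the raw reply, or None on timeout. Needs network access."""
    msg = struct.pack("!HHHHHH", 0x4D2, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None
```

Against a live network, call missing_types with {t: query("<router-ip>", "ssl.gstatic.com", t) for t in (1, 28)} and the same map for "8.8.8.8"; a result of {1} reproduces the symptom in the post (A missing, AAAA present), and running it for other busy hostnames would reveal whether more records are stuck in the same state.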