Please, can you advise if I have discovered a bug and I should report it.

I ended up in a situation where the DNS forwarder of hAP ac2 running 6.47.9 will not return an A record for ssl.gstatic.com. As if the router cached something that is not visible and erasable via the DNS cache.

All this happened while I was testing DoH in 4 different networks. Testing means trying different modes (verify DoH cert or not) and different providers (Cloudflare's security and familiy, and Google). I suspect the specific host (ssl.gstatic.com) doesn't matter and it is just something that was used/requested a lot (or recently). May be other hosts records are also in this state but I cannot figure them. I was just able to notice the problem with ssl.gstatic.com because Gmail/Drive stopped working in that network.

Clearing the DNS cache, disabling remote requests, disabling DoH and putting static DNS servers - nothing seems to "reset" the issue. I don't dare to reboot that router as I want to gain more info.

Any recomendations?

Windows nslookup:

C:\Users\Username>nslookup
Default Server: UnKnown
Address: 10.xx.yy.249 (This is the IP address of the MikroTik router that is having the issue. The router is DNS, DHCP and default gateway)

> ssl.gstatic.com
Server: UnKnown
Address: 10.xx.yy.249

DNS request timed out.
timeout was 2 seconds.
Name: ssl.gstatic.com
Address: 2a00:1450:4017:80c::2003

> server 8.8.8.8
Default Server: dns.google
Address: 8.8.8.8

> ssl.gstatic.com
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
Name: ssl.gstatic.com
Addresses: 2a00:1450:4017:802::2003
216.58.214.131

>

Current DNS/DoH configuration in that router:

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server=https://dns.google/dns-query verify-doh-cert=yes

/ip dns static add address=8.8.8.8 disabled=no name=dns.google ttl=5m
/ip dns static add address=8.8.4.4 disabled=no name=dns.google ttl=5m

/ip dns static add disabled=no name=use-application-dns.net ttl=5m type=NXDOMAIN

Are you sure the "unchanged result" when changing things in your router is really reflecting the new situation in the router?
A Windows system will "cache" earlier replies and will show the same result without asking again.
You can use "ipconfig /flushdns" between your attempts to flush that cache.

Thank for replying @pe1chl.

I did clear the cache on MacOS, Win10 and Linux... rebooting as well. It took me several hours to figure out what is happening.

If someone gives me a source IP I can enable access to udp/53 to my router so that he can test himself.

The nslookup shown above doesn't use the cache, as well.

Ok I should say I never attempted to fiddle with that DoH thing as I have no use for it (I trust my ISP more than I trust Google) and I have seen enough indications that its implementation is buggy.
When you want to help fix it make a supout.rif and make a ticket at MikroTik or mail it to support.

So I just moved my DNS queries to my MT units and use DoH to NextDNS and I do not have a issue resolving this.

> ssl.gstatic.com
Server: UnKnown
Address: x.x.x.x

Non-authoritative answer:
Name: ssl.gstatic.com
Addresses: 2a00:1450:400f:804::2003
142.250.74.131

But I'm not using Google DNS service to resolve.