 
souravmaiti
just joined
Topic Author
Posts: 2
Joined: Wed Apr 22, 2020 9:06 am

DNS over HTTPS

Wed Apr 22, 2020 9:10 am

MikroTik 6.47 has introduced the long-awaited DoH.
But when I put in any DoH server (for example https://cloudflare-dns.com/dns-query ) it gives the error:
DoH Connection Error, Idle Timeout.

Any clue?
 
normis
MikroTik Support
Posts: 24560
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Apr 22, 2020 9:25 am

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""

No answer to your question? How to write posts
 
souravmaiti
just joined
Topic Author
Posts: 2
Joined: Wed Apr 22, 2020 9:06 am

Re: DNS over HTTPS

Wed Apr 22, 2020 11:21 am

Any guide for Google DoH settings?
 
msatter
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Wed Apr 22, 2020 11:24 am

For Google you still need a first resolve through a normal DNS, or it will not know how to reach the DoH of Google. Cloudflare used a trick by putting 1.1.1.1 as an alternative name in their certificate.
Last edited by msatter on Wed Apr 22, 2020 11:26 am, edited 1 time in total.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. 4011 Does PPPoE/IKEv2.
Running:
RouterOS 6.47 / Winbox 3.24 / MikroTik APP 1.3.12
NordVPN viewtopic.php?f=2&t=158439&p=781009 for multiple connections.
 
eworm
Long time Member
Posts: 574
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 11:26 am

Do the same, but with a different URL: https://8.8.8.8/dns-query
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
eworm
Long time Member
Posts: 574
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 11:32 am

Uh, Google does a redirect there... So use this:
/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
 
normis
MikroTik Support
Posts: 24560
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Wed Apr 22, 2020 11:45 am

He should either turn off the certificate check or find Google certificates.
Also, it's not correct to use a DNS name in the DNS server address.
 
eworm
Long time Member
Posts: 574
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 11:57 am

The file you linked includes the certificates required for google services, no?
So my commands were intended on top of yours.

I think it's not possible to use Google DoH without a DNS name in the URL. Or do you have a working one with an IP address?
 
Jotne
Forum Guru
Posts: 1625
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Wed Apr 22, 2020 12:20 pm

I just added this to Use DoH Server:
https://1.1.1.1/dns-query
I think it's better to use IP only, so you do not need an extra DNS server just to resolve the DoH server.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
eworm
Long time Member
Posts: 574
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Wed Apr 22, 2020 1:21 pm

Yes, that's true in general and for Cloudflare. But Google does not allow using https://8.8.8.8/dns-query directly. It sends a redirect in the HTTP header to https://dns.google/dns-query.

Well, checking again... It does send a redirect, but the DNS response is contained as well...
% curl -I 'https://8.8.8.8/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'
HTTP/2 301 
location: https://dns.google/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
date: Wed, 22 Apr 2020 08:29:24 GMT
expires: Thu, 23 Apr 2020 08:29:24 GMT
server: sffe
content-length: 269
x-xss-protection: 0
cache-control: public, max-age=86400
age: 6656
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
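The dns= parameter in the curl command above is an RFC 8484 DoH GET query: a plain DNS wire-format message, base64url-encoded without padding. This added example (not code from the thread) rebuilds that exact value from scratch and decodes it back to the question it carries; the function names are mine.

```python
import base64
import struct

# The query string taken from the curl command quoted in the post above.
EXAMPLE_QUERY_B64 = "AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length octet + label, ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Single-question DNS query. ID 0 and RD=1 is what RFC 8484 suggests for
    DoH, so identical questions produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def to_doh_param(msg: bytes) -> str:
    """base64url without '=' padding, as required for the ?dns= parameter."""
    return base64.urlsafe_b64encode(msg).decode("ascii").rstrip("=")


def from_doh_param(param: str) -> bytes:
    """Inverse of to_doh_param: restore padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(msg: bytes) -> tuple:
    """Return (txid, qname, qtype) of the first question in a DNS message."""
    txid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype
```

Rebuilding the query for example.com type A reproduces the 39-character string from the curl command byte for byte.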
 
msatter
Forum Guru
Posts: 1633
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNS over HTTPS

Wed Apr 22, 2020 1:57 pm

Uh, google does a redirect there... So use this:
/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
Maybe this can be combined to a bootstrap IP. Also adding the direct IP in the DoH setting, used only (once) to bootstrap the DoH. No need for static then.

Leaves the problem with the certificate not being retrieved on its own.
 
sohel07
just joined
Posts: 13
Joined: Sun Oct 20, 2019 11:26 pm

Re: DNS over HTTPS

Sat May 23, 2020 7:09 pm

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""

But I am unable to access the internet until I set a DNS.
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS over HTTPS

Sat May 23, 2020 7:22 pm

Okay, after some reading my questions boil down to:
Q. Advantage of the MT router implementation over simply using Firefox?
- it covers any browser being used?

Why not make DoH part of the default setup for routers coming from the factory?

Right now for dynamic servers I have listed in order 1.1.1.1, 1.0.0.1, 9.9.9.9
Do I have to remove the third entry 9.9.9.9 (will it eff up the plan)?

There is no such entry as /IP system NTP client.
(System is a separate entry and what it has is an SNTP client which I use to provide time.)

Okay, so maybe I am missing an NTP package? Do I need it or can I use the SNTP module?

Okay, so I loaded the NTP package. Do I keep the current SNTP setup (designed for time only), assuming this NTP setup is for DoH?
Last edited by anav on Sat May 23, 2020 8:35 pm, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
vortex
Forum Guru
Posts: 1095
Joined: Sat Feb 16, 2013 6:10 pm

Re: DNS over HTTPS

Sat May 23, 2020 8:09 pm

How could it be the default if you don't know which service you can trust?
 
dave864
just joined
Posts: 22
Joined: Fri Mar 11, 2016 2:37 pm

Re: DNS over HTTPS

Sun May 24, 2020 5:11 pm

This is great news.
Does anyone know the URL to fetch the Google cert?
 
foolbaby
just joined
Posts: 12
Joined: Sun Feb 07, 2010 5:02 pm

Re: DNS over HTTPS

Tue May 26, 2020 2:04 pm

Follow these steps exactly:

/ip dns set servers=1.1.1.1,1.0.0.1
/system ntp client set enabled=yes server-dns-names=time.cloudflare.com
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""

Thanks, it works, but sometimes it gives errors:
15:28:41 dns,error DoH server connection error: remote disconnected while in HTTP exchange
15:29:37 dns,error DoH server connection error: SSL: std failure: timeout (13)
15:29:42 dns,error DoH server connection error: SSL: handshake timed out (6)
15:29:42 dns,error DoH server connection error: SSL: internal error (6)
15:29:42 dns,error DoH server connection error: Idle timeout - connecting
17:52:53 dns,error DoH server connection error: Idle timeout - waiting data

I hope DoH gets better in the next release.
 
normis
MikroTik Support
Posts: 24560
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS over HTTPS

Tue May 26, 2020 2:47 pm

Can you ping the DoH server?
 
foolbaby
just joined
Posts: 12
Joined: Sun Feb 07, 2010 5:02 pm

Re: DNS over HTTPS

Tue May 26, 2020 2:50 pm

Can you ping the DoH server?
Yes, it can ping.
But it happens sometimes. It's just a new setup, still monitoring.
 
TheDoctor
just joined
Posts: 4
Joined: Wed Dec 18, 2019 10:52 am

Re: DNS over HTTPS

Tue May 26, 2020 7:28 pm

/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

expected end of command (line 1 column 12)

Is there any solution, please, for 6.46.6?
 
eworm
Long time Member
Posts: 574
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS over HTTPS

Tue May 26, 2020 8:06 pm

This is not supported in 6.46.6. You have to use 6.47 for that feature.
 
Jotne
Forum Guru
Posts: 1625
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Tue May 26, 2020 8:48 pm

And 6.47 is still in testing :)
 
 
 
foolbaby
just joined
Posts: 12
Joined: Sun Feb 07, 2010 5:02 pm

Re: DNS over HTTPS

Tue May 26, 2020 9:11 pm

Can you ping the DoH server?
Maybe this is the problem.
Or maybe my router is too old :D lol
The CPU goes down when I disable the NAT for transparent DNS.
And what is the meaning of these warning logs?
may/27 01:04:34 dns,warning DoH max concurrent queries reached, ignoring query 
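The two sets of log lines quoted in this thread (the "DoH server connection error" lines earlier and the "max concurrent queries reached" warning above) are the kind of thing worth counting rather than reading one by one. This added example (not from the thread) parses RouterOS-style DoH log lines and buckets them by cause; the sample log is constructed from the lines quoted on this page, and the bucket names and alert threshold are my own choices, not anything RouterOS defines.

```python
import re
from collections import Counter

# Constructed sample: the DoH log lines quoted in this thread, concatenated.
SAMPLE_LOG = """\
15:28:41 dns,error DoH server connection error: remote disconnected while in HTTP exchange
15:29:37 dns,error DoH server connection error: SSL: std failure: timeout (13)
15:29:42 dns,error DoH server connection error: SSL: handshake timed out (6)
15:29:42 dns,error DoH server connection error: SSL: internal error (6)
15:29:42 dns,error DoH server connection error: Idle timeout - connecting
17:52:53 dns,error DoH server connection error: Idle timeout - waiting data
may/27 01:04:34 dns,warning DoH max concurrent queries reached, ignoring query
"""

# Optional "mon/dd " date prefix, HH:MM:SS, comma-separated topics, message.
LINE_RE = re.compile(
    r"^(?:(?P<date>\w{3}/\d{2}) )?(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<topics>[\w,]+) (?P<msg>.*)$"
)


def classify(msg: str) -> str:
    """Map a DoH log message onto a coarse cause bucket (bucket names are mine)."""
    if msg.startswith("DoH max concurrent queries reached"):
        return "overload"        # router dropping queries: capacity, not reachability
    if "SSL" in msg:
        return "tls"             # handshake / certificate side problems
    if "Idle timeout" in msg:
        return "idle-timeout"    # nothing came back in time
    if "remote disconnected" in msg:
        return "remote-disconnect"
    return "other"


def summarize(log_text: str) -> Counter:
    """Count DoH-related dns log lines per bucket; non-matching lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "dns" not in m.group("topics").split(","):
            continue
        if not m.group("msg").startswith("DoH"):
            continue
        counts[classify(m.group("msg"))] += 1
    return counts


def should_alert(counts: Counter, threshold: int = 3) -> bool:
    """Hypothetical rule: any dropped query, or TLS plus timeouts at or above threshold."""
    return counts["overload"] > 0 or (counts["tls"] + counts["idle-timeout"]) >= threshold
```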
 
TheDoctor
just joined
Posts: 4
Joined: Wed Dec 18, 2019 10:52 am

Re: DNS over HTTPS

Tue May 26, 2020 9:52 pm

And 6.47 is still in testing :)

Is it possible to talk about some release dates for 6.47, or is it extremely premature?
 
Jotne
Forum Guru
Posts: 1625
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: DNS over HTTPS

Tue May 26, 2020 10:00 pm

6.47 RC was just released over here: viewtopic.php?f=21&t=161583
 