ak4020
newbie
Topic Author
Posts: 27
Joined: Mon Mar 23, 2020 11:35 am

DoH Problem

Thu Oct 14, 2021 5:41 pm

Hello everyone, for a few days DoH has no longer been working and we are at a loss, because we have changed nothing on the DoH server component, but RouterOS no longer works, without any apparent error. I would be very grateful for help.


16:37:16 dns,packet --- got query from 192.168.43.17:51958:
16:37:16 dns,packet id:f511 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2
16:37:16 dns,packet question: orf.at:A:IN
16:37:16 dns,packet additional:
16:37:16 dns,packet <:UNKNOWN (41):0=rawbytes:0>
16:37:16 dns query from 192.168.43.17: #1 orf.at. A
16:37:16 dns local query: #2 doh.blueshield.io. A
16:37:16 dns,packet --- sending udp query to 83.164.130.117:53:
16:37:16 dns,packet id:91ab rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
16:37:16 dns,packet question: doh.blueshield.io:A:IN
16:37:16 dns local query: #3 doh.blueshield.io. AAAA
16:37:16 dns,packet --- sending udp query to 83.164.130.117:53:
16:37:16 dns,packet id:7dc0 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
16:37:16 dns,packet question: doh.blueshield.io:AAAA:IN
16:37:16 dns,packet --- got answer from 83.164.130.117:53:
16:37:16 dns,packet id:91ab rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error'
16:37:16 dns,packet question: doh.blueshield.io:A:IN
16:37:16 dns,packet answer:
16:37:16 dns,packet <doh.blueshield.io:A:3=83.164.130.119>
16:37:16 dns,packet <doh.blueshield.io:A:3=83.164.146.248>
16:37:16 dns,packet <doh.blueshield.io:A:3=83.164.146.249>
16:37:16 dns,packet <doh.blueshield.io:A:3=83.164.146.247>
16:37:16 dns done query: #2 doh.blueshield.io 83.164.130.119
16:37:16 dns,packet --- got answer from 83.164.130.117:53:
16:37:16 dns,packet id:7dc0 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error'
16:37:16 dns,packet question: doh.blueshield.io:AAAA:IN
16:37:16 dns,packet authority:
16:37:16 dns,packet <blueshield.io:SOA:1825=serial:2038586256 refresh:10000 retry:2400 expire:604800 min:3600 >
16:37:16 dns done query: #3 dns name exists, but no appropriate record
16:37:16 dns done query: #1 dns server failure
16:37:16 dns,packet --- sending reply to 192.168.43.17:51958:
16:37:16 dns,packet id:f511 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'server failure'
16:37:16 dns,packet question: orf.at:A:IN
16:37:17 dns,packet --- got query from 192.168.43.17:19429:
16:37:17 dns,packet id:2253 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2
16:37:17 dns,packet question: orf.at:A:IN
16:37:17 dns,packet additional:
16:37:17 dns,packet <:UNKNOWN (41):0=rawbytes:0>
16:37:17 dns query from 192.168.43.17: #4 orf.at. A
16:37:17 dns done query: #4 dns server failure
16:37:17 dns,packet --- sending reply to 192.168.43.17:19429:
16:37:17 dns,packet id:2253 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'server failure'
16:37:17 dns,packet question: orf.at:A:IN
16:37:17 dns,packet --- got query from 192.168.43.17:33506:
16:37:17 dns,packet id:8d54 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2
16:37:17 dns,packet question: orf.at:A:IN
16:37:17 dns,packet additional:
16:37:17 dns,packet <:UNKNOWN (41):0=rawbytes:0>
16:37:17 dns query from 192.168.43.17: #5 orf.at. A
16:37:17 dns local query: #6 doh.blueshield.io. A
16:37:17 dns done query: #6 doh.blueshield.io 83.164.146.248
16:37:17 dns local query: #7 doh.blueshield.io. AAAA
16:37:17 dns,packet --- sending udp query to 83.164.130.117:53:
16:37:17 dns,packet id:cf74 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
16:37:17 dns,packet question: doh.blueshield.io:AAAA:IN
16:37:17 dns,packet --- got answer from 83.164.130.117:53:
16:37:17 dns,packet id:cf74 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error'
16:37:17 dns,packet question: doh.blueshield.io:AAAA:IN
16:37:17 dns,packet authority:
16:37:17 dns,packet <blueshield.io:SOA:1824=serial:2038586256 refresh:10000 retry:2400 expire:604800 min:3600 >
16:37:17 dns done query: #7 dns name exists, but no appropriate record
16:37:18 dns done query: #5 dns server failure
16:37:18 dns,packet --- sending reply to 192.168.43.17:33506:
16:37:18 dns,packet id:8d54 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'server failure'
16:37:18 dns,packet question: orf.at:A:IN
16:37:54 system,info supout.rif file created by admin
16:37:56 dns,packet --- got query from 192.168.43.17:47054:
16:37:56 dns,packet id:b400 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2
16:37:56 dns,packet question: orf.at:A:IN
16:37:56 dns,packet additional:
16:37:56 dns,packet <:UNKNOWN (41):0=rawbytes:0>
16:37:56 dns query from 192.168.43.17: #8 orf.at. A
16:37:56 dns done query: #8 dns server failure
16:37:56 dns,packet --- sending reply to 192.168.43.17:47054:
16:37:56 dns,packet id:b400 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'server failure'
16:37:56 dns,packet question: orf.at:A:IN
 
cdoyle4785
just joined
Posts: 6
Joined: Mon Apr 17, 2017 6:58 am

Re: DoH Problem

Sun Oct 24, 2021 4:05 pm

How does your DoH work if you try another provider temporarily?

Are your certificates up to date?

Can you export the relevant DoH settings sections?
/ip dns export
 
cdoyle4785
just joined
Posts: 6
Joined: Mon Apr 17, 2017 6:58 am

Re: DoH Problem

Sun Oct 24, 2021 4:20 pm

Something like this might be what you need:


/ip dns
set servers=9.9.9.9
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/tool fetch url=https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=" "
/ip dns
set servers=""
set allow-remote-requests=yes use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

/system reboot
 
ak4020
newbie
Topic Author
Posts: 27
Joined: Mon Mar 23, 2020 11:35 am

Re: DoH Problem

Mon Oct 25, 2021 8:51 am

Hi, certificates are all imported. I think it's a GET/POST request problem and I am waiting for the specification from MikroTik... with our server and the previous firmware it worked fine... it remains exciting, but as soon as we have found out something new I will of course post it... Quad9 is not an option, as I run my own DoH server, which works fine with all browsers, iOS etc.... Cheers, Alois
 
ak4020
newbie
Topic Author
Posts: 27
Joined: Mon Mar 23, 2020 11:35 am

Re: DoH Problem

Mon Oct 25, 2021 11:22 am

Hi all, we have found the error: RouterOS makes a POST request and currently has a non-RFC-compliant offset flag, and the correct header would be "application/dns-message", but RouterOS sends no header. Cheers, Alois
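An added example (not from the thread or from RouterOS) showing the check a DoH server makes that the post above describes: a wire-format query for the `orf.at` A record from the log, the headers an RFC 8484 POST must carry, and a validator that flags a POST missing the `application/dns-message` Content-Type. The endpoint path `/dns-query` and host `doh.example` are assumed placeholders.

```python
import struct

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type for both request and response bodies


def build_dns_query(name: str, qtype: int = 1, txid: int = 0xF511) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format with RD=1 (id taken from the log)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Decode the first question of a wire-format message (what a DoH server does with a POST body)."""
    pos, labels = 12, []  # question section starts right after the 12-byte header
    while msg[pos]:  # uncompressed labels only; a query body has no compression pointers
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass


def build_doh_post(path: str, host: str, body: bytes) -> str:
    """Render the request line and headers of a compliant RFC 8484 POST (body is sent raw after them)."""
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"Content-Type: {DOH_CONTENT_TYPE}",  # the header the post above reports as missing
        f"Accept: {DOH_CONTENT_TYPE}",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n"


def check_doh_request(method: str, headers: dict) -> list:
    """Return the problems a strict DoH server would report for a request; an empty list means it is acceptable."""
    problems = []
    h = {k.lower(): v for k, v in headers.items()}
    if method == "POST":
        if h.get("content-type") != DOH_CONTENT_TYPE:
            problems.append("POST body must be declared as " + DOH_CONTENT_TYPE)
    elif method == "GET":
        pass  # GET carries the message base64url-encoded in the ?dns= parameter instead
    else:
        problems.append("unsupported method " + method)
    return problems


if __name__ == "__main__":
    q = build_dns_query("orf.at")
    print(build_doh_post("/dns-query", "doh.example", q))
    print("missing header ->", check_doh_request("POST", {"Host": "doh.example"}))
```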
