Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 3:49 pm

Just wondering if the consensus is that setting up Adguard or PiHole actually makes Internet life better?

There's also NextDNS.io

Then there's just the well regarded 1.1.1.1, 9.9.9.9, and 8.8.8.8

I've played with all of these, and the ad-blocking of Adguard and Pihole made some sites unviewable.

Not at all claiming to have done an exhaustive study or to be an expert.

Wondering what most people here use and recommend.

Thanks
 
erlinden
Forum Guru
Posts: 2989
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 4:51 pm

You should have a look at AdList, which is part of RouterOS:
https://help.mikrotik.com/docs/spaces/R ... DNS-Adlist

It replaces my previous AdGuard and PiHole dockers (that ran on a Synology).
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 5:07 pm

You should have a look at AdList, which is part of RouterOS:
https://help.mikrotik.com/docs/spaces/R ... DNS-Adlist

It replaces my previous AdGuard and PiHole dockers (that ran on a Synology).
Built in sounds great!

Does this mean it is enabled and all set up? Any way to monitor what it is catching/blocking?
[admin@212RB5009] /ip/dns/adlist> print
Flags: X - disabled 
 0   url="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ssl-verify=no match-count=48 name-count=33338 
 
erlinden
Forum Guru
Posts: 2989
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 5:15 pm

Match-count shows the number of hits on the list, this counter should be increasing.
As yours is, it is active.

I haven't found a way to log adlist specifically, you can do DNS logging temporarily (no clue what information it will provide).
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 5:16 pm

Match-count shows the number of hits on the list, this counter should be increasing.
As yours is, it is active.

I haven't found a way to log adlist specifically, you can do DNS logging temporarily (no clue what information it will provide).
Great, thanks very much.
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 5:55 pm

Less than an hour -- it is catching a lot.

Sure would be nice to know what it's blocking.

I turned on topic DNS logging, but it's way too much info for my eyes to digest.

What's interesting is this is just a private house and I'm the only one home. So, the caught ads are either from me or devices that are doing what they do all by themselves.
[admin@212RB5009] /ip/dns/adlist> print
Flags: X - disabled 
 0   url="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ssl-verify=no match-count=1309 name-count=33338 
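One way to answer the "what is it blocking" question from the post above, as an added example (not code from the thread or from MikroTik): cross-reference exported DNS log lines against the hosts-format list the adlist loads, and report each blocked name with its hit count and the clients asking for it. The log line layout, the `.test` names and the exact-match rule are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# Entries every hosts file carries for the local machine; not block entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "0.0.0.0"}
# Addresses that hosts-format blocklists use as the sinkhole target.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Hostname-like token with an alphabetic TLD, so IPv4 addresses never match.
NAME_RE = re.compile(
    r"(?<![\w.-])((?:[a-z0-9_-]+\.)+[a-z]{2,})\.?(?![\w-])", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample in hosts format (same layout as the list in the post).
SAMPLE_HOSTS = """\
# constructed sample, not real list content
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example-tracker.test
0.0.0.0 telemetry.vendor.test  # inline comment
0.0.0.0 Pixel.Metrics.test
"""

# Constructed log lines; the layout is an assumption, not RouterOS output.
SAMPLE_LOG = """\
17:40:01 dns query from 192.168.88.23: ads.example-tracker.test. A
17:40:02 dns query from 192.168.88.23: www.news-site.test. A
17:40:05 dns query from 192.168.88.40: telemetry.vendor.test. AAAA
17:40:09 dns query from 192.168.88.40: ads.example-tracker.test. A
17:40:11 dns query from 192.168.88.23: PIXEL.metrics.test. A
"""


def parse_hosts(text):
    """Return the set of blocked names from a hosts-format blocklist."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue                             # not a block entry
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host not in LOCAL_NAMES:
                names.add(host)
    return names


def blocked_report(blocklist, log_lines):
    """List (name, hits, clients) for logged names that are on the blocklist.

    Matching is exact (assumption): a listed name does not cover its
    subdomains. Rows are sorted by hit count, then by name.
    """
    hits = defaultdict(Counter)
    for line in log_lines:
        found = IPV4_RE.search(line)
        client = found.group(0) if found else "unknown"
        for match in NAME_RE.finditer(line):
            name = match.group(1).lower()
            if name in blocklist:
                hits[name][client] += 1
    rows = [(name, sum(per_client.values()), sorted(per_client))
            for name, per_client in hits.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    report = blocked_report(parse_hosts(SAMPLE_HOSTS), SAMPLE_LOG.splitlines())
    for name, count, clients in report:
        print(f"{count:5d}  {name}  <- {', '.join(clients)}")
```

The per-client column separates queries made from a browser from those that devices on the network generate on their own.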
 
anav
Forum Guru
Posts: 23312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 9:28 pm

What's with GitHub and Stephen Black? Is Mikrotik supporting this list, using this as a default?
Stated otherwise, what lists are people using, and are they trustworthy, up to date or effective and how do you know?
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 10:41 pm

What's with GitHub and Stephen Black? Is Mikrotik supporting this list, using this as a default?
Stated otherwise, what lists are people using, and are they trustworthy, up to date or effective and how do you know?
Sshhhh.... Steve's a big contributor to the Mikrotik PAC.
 
anav
Forum Guru
Posts: 23312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 10:47 pm

Last edited by anav on Mon Jan 27, 2025 10:52 pm, edited 2 times in total.
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 10:51 pm

Yes and tomorrow, Stephen cashes in his profits from the Trump bitcoin and stops working on the list...................... how useful will it be tomorrow??
Why in the world would he do that when he gets $0.0001 every time his list redirects a paying ad to my screen while blocking an "uncooperative" advertiser's ad from showing up?

That PAC money doesn't make itself ya know.
 
anav
Forum Guru
Posts: 23312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 10:55 pm

So does MT also provide a whitelist feature to help with false positives generated by the adlist feature LOL
 
Amm0
Forum Guru
Posts: 4694
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 10:57 pm

It's not like it's SENDING data to Mr. Black – worst case is some random website doesn't work if something got on his list, which can be easily remedied. Since it's a static file, no info is leaking out from "adlist" either beyond what normal would (i.e. something NOT on the list).

I don't use any lists... but I do think the COMBO of some "adlist" with one of the protective DNS servers seems entirely reasonable.

I used OpenDNS for a long while – as a low stakes way to always do "something" about malware. But past year+ been switching newer routers to Quad9's 9.9.9.9. My only thinking is OpenDNS seems to be languishing at the backwoods of Cisco, so I worry about future of it. While the Quad9 folks seemed focused on DNS and malware, and independent. Much like the original OpenDNS folks, before they were absorbed by Cisco.

Also on same basis as trusting "Steven" for adlist... I watched a video from the Quad9 CEO a while back, he seemed reasonably trustworthy. And, without stereotyping too much, I'd trust the Swiss to run DNS, more than say some of these Californian billionaires ;).
 
anav
Forum Guru
Posts: 23312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 11:02 pm

Nice AMMO. A touch of skepticism is always healthy. So just plain 9.9.9.9 no DOH etc.?
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 11:28 pm

It's not like it's SENDING data to Mr. Black – worst case is some random website doesn't work if something got on his list, which can be easily remedied. Since it's a static file, no info is leaking out from "adlist" either beyond what normal would (i.e. something NOT on the list).

I don't use any lists... but I do think the COMBO of some "adlist" with one of the protective DNS servers seems entirely reasonable.

I used OpenDNS for a long while – as a low stakes way to always do "something" about malware. But past year+ been switching newer routers to Quad9's 9.9.9.9. My only thinking is OpenDNS seems to be languishing at the backwoods of Cisco, so I worry about future of it. While the Quad9 folks seemed focused on DNS and malware, and independent. Much like the original OpenDNS folks, before they were absorbed by Cisco.

Also on same basis as trusting "Steven" for adlist... I watched a video from the Quad9 CEO a while back, he seemed reasonably trustworthy. And, without stereotyping too much, I'd trust the Swiss to run DNS, more than say some of these Californian billionaires ;).
I was just joking.

Seriously, the only reason I used that list is because that's what I saw people using in other threads.
 
Amm0
Forum Guru
Posts: 4694
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Jan 27, 2025 11:35 pm

Nice AMMO. A touch of skepticism is always healthy. So just plain 9.9.9.9 no DOH etc.?
Yeah. For me, no DoH...

Now I get the logic of DoH to "hide" your request - totally valid. It's just not my concern - someone, somewhere is collecting the DNS queries is my thought. So I'm not a big fan of introducing TCP's complexity (three-way handshake) into something so critical like DNS. UDP is going to be faster. Leaking some UDP DNS queries is better than potentially some oddities with DOH (either RouterOS or elsewhere) creeping up. But just my opinion.

Now one of the public DNS servers knowing about "bad domains", and returning NXDOMAIN or whatnot... I do like that part as I'd rather deal with a question about why one website does not work... Than say all of DNS not working because of a bug in DOH - or a PiHole container is down.
 
mozerd
Forum Veteran
Posts: 957
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Jan 28, 2025 9:48 am

Just wondering if the consensus is that setting up Adguard or PiHole actually makes Internet life better?
PiHole is excellent --- my Pihole currently blocks 7 million ad sites .. and its whitelisting capabilities work just great

I also strongly recommend MOAB because that will protect your "network" from the bad guys ... yes I am heavily prejudiced :D
 
woland
Member
Posts: 339
Joined: Mon Aug 16, 2021 4:49 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Jan 28, 2025 11:05 am

I always use 9.9.9.9 as my DNS Service as it provides me basic protections from the worst malicious domains, but it provides no ad blocking and no tuning options. False positives are very rare with it and also no additional CPU cycles consumed.
I tried different block lists with my Unbound setup and I had also Bind running as my recursive Name server with blocklists. Problem is sometimes the quality of the blocklists, you don't usually know which ones to use, to have sufficient ad blocking but not having too many false positives. It's also hard to maintain.
I then used a PiHole setup which was great, but after testing AdGuard I found that it has a more versatile GUI and I can have better control. (Maybe Pihole improved since)
What wasn't mentioned here: all DNS based ad blocking is by far inferior compared to the browser plugins. I use UBlock Origin everywhere, where I can. This provides the best results.
For basic protection and devices like IoT/mobile devices/TVs I still have AdGuard+Quad9, but the emerging issue is, that I can't block DoH for those.
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Jan 28, 2025 2:16 pm

I don't concern myself with using DoH, but primarily because I don't have the depth of understanding to be worried about it. My basic understanding is that it encrypts DNS requests and thereby provides greater privacy, but more so that it prevents an attack coming in by way of hijacking a DNS request. (There's only so much a guy can learn and implement....)

And, I tried implementing browser-based ad protection and it was a nightmare. I personally use 6 or 7 physical devices each with a browser and some of those I frequently use 2 or 3 different browsers (Chrome, Edge, and DuckDuckGo) because they behave differently (i.e., some things and sites work on one but not another) and because the caches screw up my multiple user logins to the same services like gmail and office365. So, maintaining browser-based ad protection would be onerous and ongoing. And, the fine tuning of these ad-blockers was ridiculously time-consuming.

And, generally, I place high value on simplicity of set up and a set it and leave approach.

That said, I set up the adlist and it has caught tens of thousands of requests (I don't actually know what "caught" means) and I just had my first issue:

cnbc.com complained that I am using an ad-blocker and depriving them of revenue. They asked if I could shut it off.

I think this goes to the balance, or compromise, that will inevitably be faced with these types of systems.

I'll continue using the single Stephen adlist, despite the only feedback or data I get is a complaint that I'm depriving a web site of needed revenue (as opposed to feedback that I am being spared undesired ads).
 
rextended
Forum Guru
Posts: 12973
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Jan 28, 2025 5:00 pm

It would be enough for all users to agree and boycott the products in the EXCESSIVE advertising banners,
sending protest emails to the companies in question, and they would stop advertising in that way, knowing that it would backfire on them...

I understand those who try to earn money with what they do for free,
but there also needs to be a balance,
especially on advertising done on things for which you are already paying the subscription. (I am not referring to the internet subscription).

If "my ISP" made me pay €2.00 more per month to have internet WITHOUT advertising, I would have already signed up... (less power consumed for pihole & Co.).

Too bad that as an ISP (in Italy) I am required by law to block the sites that the government tells me to,
but at the same time I cannot prevent my customers from reaching the others...
(otherwise I would have already put the filter on all the advertising sites for my customers)...
 
rextended
Forum Guru
Posts: 12973
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Jan 28, 2025 5:13 pm

Then in the future, and easily too
(given how people with the "security flag" start using DoH, https and other bullshit that worsen management and do not increase security at all),

I see that web pages will no longer be rendered by the browser,
but interactive images and interactive videos will arrive in which the banners will be integrated into the content and not removable by anything,
since everything will be encrypted and not modifiable on computer, like copy-protected streaming content that is uncompressed on GPU...
 
ToTheFull
Member
Posts: 418
Joined: Fri Mar 24, 2023 3:24 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Jan 28, 2025 6:16 pm

9.9.9.9 DOH still doesn't work properly for me, I have several drops per day.
1.1.1.1 works a treat!
 
Amm0
Forum Guru
Posts: 4694
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Jan 28, 2025 6:39 pm

9.9.9.9 DOH still doesn't work properly for me, I have several drops per day.
1.1.1.1 works a treat!
I watched a video from the Quad9 CEO [... —] I'd trust the Swiss to run DNS, more than these Californians billionaires ;)
FWIW Quad9 guy did another interview recently - I guess all the tracking caused it to appear in my YouTube feed – https://www.youtube.com/watch?v=KDi0YvS ... cXVhZDk%3D

And to @rextended's points and 9.9.9.9 DoH...
A touch of skepticism is always healthy. So just plain 9.9.9.9 no DOH etc.?
Yeah. For me, no DoH...

[...] I'm not a big fan of introducing TCP's complexity (three-way handshake) into something so critical like DNS. UDP is going to be faster. Leaking some UDP DNS queries is better than potentially some oddities with DOH (either RouterOS or elsewhere) creeping up. But just my opinion. [...]
Adding also even more potentially fragile certificate checking on DoH that risks breaking stuff down the road. Apparently this DoH breakage happened sooner for @ToTheFull ;).

And, on the later part of topic, for the record, I'm also not a big fan of ANY "content filtering" - whether ads, porn, or tiktok — from the technical POV that the standard/protocols nowadays simply do not readily allow it. These modern React/etc websites make it very difficult to do HTML modification on client-side, too. Just my opinion – but I'd rather see an ad than have a webpage take >100ms longer to load. And certainly don't want to hear about why other people's "web pages are slow" because I'm doing complex stuff on the network....
 
jollyrogr
newbie
Posts: 27
Joined: Sun Apr 21, 2024 10:31 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Jan 28, 2025 7:13 pm

I've been using PiHole for a number of years and it works for me. It handles the DHCP and DNS for my network too. Occasionally, I'll have to add something to a whitelist or blacklist. Also, best results are achieved when also using a good browser with a plugin like Ublock origin.
 
ToTheFull
Member
Posts: 418
Joined: Fri Mar 24, 2023 3:24 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Jan 28, 2025 9:38 pm

@Amm0 thanks for the context and points of view, also an interesting watch! I honestly am still using Ad-Blocking to stop some older devices from being bombarded with ads mostly on News Sites etc, also advertising to me is an irritation plain and simple. So in fact I could argue that things for us at least in the main are less cluttered. Faster DNS responses... No!
 
optio
Forum Guru
Posts: 1077
Joined: Mon Dec 26, 2022 2:57 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Jan 28, 2025 11:58 pm

From my experience regarding DNS privacy DoH/DoT is somewhat faster and much safer than recursive DNS on internet connection with higher latency like LTE. I have a setup where Unbound is used as upstream DNS for Pihole and ROS DNS, both running in its ROS container. First Unbound was configured to be recursive DNS but I experienced high DNS response times for non cached DNS records due to my Internet connection latency, after switching to DoT it is faster.
Also I noticed that (in my country) requests to Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) DoT DNS are routed to DNS servers hosted in my country and they are using upstream DNS of government agency and not acting as recursive (or they are recursive but intercepted) which raised privacy concern. Checked on several DNS leak sites. So I configured AdGuard DoT DNS (94.140.14.140:853) as Unbound upstream which is not hosted in my country and DNS leaks sites are reporting its DNS.
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Wed Jan 29, 2025 9:52 pm

Update:

After experiencing some degree of failures loading a few websites (cnbc.com, aplus.net's domain searching, and a couple of others) I decided to abandon the adlist DNS ad-blocking solutions.

This seems to be a pattern of mine: Every year or 2 I decide to do what the big boys indicate is better and smarter in this regard, and the costs/limitations/hassles are just too great.

All I have to answer to are family and guests -- I can't imagine supporting clients with an ad-blocking system (which appears to be all solutions) that breaks random web sites.

Maybe it's a full-employment thing (;-)
 
jbl42
Member Candidate
Posts: 257
Joined: Sun Jun 21, 2020 12:58 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Wed Jan 29, 2025 11:37 pm

./.,
Last edited by jbl42 on Wed Jan 29, 2025 11:40 pm, edited 1 time in total.
 
jbl42
Member Candidate
Posts: 257
Joined: Sun Jun 21, 2020 12:58 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Wed Jan 29, 2025 11:40 pm

I had good experience with PiHole, but my personal favorite for small local DNS with or without filtering is Technitium (https://github.com/TechnitiumSoftware/DnsServer). It supports UDP/TCP, DOH with http2/3, DNS over TLS and DNS over QUIC all both as server and client. I'm running it in both my home and my lab network in a container on a RB5009. Beside Docker/Container, it also can be natively installed on Windows, Linux, macOS and Raspberry Pi OS. I run it as a filtering forwarder to 9.9.9.9 with DOH. In my experience the Technitium upstream DOH client is much more reliable compared to PiHole or ROS. It is very clever in reusing existing TCP connection and running upstream queries in parallel. All fully configurable.

Whether you run into issues with webpages or services due to DNS filtering with AdGuard/PiHole/Technitium mostly depends on the filter lists in use. I recommend the 4 lists below, they are the ones used by uBlock Origin in default configuration and as such very well maintained:

https://easylist.to/easylist/easylist.txt
https://easylist.to/easylist/easyprivacy.txt
https://malware-filter.gitlab.io/malwar ... online.txt
https://pgl.yoyo.org/adservers/serverli ... rmat=hosts
 
anav
Forum Guru
Posts: 23312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Thu Jan 30, 2025 1:06 am

I do suggest you give mozerd's service a try.. if just for a month, I am curious as to what your experience will be like.
I predict you would be very content.
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Thu Jan 30, 2025 1:43 am

I do suggest you give mozerd's service a try.. if just for a month, I am curious as to what your experience will be like.
I predict you would be very content.
It's just not that high on my priority list.

And, just about any level of hassle is more than I have the time and patience for at this point. So, even if it (or any solution) works great, there will likely still be one or two web sites that are problematic and/or require a little tweaking, configuring, or compromise.

If 9.9.9.9 is good enough for so many knowledgeable people, it's good enough for me.
 
woland
Member
Posts: 339
Joined: Mon Aug 16, 2021 4:49 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Thu Jan 30, 2025 11:25 am

Well, blacklisting needs some time and effort until all works well. In my experience if you invest some time in the first few days to check the logs and create some exceptions, then it becomes almost completely hassle free. I need to add a new exception maybe once a year (mostly for my kids' dubious games). It's really easy to do on Pihole and Adguard.

In contrast 9.9.9.9 has never blocked anything for me it should not have blocked.
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Thu Jan 30, 2025 1:27 pm

Well, blacklisting needs some time and effort until all works well. In my experience if you invest some time in the first few days to check the logs and create some exceptions, then it becomes almost completely hassle free. I need to add a new exception maybe once a year (mostly for my kids' dubious games). It's really easy to do on Pihole and Adguard.

In contrast 9.9.9.9 has never blocked anything for me it should not have blocked.
This is fascinating. And confusing.

Doesn't every user regularly visit new sites? If I visit even a small handful of sites that I've never visited each week, and there were 20 such users on a network served by an ad-protected DNS system, that's 100 new sites/week.

No idea how many of those will be affected by the adlist, but even one or 2 means that every week there is tweaking to do, sometimes at the behest of a frustrated user (worst of whom would be me).
 
ToTheFull
Member
Posts: 418
Joined: Fri Mar 24, 2023 3:24 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Thu Jan 30, 2025 5:43 pm

I've used every kind of DNS/ad-blocker over the years, I think Pihole was the best for DoH but I've been using MikroTik's offering for the last 3 months.
That is DoH with Adlists, I don't need to see every detail or what people have looked at, not interested, hence Adlists is fine.
Along that journey I've found hagezi's pro list https://github.com/hagezi/dns-blocklists to be the best balance for me without having to meddle.
My problem with MikroTik has been that over the said period 9.9.9.9 DoH is giving me various timeout/drop issues vs Cloudflare. Why that is I don't know, it's just easier for me to just use Cloudflare DoH. Am I happy with that situation? No, but it must be better than Google!
Also I use a certificate to verify the adlist, could any of this break at any time, maybe. But I only have 4 people and 20 devices to look out for.
Then again, our lot are savvy enough to bang 1.1.1.1/53 at any point they wish, or shout pause please if something isn't working!
 
woland
Member
Posts: 339
Joined: Mon Aug 16, 2021 4:49 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Thu Jan 30, 2025 6:19 pm

This is fascinating. And confusing.

Doesn't every user regularly visit new sites? If I visit even a small handful of sites that I've never visited each week, and there were 20 such users on a network served by an ad-protected DNS system, that's 100 new sites/week.

No idea how many of those will be affected by the ad list, but even one or 2 means that every week there is tweaking to do, sometimes at the behest of a frustrated user (worst of whom would be me).
I'm not sure I get your point. The thing is, not every user visits new sites every time. Most of the traffic goes to the same sites again and again. Besides I don't have to do anything most of the time if a user visits a new site. It will just work and most of the ads are hopefully blocked. If not 100%, I don't care much. Adguard is just one measure and UblockOrigin takes care of almost 100% of annoying stuff and it almost never makes any trouble. I take action on Adguard mostly to add some white list items, seldom I do some blacklisting.
The results are not perfect, but better than just having nothing.

As for 9.9.9.9 and DoH: don't use DoH, if you are just using it as your DNS server for your router over UDP 53, then you will have zero issues.
Btw. I use one more trick in my network: to enforce everyone to use the same filtering, I Dst NAT every DNS request originating inside my net to my internal DNS server. That takes care of forwarding the requests over the enforced servers.
 
Amm0
Forum Guru
Posts: 4694
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Thu Jan 30, 2025 6:24 pm

My problem with MikroTik has been that over the said period 9.9.9.9 DoH is giving me various timeout/drop issues vs Cloudflare. Why that is I don't know, it's just easier for me to just use Cloudflare DoH. Am I happy with that situation? No, but it must be better than Google!
You could file a ticket with Quad9, since Mikrotik's DoH DNS generally works, or at least there have not been wholesale complaints about it. There are a lot of Mikrotiks in the world, so they may want to know it's flaky or have some idea. Long shot, but worth putting on their radar: https://www.quad9.net/support/contact
i.e. Quad9 DNS does document how to setup a Mikrotik:
https://docs.quad9.net/Setup_Guides/Ope ... rypted%29/
 
Josephny
Forum Guru
Topic Author
Posts: 1190
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Thu Jan 30, 2025 7:18 pm

This is fascinating. And confusing.

Doesn't every user regularly visit new sites? If I visit even a small handful of sites that I've never visited each week, and there were 20 such users on a network served by an ad-protected DNS system, that's 100 new sites/week.

No idea how many of those will be affected by the ad list, but even one or 2 means that every week there is tweaking to do, sometimes at the behest of a frustrated user (worst of whom would be me).
I'm not sure I get your point. The thing is, not every user visits new sites every time. Most of the traffic goes to the same sites again and again. Besides I don't have to do anything most of the time if a user visits a new site. It will just work and most of the ads are hopefully blocked. If not 100%, I don't care much. Adguard is just one measure and UblockOrigin takes care of almost 100% of annoying stuff and it almost never makes any trouble. I take action on Adguard mostly to add some white list items, seldom I do some blacklisting.
The results are not perfect, but better than just having nothing.

As for 9.9.9.9 and DoH: don't use DoH, if you are just using it as your DNS server for your router over UDP 53, then you will have zero issues.
Btw. I use one more trick in my network: to enforce everyone to use the same filtering, I Dst NAT every DNS request originating inside my net to my internal DNS server. That takes care of forwarding the requests over the enforced servers.
My point is the likelihood of a user encountering a site that has a problem, and thereby requiring work on my part, is too high.

In a few days of using adlist with a single list, I alone encountered several sites that had problems.
 
anav
Forum Guru
Posts: 23312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Thu Jan 30, 2025 8:40 pm

Hence why I keep harping you to try just for a month a service that is used for a wide variety of users with no issues....... It may provide you sanity. :-)
 
Rox169
Member
Posts: 476
Joined: Sat Sep 04, 2021 1:47 am

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Fri Jan 31, 2025 5:30 pm

Hi,
I really like the Quad9 9.9.9.9 using DNS over HTTPS. I have followed their guide on how to set up Mikrotik. It is working but I have daily this in log: DoH server response not OK: 502: no downstream server available

Any solution?
Thank you
 
Amm0
Forum Guru
Posts: 4694
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Fri Jan 31, 2025 7:15 pm

If it's multiple people with Quad9 over DoH having issues, "someone" really should file a bug with Mikrotik and/or Quad9, if it's repo'able. Mikrotik does not always take some action from the forum. DNS is so critical to things & ideally DoH be 100% reliable... but errors in DNS often causes subtle/hard problems sometimes, so deserves some attention if it's multiple folks...
 
ToTheFull
Member
Posts: 418
Joined: Fri Mar 24, 2023 3:24 pm

Re: Quick take: Cloudflare, Quad9, Google, NextDNS, Adguard or Pihole?

Fri Jan 31, 2025 7:52 pm

I've put a Ticket in to quad9 yesterday, nothing heard so far. Will update when I get any info.
I think I've already said multiple times it works with Cloudflare DoH fine. So I guess it can't just be Mikrotik's fault!

If I'm honest, yesterday wasn't the best day to put a ticket in with problems going on near me.
 
4everlearning
just joined
Posts: 1
Joined: Sat Feb 01, 2025 9:34 pm

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Sat Feb 01, 2025 9:40 pm

I followed Quad9's documentation (https://docs.quad9.net/Setup_Guides/Ope ... rypted%29/) [also listed above] and it was working but Netflix on my TV thought I was in a different country (Eastern European by my guess on the language). Are there any ways to fix this (direct to US servers?)?
Thanks in advance (I'm very green at this)
 
mozerd
Forum Veteran
Forum Veteran
Posts: 957
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Sun Feb 02, 2025 4:42 pm

I do suggest you give mozerds service a try.. if just for a month .... .... ....
MOAB has a 10 day Free Trial offer for those wishing to see MOAB deterrents at work ...
to see the free offer scroll down to near the bottom of the page that is linked above ...

And following is what my Pi-Hole looks like
Pi-Hole.jpg
 
mozerd
Forum Veteran
Forum Veteran
Posts: 957
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Feb 03, 2025 5:09 pm

Pi-Hole picture added above showing 7 million ad sites with a 70% block rate ...
 
Amm0
Forum Guru
Forum Guru
Posts: 4694
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Feb 03, 2025 6:23 pm

I followed Quad9's documentation (https://docs.quad9.net/Setup_Guides/Ope ... rypted%29/) [also listed above] and it was working but Netflix on my TV thought I was in a different country (Eastern European by my guess on the language). Are there any ways to fix this (direct to US servers?)?
Thanks in advance (I'm very green at this)
IDK. I take it you're sure you don't have some VPN active or anything. But streaming sites do a lot of complex things to get you a server (or cache) close to you... so it totally could be DNS somehow involved in the "wrong country" in that case. There is a "Get Support" at the bottom of the Quad9 page on Mikrotik; as suggested above, it's worth a ticket if you think it's Quad9 specifically - that's how these things improve. The alternative is NOT using DoH with Quad9, or using Cloudflare's DoH since that seems to get relatively good reviews, at least on performance/reliability.
 
576
just joined
Posts: 2
Joined: Fri Oct 27, 2023 3:19 am

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Fri Feb 07, 2025 7:52 pm

Hi there, have you heard back from Quad9 by any chance? I've had this same issue (various timeout/DoH server errors with 9.9.9.9 DoH) for around 8 months maybe. I also used their setup KB, though there's nothing really special or unique there. I have tried both increasing and decreasing DoH max server connections and DoH concurrent query settings. Rebooted router various times. Thought it was related to Mikrotik version at first, but the Quad9 issue has come and gone with almost every version I ran for 8 months or so I'd guess. I'm on 7.17.1 now. Changing to 1.1.1.1 DoH works fine, essentially never any issues.

Sometimes Quad9 DoH on Mikrotik works perfectly for many weeks at a time, then it gets bad (stops resolving queries), and I have to switch to 1.1.1.1 DoH. Wireshark shows TCP RST packets coming into my router from Quad9 at the time the DoH error messages show up in Mikrotik log. Sorry, I don't have pcap or exact error messages saved, I just keep switching between 1.1.1.1 and 9.9.9.9 DoH, however I do not like using 1.1.1.1 and wish Quad9 would just work.

To keep my post related to this thread: Quad9 DoH, with Mikrotik's adlist feature, is the perfect DNS solution for me personally. :)

I've put a Ticket in to quad9 yesterday, nothing heard so far. Will update when I get any info.
I think I've already said multiple times it works with Cloudflare DoH fine. So I guess it can't just be Mikrotik's fault!

If I'm honest, yesterday wasn't the best day to put a ticket in with problems going on near me.
 
jbl42
Member Candidate
Member Candidate
Posts: 257
Joined: Sun Jun 21, 2020 12:58 pm

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Sat Feb 08, 2025 12:04 am

Sometimes Quad9 DoH on Mikrotik works perfectly for many weeks at a time, then it gets bad (stops resolving queries),
I sometimes see the same on RB5009. One of the reasons I started to run 3rd party DNS servers in a container was to have better logging to investigate DoH issues with quad9. In the logs of my container-DNS also forwarding to quad9 with DoH, I sometimes see that quad9 suddenly starts to respond with SERVFAIL for valid DNS requests. This lasts for 10-60s, then things go back to normal. Sometimes if this happens, I also see TCP resets appearing to be from quad9. This sometimes happens twice a day, sometimes once every 3 weeks.

If this happens, it looks like the ROS forwarder gets confused and/or gives up and stops forwarding requests, even if the quad9 server is back to properly responding again. Most of the times it recovers on its own, but sometimes it doesn't and DNS forwarding stops working.
For me, what makes ROS forwarder working again immediately, is to disable "Allow Remote Requests" and re-enable it again in DNS settings.

I could not find reports about this and always suspected it to be caused by some middlebox or similar in my ISPs network or uplink.
One would expect to find reports about this if it would be a common issue with quad9. At least that's what I thought.
 
mke
newbie
Posts: 30
Joined: Wed Sep 27, 2017 3:37 am

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Sat Feb 08, 2025 1:02 pm

Does DOH actually work these days? I tried it on and off for years with nextdns and would always have drops every few hours with the same log messages as discussed on the nextdns forum post below. It has also been brought up here various times, I just assumed it was one of those known problems that would never be fixed (like ipv6 connections table never working in webfig, which afaik is still the case).

https://help.nextdns.io/t/m1h0aqr/doh-m ... tion-error
 
ToTheFull
Member
Member
Posts: 418
Joined: Fri Mar 24, 2023 3:24 pm

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Sat Feb 08, 2025 4:15 pm

Yes DoH/Adlist works fine for me using Cloudflare.

For those waiting for my response from Quad9, it hasn't happened. ticket No 39674 if you lot wish to give your thoughts to Quad9.
I gave up the will... meaning I'm now back on Cloudflare with no errors!
 
Amm0
Forum Guru
Forum Guru
Posts: 4694
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Sat Feb 08, 2025 7:05 pm

Yes DoH/Adlist works fine for me using Cloudflare.

For those waiting for my response from Quad9, it hasn't happened. ticket No 39674
Well, still information... Just not good information. I'd imagine they have less folks than Mikrotik, and trying to run geo-redundant servers independently – not an easy problem. And these multi-vendor interop things are always tough - as "it ain't my problem" often comes from both sides.
 
576
just joined
Posts: 2
Joined: Fri Oct 27, 2023 3:19 am

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Feb 10, 2025 7:01 pm

For those waiting for my response from Quad9, it hasn't happened. ticket No 39674 if you lot wish to give your thoughts to Quad9.
I gave up the will... meaning I'm now back on Cloudflare with no errors!
Thanks for replying!


For me, what makes ROS forwarder working again immediately, is to disable "Allow Remote Requests" and re-enable it again in DNS settings.
This is one thing I have not tried, I will try it next time the errors pop up. But I would think rebooting the router would be the same, unless there is something special going on when that checkbox is flipped. Otherwise, when Quad9 is misbehaving, rebooting the router makes no difference I've noticed. That's when I switch to Cloudflare for a day or two before going back to Quad9.
 
ToTheFull
Member
Member
Posts: 418
Joined: Fri Mar 24, 2023 3:24 pm

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Feb 10, 2025 8:25 pm

ok, we have a little movement from quad9, they replied and asked a few basic questions. IP and dns server location provided!
So let me be as transparent as I can be from my end. I made some smokeping graphs on a quad-core cpu to monitor my gateway/modem/router and another downstream monitor from a reliable local firebrick which I will share. Also within a few hours of moving back to Quad9 @11:45am this morning I had a drop. I've been on Cloudflare all weekend with Zero drops.
 
jbl42
Member Candidate
Member Candidate
Posts: 257
Joined: Sun Jun 21, 2020 12:58 pm

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Tue Feb 11, 2025 2:05 am

I just had another "DNS outage" this evening, caused by many DoH requests to quad9 timing out. My DNS server log is full of timed out entries like
DnsClient failed to resolve the request '<some.host.com>. A IN': request timed out for name servers [https://dns.quad9.net/dns-query (9.9.9.9), https://dns.quad9.net/dns-query (149.112.112.112)].
I see the same on PowerDNS and technitium-dns servers and also on ROS DNS forwarder. Sometimes quad9 works several weeks without issue, then suddenly there are a few hours with frequent connection problems. So I think we can state it's not a ROS problem, but something on the quad9 DoH end.
Same as you, Cloudflare DoH works "forever" without a single hiccup. And I would also prefer to use quad9, because naive as I probably am, I trust them more than Cloudflare. But it's just not reliable enough.

Edit:
The quad9 reddit has several reports from all over the world about intermittent slow resolution times and timeouts in the last days/weeks
https://www.reddit.com/r/Quad9/
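
The intermittent DoH failures reported in this thread can be quantified from a RouterOS log export instead of being judged by eye. The Python below is an added example, not code from any poster, MikroTik or Quad9: it parses lines in the `dns,error` / `dns,warning` layout quoted in the thread, labels each failure, and groups them into outage episodes. The sample log, the label names and the 120-second grouping gap are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the "date time topics message" layout of a RouterOS log export.
SAMPLE_LOG = """\
# 2025-03-02 08:00:00 by RouterOS (constructed sample)
 2025-03-01 10:00:05 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-03-01 14:30:10 dns,warning DoH server response not OK: 502: no downstream server available
 2025-03-01 14:30:12 dns,warning DoH server response not OK: 502: no downstream server available [ignoring repeated messages]
 2025-03-01 23:09:49 dns,error DoH server connection error: Idle timeout - connecting
 2025-03-01 23:10:20 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-03-01 23:11:02 dns,error DoH server connection error: SSL: handshake timed out (6)
 2025-03-01 23:12:15 dns,error DoH server connection error: Idle timeout - connecting
 2025-03-01 23:13:40 dns,error DoH server connection error: Connection refused
 2025-03-02 07:20:05 dns,error DoH server connection error: while reading - Connection reset by peer
 2025-03-02 07:45:00 system,info unrelated line
"""

LINE_RE = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dns,(?:error|warning) "
    r"(DoH server .+?)( \[ignoring repeated messages\])?\s*$"
)

# Substring -> label (labels are this example's own naming). First match wins.
KINDS = [
    ("response not OK: 502", "http_502"),          # HTTP reply arrived, resolver backend unavailable
    ("remote disconnected", "remote_disconnect"),  # peer closed mid HTTP exchange
    ("Connection reset by peer", "tcp_reset"),
    ("Broken pipe", "broken_pipe"),
    ("Idle timeout", "connect_timeout"),           # could not (re)connect at all
    ("SSL:", "tls_error"),
    ("Connection refused", "refused"),
]


def classify(message):
    for needle, label in KINDS:
        if needle in message:
            return label
    return "other"


def parse(log_text):
    """Return sorted (timestamp, kind, suppressed) tuples for DoH log lines only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header comments and non-DNS topics are skipped
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, classify(m.group(2)), m.group(3) is not None))
    return sorted(events)


def totals(events):
    return Counter(kind for _, kind, _ in events)


def episodes(events, max_gap=timedelta(seconds=120)):
    """Merge events separated by at most max_gap into one episode."""
    out = []
    for ts, kind, suppressed in events:
        if out and ts - out[-1]["end"] <= max_gap:
            ep = out[-1]
        else:
            ep = {"start": ts, "end": ts, "events": 0, "kinds": Counter(), "suppressed": 0}
            out.append(ep)
        ep["end"] = ts
        ep["events"] += 1
        ep["kinds"][kind] += 1
        # A suppression marker means more failures happened than were logged.
        ep["suppressed"] += suppressed
    return out


def sustained(eps, min_events=3):
    """Episodes long enough to be a resolver outage rather than a single dropped connection."""
    return [ep for ep in eps if ep["events"] >= min_events]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(dict(totals(evs)))
    for ep in sustained(episodes(evs)):
        secs = int((ep["end"] - ep["start"]).total_seconds())
        print(ep["start"], "->", ep["end"], f"{secs}s", dict(ep["kinds"]))
```

Separating isolated disconnects from sustained episodes shows whether clients actually lost resolution, which is the point at which a filtering resolver stops protecting the network and a fallback upstream is needed.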
 
ToTheFull
Member
Member
Posts: 418
Joined: Fri Mar 24, 2023 3:24 pm

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Mon Feb 24, 2025 1:40 pm

I don't have a now and then problem. It's an all the time problem on quad9
Downstream graphs from a firebrick at the bottom.
# 2025-02-23 11:45:23 by RouterOS 7.17.2
# software id = 
#
 2025-02-11 17:12:18 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-11 18:21:13 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-11 18:47:18 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-11 18:48:38 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-11 19:09:46 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-11 20:16:12 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-11 22:37:12 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-12 17:25:15 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-12 17:42:32 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-12 18:06:17 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-12 18:06:29 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-12 18:07:55 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-12 18:07:57 dns,warning DoH server response not OK: 502: no downstream server available [ignoring repeated messages]
 2025-02-12 21:26:14 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-13 04:05:11 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-13 07:24:11 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-13 07:26:46 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-13 17:08:28 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-13 17:22:38 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-13 18:46:28 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-13 18:48:15 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-13 19:55:56 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-13 20:10:30 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-13 20:10:30 dns,warning DoH server response not OK: 502: no downstream server available [ignoring repeated messages]
 2025-02-13 20:10:41 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-14 19:00:44 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-14 19:38:19 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-14 19:47:47 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 06:24:16 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 06:25:00 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 06:52:25 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 06:55:26 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 06:57:16 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 06:58:26 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 07:20:05 dns,error DoH server connection error: while reading - Connection reset by peer
 2025-02-15 07:20:05 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 11:33:24 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 11:38:20 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 12:02:32 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 17:02:16 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 18:41:31 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 19:00:51 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 19:01:40 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 19:27:53 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 19:27:53 dns,error DoH server connection error: remote disconnected while in HTTP exchange [ignoring repeated messages]
 2025-02-15 20:45:36 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-15 22:36:40 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-16 05:57:40 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-16 05:57:40 dns,error DoH server connection error: remote disconnected while in HTTP exchange [ignoring repeated messages]
 2025-02-16 10:20:49 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-16 10:22:59 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-16 14:23:13 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-16 14:23:13 dns,error DoH server connection error: remote disconnected while in HTTP exchange [ignoring repeated messages]
 2025-02-16 17:36:37 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-16 17:38:04 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-16 19:14:37 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-16 19:42:35 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-16 20:26:05 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-16 21:46:22 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-16 21:57:30 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-16 21:58:55 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-16 22:06:12 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-16 22:06:12 dns,warning DoH server response not OK: 502: no downstream server available [ignoring repeated messages]
 2025-02-16 22:22:13 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 07:33:40 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-17 07:33:51 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-17 12:50:19 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 15:37:40 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-17 15:37:42 dns,warning DoH server response not OK: 502: no downstream server available [ignoring repeated messages]
 2025-02-17 15:37:53 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-17 16:04:14 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 17:10:23 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 18:07:51 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 19:07:14 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 19:12:25 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 19:12:25 dns,error DoH server connection error: remote disconnected while in HTTP exchange [ignoring repeated messages]
 2025-02-17 20:27:36 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 20:33:22 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 20:49:10 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 22:51:48 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-17 23:13:00 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-18 05:53:06 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-18 06:25:24 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-18 18:10:34 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-18 18:10:39 dns,error DoH server connection error: remote disconnected while in HTTP exchange [ignoring repeated messages]
 2025-02-18 19:31:34 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-18 21:34:23 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-18 23:09:49 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:09:54 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:10:55 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:10:55 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:11:52 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:11:52 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:12:59 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:13:23 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:13:23 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:13:34 dns,error DoH server connection error: SSL: internal error (6)
 2025-02-18 23:13:40 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:13:41 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:13:51 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:13:54 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:14:05 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:14:29 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:14:52 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:14:52 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:15:02 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:15:07 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:15:17 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:15:21 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:15:45 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:15:57 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:15:58 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:16:22 dns,error DoH server connection error: SSL: handshake timed out (6)
 2025-02-18 23:16:52 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:17:12 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:17:32 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:18:25 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:18:31 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:18:38 dns,error DoH server connection error: Connection refused
 2025-02-18 23:19:00 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:19:00 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:19:39 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:19:59 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:20:08 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:20:09 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:20:22 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:20:25 dns,error DoH server connection error: Idle timeout - connecting [ignoring repeated messages]
 2025-02-18 23:20:43 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-18 23:21:28 dns,error DoH server connection error: Idle timeout - connecting
 2025-02-19 09:42:18 dns,warning DoH server response not OK: 502: no downstream server available
 2025-02-19 14:17:31 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-19 15:56:32 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-19 20:12:03 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-20 09:29:24 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-20 18:01:01 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-20 23:20:27 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-20 23:29:57 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-20 23:44:23 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-21 18:42:23 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-21 20:43:10 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-21 22:24:40 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-21 23:51:11 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 01:02:07 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 07:46:35 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 09:14:13 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 09:46:33 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 10:59:25 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 16:43:41 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 17:18:00 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 17:47:46 dns,error DoH server connection error: while sending - Broken pipe
 2025-02-22 19:16:43 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 19:31:03 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 19:31:03 dns,error DoH server connection error: remote disconnected while in HTTP exchange [ignoring repeated messages]
 2025-02-22 20:03:53 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-22 21:33:50 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-23 08:41:50 dns,error DoH server connection error: remote disconnected while in HTTP exchange
 2025-02-23 11:34:06 dns,error DoH server connection error: remote disconnected while in HTTP exchange