DNS over HTTPS

souravmaiti · Wed Apr 22, 2020 9:10 am

Mikrotik 6.47 has been introduced long awaited DoH.
But when I put any DoH server (for example https://cloudflare-dns.com/dns-query ) it gives error
DoH Connection Error, Idle Timeout.

Any clue ?

Wed Apr 22, 2020 9:25 am

Follow these steps exactly:

./ip dns set servers=1.1.1.1,1.0.0.1
./system ntp client set enabled=yes server-dns-names=time.cloudflare.com
./tool fetch url=https://curl.haxx.se/ca/cacert.pem
./certificate import file-name=cacert.pem passphrase=""
./ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
./ip dns set servers=""

souravmaiti · Wed Apr 22, 2020 11:21 am

Any guide for Google DoH settings ?

msatter · Wed Apr 22, 2020 11:24 am

For Google you still a first resolve through a normal DNS or it will not know how to reach the DOH of Google. Cloudflare used a trick to by putting 1.1.1.1 as alternative name in their certificate.

eworm · Wed Apr 22, 2020 11:26 am

Do the same, but with different url: https://8.8.8.8/dns-query

eworm · Wed Apr 22, 2020 11:32 am

Uh, google does a redirect there... So use this:

/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes

Wed Apr 22, 2020 11:45 am

He either should turn off the certificate check, or find google certificates.
Also it's not correct to use DNS name in the DNS server address

eworm · Wed Apr 22, 2020 11:57 am

The file you linked includes the certificates required for google services, no?
So my commands were intended on top of yours.

I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address?

Jotne · Wed Apr 22, 2020 12:20 pm

I just added this to Use Doh Server

https://1.1.1.1/dns-query

I think its better to use IP only, so you do not need extra DNS server, to just resolve the DoH server

eworm · Wed Apr 22, 2020 1:21 pm

Yes, that's true in general and for Cloudflare. But google does not allow to use https://8.8.8.8/dns-query directly. It sends a redirect in HTTP header to https://dns.google/dns-query.

Well, checking again... It does send a redirect, but the dns response is contained as well...

% curl -I 'https://8.8.8.8/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'
HTTP/2 301 
location: https://dns.google/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
date: Wed, 22 Apr 2020 08:29:24 GMT
expires: Thu, 23 Apr 2020 08:29:24 GMT
server: sffe
content-length: 269
x-xss-protection: 0
cache-control: public, max-age=86400
age: 6656
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000

msatter · Wed Apr 22, 2020 1:57 pm

Uh, google does a redirect there... So use this:

/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes

Maybe this can be combined to a bootstrap IP. Also adding the direct IP in the DOH setting used only (once) to bootstrap the DoH. No need for static then.

Leaves the problem with the certificate not being retrieved on it own.

sohel07 · Sat May 23, 2020 7:09 pm

Follow these steps exactly:

./ip dns set servers=1.1.1.1,1.0.0.1
./system ntp client set enabled=yes server-dns-names=time.cloudflare.com
./tool fetch url=https://curl.haxx.se/ca/cacert.pem
./certificate import file-name=cacert.pem passphrase=""
./ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
./ip dns set servers=""

But I unable to access the internet until I set a DNS.

anav · Sat May 23, 2020 7:22 pm

Okay after some reading my questions boil down to
Q. Advantage of MT router implementation over simply using firefox?
- it covers any browser being used?

Why not make Doh, part of the default setup for routers coming from the factory??

Right now for dynamic servers I have listed in order 1.1.1.1, 1.0.0.1, 9.9.9.9
Do I have to remove th third entry 9.9.9.9 (will it eff up the plan)?

There is no such entry as /IP system NTP client.
(System is a separate entry and what it has is an SNTP client which I use to provide time.).

Okay so maybe I am missing a NTP package? Do I need it or can I use the sntp module??

Okay So I loaded the NTP package. Do I keep the current sntp setup (designed for time only) assuming this NTP setup is for DoH??

vortex · Sat May 23, 2020 8:09 pm

How could it be the default if you don't know which service you can trust?

dave864 · Sun May 24, 2020 5:11 pm

This is great news.
Does anyone know the url to fetch the google cert?

foolbaby · Tue May 26, 2020 2:04 pm

Follow these steps exactly:

./ip dns set servers=1.1.1.1,1.0.0.1
./system ntp client set enabled=yes server-dns-names=time.cloudflare.com
./tool fetch url=https://curl.haxx.se/ca/cacert.pem
./certificate import file-name=cacert.pem passphrase=""
./ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
./ip dns set servers=""

thanks, its work but sometimes it gives error :
15:28:41 dns,error DoH server connection error: remote disconnected while in HTTP exchange
15:29:37 dns,error DoH server connection error: SSL: std failure: timeout (13)
15:29:42 dns,error DoH server connection error: SSL: handshake timed out (6)
15:29:42 dns,error DoH server connection error: SSL: internal error (6)
15:29:42 dns,error DoH server connection error: Idle timeout - connecting
17:52:53 dns,error DoH server connection error: Idle timeout - waiting data

i hope DoH gets better in the next release

Tue May 26, 2020 2:47 pm

can you ping the DoH server?

foolbaby · Tue May 26, 2020 2:50 pm

can you ping the DoH server?

yes it can ping.
but its happen sometimes . its just new setup. still on monitoring.

TheDoctor · Tue May 26, 2020 7:28 pm

/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

expected end of command (line 1 column 12)

is there any solution, please, for 6.46.6 ?

eworm · Tue May 26, 2020 8:06 pm

This is not supposed in 6.46.6. You have to use 6.47 for that feature.

Jotne · Tue May 26, 2020 8:48 pm

And 6.47 is still in testing

foolbaby · Tue May 26, 2020 9:11 pm

can you ping the DoH server?

maybe this is the problem.
or maybe my router is to old

lol
the cpu gets down when i disable the nat for transparent dns.
and what is the meaning of this warning logs ?

may/27 01:04:34 dns,warning DoH max concurrent queries reached, ignoring query

TheDoctor · Tue May 26, 2020 9:52 pm

And 6.47 is still in testing

is it possible to talk about some release dates according to 6.47 or it is extremely premature ?

Jotne · Tue May 26, 2020 10:00 pm

6.47 RC was just released over here: viewtopic.php?f=21&t=161583

shunkica · Sun Jun 07, 2020 10:02 am

How can I use multiple DoH servers in case first one is unreachable?
Why does it not fall back to DNS servers if the DoH server is unreachable?

Jotne · Sun Jun 07, 2020 5:18 pm

We did have a discussion about that over here: viewtopic.php?p=798678#p798678

I have added a second DoH server. Did not find out how/where to get the certificate for it, so it will use Cloud Flare with certificate and google without.

:local result yes
:do {tool fetch url="https://1.1.1.1/dns-query\?name=mikrotik.ca%26type=A" output=file dst-path=result \
    http-header-field=accept:application/dns-json} on-error={:set result no}
:if $result do={
  /ip dns set servers="" use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
} else={
  /ip dns set allow-remote-requests=yes servers=8.8.8.8 use-doh-server=https://dns.google/dns-query verify-doh-cert=no
}

PS google needs to use DNS name in URL to work, so 8.8.8.8 is added. It will not be used for other clients,
Mikrotik should add a possibility for multiple DoH and/or fallback to old/normal DNS reques.t

sindy · Sun Jun 07, 2020 5:42 pm

PS google needs to use DNS name in URL to work, so 8.8.8.8 is added. It will not be used for other clients

I am afraid of frying my router's flash, so I don't run 6.47 yet; do static entries have precedence over DoH? If yes, I'd rather use

/ip dns static
add name=dns.google address=8.8.8.8
add name=dns.google address=8.8.4.4

than

/ip dns set servers=8.8.8.8,8.8.4.4

msatter · Sun Jun 07, 2020 6:47 pm

No, except for FWD.

Sob · Sun Jun 07, 2020 8:02 pm

I think you meant "Yes, except for FWD". Static entries are still preferred with DoH, except FWDs, those are currently ignored. There are also other differences but they don't affect @sindy's use case.

Jotne · Sun Jun 07, 2020 8:09 pm

do static entries have precedence over DoH? If yes, I'd rather use

I can confirm that it is. And agree that a static entry is a better solution.

msatter · Sun Jun 07, 2020 10:02 pm

I think you meant "Yes, except for FWD". Static entries are still preferred with DoH, except FWDs, those are currently ignored. There are also other differences but they don't affect @sindy's use case.

I had this posting in my memory: viewtopic.php?f=21&t=161583#p795962
And some where I picked up that FWD was an exception.

But then I won't touch DoH again, even with a long poke.

It is just a dream for the big firms collecting information come true, people just (want to) don't see that.

You can argue that are free to choose a more private aware DNS servers but 99% will use Google and Cloudflare in the end....sounds of popping champagne bottles in the background.

That is why I am not happy with Mikrotik implementing it after bring pressured to do that by many post here asking for it.

Use unbound or Knot resolver through a VPN tunnel. DoH gives you a false security.

This does not mean DoH has not a place. It has a place in countries that don't allow unchanged DNS usage and VPN. DNS is even sabotaged by returning the wrong root servers IP addresses as Sky UK did or still is doing. Breaking resolving by yourself.

Sadly there are to many people that not aware how we are watched all the time. It is a step back instead of being a step forward in privacy.

Jotne · Sun Jun 07, 2020 10:19 pm

You can argue that are free to choose a more private aware DNS servers but 99% will use Google and Cloudflare in the end....sounds of popping champagne bottles in the background.

I was in Turkey last year, and there Wikipedia was blocked used DNS block. DoH agent om my PC solved this fine. Also I do not like that my ISP or governmental can spy on my traffic.

Running DoH on MikroTik since first beta, and I have nothing negative to say about it. It resolves all my requests

msatter · Sun Jun 07, 2020 11:10 pm

You can argue that are free to choose a more private aware DNS servers but 99% will use Google and Cloudflare in the end....sounds of popping champagne bottles in the background.
I was in Turkey last year, and there Wikipedia was blocked used DNS block. DoH agent om my PC solved this fine. Also I do not like that my ISP or governmental can spy on my traffic.

Running DoH on MikroTik since first beta, and I have nothing negative to say about it. It resolves all my requests

And I referred in my posting the DoH has right to exist but not for daily/constant usage. If you live in Turkey or China or any other totalitarian county then you have my blessing.

It like saying McDonalds is healthy, because you order a salad with you burger and sugary drink.

Sob · Sun Jun 07, 2020 11:35 pm

It's a tool like any other. A hammer can be used to hit a nail or someone's head, it's everyone's choice, but you don't blame the hammer. Same with DoH, you can use different public servers or run your own. If you're affraid of Google and friends, you probably shouldn't use their servers.

Jotne · Sun Jun 07, 2020 11:37 pm

It like saying McDonalds is healthy, because you order a salad with you burger and sugary drink.

And if you connect to the "free" Wifi in McDonald, the they can spy on all your DNS requests to see what the clients surf on when thy are there. A VPN is a better solution, but just shows that any can spy on you.

anav · Sun Jun 07, 2020 11:57 pm

I am getting hungry!

PS, I will implement DoH in honour of homer simpson and if Jotne can convince me that there is no loss in performance and my internet traffic is better concealed from the scammers of commercialism and the dictatorships of secret police be they chinese, russian, american or north korean LOL.

Jotne · Mon Jun 08, 2020 12:05 am

Best is to remove internet complete, than your are a lot more secure.

anav · Mon Jun 08, 2020 12:29 am

Best is to remove internet complete, than your are a lot more secure.

Not true, just facebook, instagram, snapchat, twitter and tik tok.

msatter · Mon Jun 08, 2020 12:56 am

It's a tool like any other. A hammer can be used to hit a nail or someone's head, it's everyone's choice, but you don't blame the hammer. Same with DoH, you can use different public servers or run your own. If you're affraid of Google and friends, you probably shouldn't use their servers.

The nail has the choice which side to sink in, head or wood. Though one. With a hamer the direction to go, is clear.

VPN is also a trust you have in the provider you have chosen. Running your own resolver is easy these days and you have still only choose wich taste you want.

Encypting the connection for a tiny amount of traffic is time consuming, so reusing the already encrypted connection is speeding up things if resolve requests are many.

BlackFate · Mon Jun 08, 2020 1:24 am

Not sure why Mikrotik never implimeneted DoT and went for DoH. Routers are tools to implement and include to network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers

Mikrotik should be promoting good network practices, not the latest gimmic because some overexcited teenager requested it in a forum post.

anav · Mon Jun 08, 2020 2:24 am

Probably because it was easier?

msatter · Mon Jun 08, 2020 3:14 pm

I have to apologize for calling hamburges with McDonalds unhealty.

Eating one McDonalds hamburger yourself does not mean that all McDonalds hamburger are unhealthy also.

Just trying to be inculsive.

anav · Mon Jun 08, 2020 4:34 pm

Its called JUNK food for a reason.

You were right the first time.

anav · Mon Jun 08, 2020 4:34 pm

If one is predisposed to eating at McD as a primary food source, I will help you in assisted ..............., for a lot less $$ and a lot quicker (no suffering for those last 10-20 years).

shunkica · Wed Jun 10, 2020 2:35 am

I have added a second DoH server. Did not find out how/where to get the certificate for it, so it will use Cloud Flare with certificate and google without.

What do you mean? How did you add a second DoH server?
If you mean the script you posted that is not adding a second DoH server. It is just replacing the one DoH server

This contains GlobalSign Root CA - R2, among others, which is what dns.google uses: https://curl.haxx.se/ca/cacert.pem

sindy · Wed Jun 10, 2020 8:35 am

If you mean the script you posted that is not adding a second DoH server. It is just replacing the one DoH server

It depends on the point if view. As the script monitors the responsiveness of the primary server and replaces it in the configuration by the secondary one whenever it stops responding, and puts back the primary one once it starts responding again, it can be seen as "adding a second one". Yes, it modifies configuration (so writes to flash), yes, it has to be spawned quite often to be useful (so it wastes some CPU), but it serves the purpose.

And there is a minor mistake in it which I've noticed later, there should be a plain & at the place of the %26. Minor because the server does respond (so the monitoring goal is met) but provides no Answer section with the %26 in place.

What is worse is that the Cloudflare does respond whereas Google returns 400 Bad Request (even with the &).

Jotne · Wed Jun 10, 2020 10:06 am

What do you mean? How did you add a second DoH server?

Just as Sindy writes. Using a fail-over script to a second server.
What can also be done, is to setup three routes. One with two DNS points to the two other. Then the two other running each own DoH.
Will test the google cert

Jotne · Wed Jun 10, 2020 10:18 am

This contains GlobalSign Root CA - R2, among others, which is what dns.google uses: https://curl.haxx.se/ca/cacert.pem

This worked, but installed 137 Certificates

Do I need all? Can I see what is use?

TheSirStumfy · Wed Jun 10, 2020 10:59 am

You only need the root certificate of the service you want to use.

Jotne · Wed Jun 10, 2020 11:11 am

And from this list what is the root certificate needed for DoH to work?

 1       T cacert.pem_0         GlobalSign Root CA                                                                      ebd41040e4bb3ec742c9e38...
 2  L    T cacert.pem_1         GlobalSign                                                                              ca42dd41745fd0b81eb9023...
 3       T cacert.pem_2         VeriSign Class 3 Public...                                                              eb04cf5eb1f39afa762f2bb...
 4       T cacert.pem_3         Entrust.net Certificati...                                                              6dc47172e01cbcb0bf62580...
 5       T cacert.pem_4         Baltimore CyberTrust Root                                                               16af57a9f676b0ab126095a...
 6      ET cacert.pem_5         AddTrust External CA Root                                                               687fa451382278fff0c8b11...
 7       T cacert.pem_6         Entrust Root Certificat...                                                              73c176434f1bc6d5adf45b0...
 8       T cacert.pem_7         GeoTrust Global CA                                                                      ff856a2d251dcd88d36656f...
 9       T cacert.pem_8         GeoTrust Universal CA                                                                   a0459b9f63b22559f5fa5d4...
10       T cacert.pem_9         GeoTrust Universal CA 2                                                                 a0234f3bc8527ca5628eec8...
11  L    T cacert.pem_10        AAA Certificate Services                                                                d7a7a0fb5d7e2731d771e94...
12       T cacert.pem_11        QuoVadis Root Certifica...                                                              a45ede3bbbf09c8ae15c72e...
13       T cacert.pem_12        QuoVadis Root CA 2                                                                      85a0dd7dd720adb7ff05f83...
14       T cacert.pem_13        QuoVadis Root CA 3                                                                      18f1fc7f205df8adddeb7fe...
15       T cacert.pem_14                                                                                                e75e72ed9f560eec6eb4800...
16       T cacert.pem_15        Sonera Class2 CA                                                                        7908b40314c138100b518d0...
17  L    T cacert.pem_16        XRamp Global Certificat...                                                              cecddc905099d8dadfc5b1d...
18       T cacert.pem_17                                                                                                c3846bf24b9e93ca64274c0...
19       T cacert.pem_18                                                                                                1465fa205397b876faa6f0a...
20       T cacert.pem_19                                                                                                7600295eefe85b9e1fd624d...
21       T cacert.pem_20        DigiCert Assured ID Roo...                                                              3e9099b5015e8f486c00bce...
22       T cacert.pem_21        DigiCert High Assurance...                                                              7431e5f4c3c1ce4690774f0...
23       T cacert.pem_22        DST Root CA X3                                                                          0687260331a72403d909f10...
24       T cacert.pem_23        SwissSign Gold CA - G2                                                                  62dd0be9b9f50a163ea0f8e...
25       T cacert.pem_24        SwissSign Silver CA - G2                                                                be6c4da2bbb9ba59b6f3939...
26       T cacert.pem_25        GeoTrust Primary Certif...                                                              37d51006c512eaab626421f...
27       T cacert.pem_26        thawte Primary Root CA                                                                  8d722f81a9c113c0791df13...
28       T cacert.pem_27        VeriSign Class 3 Public...                                                              9acfab7e43c8d880d06b262...
29  L    T cacert.pem_28        SecureTrust CA                                                                          f1c1b50ae5a20dd8030ec9f...
30  L    T cacert.pem_29        Secure Global CA                                                                        4200f5043ac8590ebb527d2...
31  L    T cacert.pem_30        COMODO Certification Au...                                                              0c2cd63df7806fa399ede80...
32  L    T cacert.pem_31        Network Solutions Certi...                                                              15f0ba00a3ac7af3ac884c0...
33       T cacert.pem_32        COMODO ECC Certificatio...                                                              1793927a0614549789adce2...
34       T cacert.pem_33        OISTE WISeKey Global Ro...                                                              41c923866ab4cad6b7ad578...
35       T cacert.pem_34        Certigna                                                                                e3b6a2db2ed7ce48842f7ac...
36  L    T cacert.pem_35        Cybertrust Global Root                                                                  960adf0063e96356750c296...
37       T cacert.pem_36                                                                                                c0a6f4dc63a24bfdcf54ef2...
38       T cacert.pem_37                                                                                                eaa962c4fa4a6bafebe4151...
39       T cacert.pem_38        GeoTrust Primary Certif...                                                              b478b812250df878635c2aa...
40       T cacert.pem_39        thawte Primary Root CA ...                                                              a4310d50af18a6447190372...
41       T cacert.pem_40        thawte Primary Root CA ...                                                              4b03f45807ad70f21bfc2ca...
42       T cacert.pem_41        GeoTrust Primary Certif...                                                              5edb7ac43b82a06a8761e8d...
43       T cacert.pem_42        VeriSign Universal Root...                                                              2399561127a57125de8cefe...
44       T cacert.pem_43        VeriSign Class 3 Public...                                                              69ddd7ea90bb57c93e135dc...
45       T cacert.pem_44                                                                                                6c61dac3a2def031506be03...
46      ET cacert.pem_45        Staat der Nederlanden R...                                                              668c83947da63b724bece17...
47       T cacert.pem_46        Hongkong Post Root CA 1                                                                 f9e67d336c51002ac054c63...
48       T cacert.pem_47        SecureSign RootCA11                                                                     bf0feefb9e3a581ad5f9e9d...
49       T cacert.pem_48        Microsec e-Szigno Root ... email:info@e-szigno.hu                                       3c5f81fea5fab82c64bfa2e...
50       T cacert.pem_49        GlobalSign                                                                              cbb522d7b7f127ad6a01138...
51       T cacert.pem_50        Autoridad de Certificac...                                                              04048028bf1f2864d48f9ad...
52       T cacert.pem_51        Izenpe.com                 email:info@izenpe.com                                        2530cc8e98321502bad96f9...
53       T cacert.pem_52        Chambers of Commerce Ro...                                                              063e4afac491dfd332f3089...
54       T cacert.pem_53        Global Chambersign Root...                                                              136335439334a7698016a0d...
55       T cacert.pem_54        Go Daddy Root Certifica...                                                              45140b3247eb9cc8c5b4f0d...
56       T cacert.pem_55        Starfield Root Certific...                                                              2ce1cb0bf9d2f9e102993fb...
57       T cacert.pem_56        Starfield Services Root...                                                              568d6905a2c88708a4b3025...
58       T cacert.pem_57        AffirmTrust Commercial                                                                  0376ab1d54c5f9803ce4b2e...
59       T cacert.pem_58        AffirmTrust Networking                                                                  0a81ec5a929777f145904af...
60       T cacert.pem_59        AffirmTrust Premium                                                                     70a73f7f376b60074248904...
61       T cacert.pem_60        AffirmTrust Premium ECC                                                                 bd71fdf6da97e4cf62d1647...
62       T cacert.pem_61        Certum Trusted Network CA                                                               5c58468d55f58e497e74398...
63       T cacert.pem_62        TWCA Root Certification...                                                              bfd88fe1101c41ae3e801bf...
64       T cacert.pem_63                                                                                                513b2cecb810d4cde5dd853...
65       T cacert.pem_64        EC-ACC                     email:ec_acc@catcert.net                                     88497f01602f3154246ae28...
66       T cacert.pem_65        Hellenic Academic and R...                                                              bc104f15a48be709dca542a...
67       T cacert.pem_66        Actalis Authentication ...                                                              55926084ec963a64b96e2ab...
68       T cacert.pem_67                                                                                                c1b48299aba5208fe9630ac...
69       T cacert.pem_68        Buypass Class 2 Root CA                                                                 9a114025197c5bb95d94e63...
70       T cacert.pem_69        Buypass Class 3 Root CA                                                                 edf7ebbca27a2a384d387b7...
71       T cacert.pem_70        T-TeleSec GlobalRoot Cl...                                                              fd73dad31c644ff1b43bef0...
72       T cacert.pem_71        EE Certification Centre...                                                              3e84ba4342908516e77573c...
73  L    T cacert.pem_72        D-TRUST Root Class 3 CA...                                                              49e7a442acf0ea628705005...
74  L    T cacert.pem_73        D-TRUST Root Class 3 CA...                                                              eec5496b988ce98625b9340...
75       T cacert.pem_74        CA Disig Root R2                                                                        e23d4a036d7b70e9f595b14...
76  L    T cacert.pem_75        ACCVRAIZ1                  email:accv@accv.es                                           9a6ec012e1a7da9dbe34194...
77       T cacert.pem_76        TWCA Global Root CA                                                                     59769007f7685d0fcd50872...
78       T cacert.pem_77        TeliaSonera Root CA v1                                                                  dd6936fe21f8f077c123a1a...
79       T cacert.pem_78        E-Tugra Certification A...                                                              b0bfd52bb0d7d9bd92bf5d4...
80       T cacert.pem_79        T-TeleSec GlobalRoot Cl...                                                              91e2f5788d5810eba7ba587...
81       T cacert.pem_80        Atos TrustedRoot 2011                                                                   f356bea244b7a91eb35d53c...
82       T cacert.pem_81        QuoVadis Root CA 1 G3                                                                   8a866fd1b276b57e578e921...
83       T cacert.pem_82        QuoVadis Root CA 2 G3                                                                   8fe4fb0af93a4d0d67db0be...
84       T cacert.pem_83        QuoVadis Root CA 3 G3                                                                   88ef81de202eb018452e43f...
85       T cacert.pem_84        DigiCert Assured ID Roo...                                                              7d05ebb682339f8c9451ee0...
86       T cacert.pem_85        DigiCert Assured ID Roo...                                                              7e37cb8b4c47090cab36551...
87       T cacert.pem_86        DigiCert Global Root G2                                                                 cb3ccbb76031e5e0138f8dd...
88       T cacert.pem_87        DigiCert Global Root G3                                                                 31ad6648f8104138c738f39...
89       T cacert.pem_88        DigiCert Trusted Root G4                                                                552f7bdcf1a7af9e6ce6720...
90       T cacert.pem_89        COMODO RSA Certificatio...                                                              52f0e1c4e58ec629291b603...
91       T cacert.pem_90        USERTrust RSA Certifica...                                                              e793c9b02fd8aa13e21c312...
92       T cacert.pem_91        USERTrust ECC Certifica...                                                              4ff460d54b9c86dabfbcfc5...
93       T cacert.pem_92        GlobalSign                                                                              bec94911c2955676db6c0a5...
94       T cacert.pem_93        GlobalSign                                                                              179fbc148a3dd00fd24ea13...
95       T cacert.pem_94        Staat der Nederlanden R...                                                              3c4fb0b95ab8b30032f432b...
96       T cacert.pem_95        Staat der Nederlanden E...                                                              4d2491414cfe956746ec4ce...
97       T cacert.pem_96        IdenTrust Commercial Ro...                                                              5d56499be4d2e08bcfcad08...
98       T cacert.pem_97        IdenTrust Public Sector...                                                              30d0895a9a448a262091635...
99       T cacert.pem_98        Entrust Root Certificat...                                                              43df5774b03e7fef5fe40d9...
100       T cacert.pem_99        Entrust Root Certificat...                                                              02ed0eb28c14da45165c566.>
101       T cacert.pem_100       CFCA EV ROOT                                                                            5cc3d78e4e1d5e45547a04e.>
102       T cacert.pem_101       OISTE WISeKey Global Ro...                                                              6b9c08e86eb0f767cfad65c.>
103       T cacert.pem_102       SZAFIR ROOT CA2                                                                         a1339d33281a0b56e557d3d.>
104       T cacert.pem_103       Certum Trusted Network ...                                                              b676f2eddae8775cd36cb0f.>
105       T cacert.pem_104       Hellenic Academic and R...                                                              a040929a02ce53b4acf4f2f.>
106       T cacert.pem_105       Hellenic Academic and R...                                                              44b545aa8a25e65a73ca15d.>
107       T cacert.pem_106       ISRG Root X1                                                                            96bcec06264976f37460779.>
108       T cacert.pem_107                                                                                               ebc5570c29018c4d67b1aa1.>
109       T cacert.pem_108       Amazon Root CA 1                                                                        8ecde6884f3d87b1125ba31.>
110       T cacert.pem_109       Amazon Root CA 2                                                                        1ba5b2aa8c65401a8296011.>
111       T cacert.pem_110       Amazon Root CA 3                                                                        18ce6cfe7bf14e60b2e347b.>
112       T cacert.pem_111       Amazon Root CA 4                                                                        e35d28419ed02025cfa6903.>
113       T cacert.pem_112       LuxTrust Global Root 2                                                                  54455f7129c20b1447c418f.>
114       T cacert.pem_113       TUBITAK Kamu SM SSL Kok...                                                              46edc3689046d53a453fb31.>
115       T cacert.pem_114       GDCA TrustAUTH R5 ROOT                                                                  bfff8fd04433487d6a8aa60.>
116       T cacert.pem_115       TrustCor RootCert CA-1                                                                  d40e9c86cd8fe468c177695.>
117       T cacert.pem_116       TrustCor RootCert CA-2                                                                  0753e940378c1bd5e3836e3.>
118       T cacert.pem_117       TrustCor ECA-1                                                                          5a885db19c01d912c575938.>
119       T cacert.pem_118       SSL.com Root Certificat...                                                              85666a562ee0be5ce925c1d.>
120       T cacert.pem_119       SSL.com Root Certificat...                                                              3417bb06cc6007da1b961c9.>
121       T cacert.pem_120       SSL.com EV Root Certifi...                                                              2e7bf16cc22485a7bbe2aa8.>
122       T cacert.pem_121       SSL.com EV Root Certifi...                                                              22a2c1f7bded704cc1e701b.>
123       T cacert.pem_122       GlobalSign                                                                              2cabeafe37d06ca22aba739.>
124       T cacert.pem_123       OISTE WISeKey Global Ro...                                                              8560f91c3624daba9570b5f.>
125       T cacert.pem_124       GTS Root R1                                                                             2a575471e31340bc21581cb.>
126       T cacert.pem_125       GTS Root R2                                                                             c45d7bb08e6d67e62e42351.>
127       T cacert.pem_126       GTS Root R3                                                                             15d5b8774619ea7d54ce1ca.>
128       T cacert.pem_127       GTS Root R4                                                                             71cca5391f9e794b0480253.>
129       T cacert.pem_128       UCA Global G2 Root                                                                      9bea11c976fe014764c1be5.>
130       T cacert.pem_129       UCA Extended Validation...                                                              d43af9b35473755c9684fc0.>
131  L    T cacert.pem_130       Certigna Root CA                                                                        d48d3d23eedb50a459e5519.>
132       T cacert.pem_131       emSign Root CA - G1                                                                     40f6af0346a99aa1cd1d555.>
133       T cacert.pem_132       emSign ECC Root CA - G3                                                                 86a1ecba089c4a8d3bbe273.>
134       T cacert.pem_133       emSign Root CA - C1                                                                     125609aa301da0a249b97a8.>
135       T cacert.pem_134       emSign ECC Root CA - C3                                                                 bc4d809b15189d78db3e1d8.>
136       T cacert.pem_135       Hongkong Post Root CA 3                                                                 5a2fc03f0c83b090bbfa406.>
137       T cacert.pem_136       Entrust Root Certificat...                                                              db3517d1f6732a2d5ab97c5.>

sindy · Wed Jun 10, 2020 11:28 am

Open https://dns.google/dns-query in a browser. You'll get a 400 Bad Request, but that doesn't matter, there will be the padlock icon next to the url, click it and get to the certificate details to see the root CA certificate which signs the server one (the exact steps depend on browser).

The above is only true unless you have a spyware (antivirus) installed on your PC, which performs MITM attacks to all TLS traffic so that it could inspect the contents you download for malware.

Jotne · Wed Jun 10, 2020 11:45 am

Trail and error gave me the second certificate installed is the only needed one.

Name: cacert.pem_1
Issuer: OU=GlobalSign Root CA - R2,O=GlobalSign,CN=GlobalSign

frank333 · Wed Jun 10, 2020 12:55 pm

I'm using the script and it works well, I've imported global certificates and tested several DoH servers but you always get an error as a response.
I set the scheduling every minute and had the results written on an external sacrificial MMC card, not to fry the tik flash.

sindy · Wed Jun 10, 2020 1:03 pm

When mentioning frying the flash, I had in mind the basic 6.47 which some users reports to generate thousands of sector writes without an apparent reason, not writing the fetched file to a flash - on my SOHO devices, files are stored in RAM unless you explicitly place them to flash.

I don't understand what you mean by "works well" and "you always get an error" in the same sentence, can you elaborate?

Urajmal · Wed Jun 10, 2020 2:11 pm

For those who have DoH configured with CloudFlare, does first test ""Secure DNS" shows to you as a green?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks

frank333 · Wed Jun 10, 2020 2:15 pm

I thought the result file was written on mikrotik's hdd, so I moved it to the external MMC.

Schermata del 2020-06-10 12.54.41.png

The script always populates the mikrotik DNS cache even when the DOH cloudflare fails.
For the query response errors I thought about this .

Schermata del 2020-06-10 13.00.40.png

xvo · Wed Jun 10, 2020 2:52 pm

For those who have DoH configured with CloudFlare, does first test ""Secure DNS" shows to you as a green?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks

Yes.

Urajmal · Wed Jun 10, 2020 3:26 pm

For those who have DoH configured with CloudFlare, does first test ""Secure DNS" shows to you as a green?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks
Yes.

Have problem with that, I followed the nromis manuals, and I am unable to get First test green. Any recommendations? What should I have in DNS - Static, what should I have DHCP Server - Networks - DNS Servers?

xvo · Wed Jun 10, 2020 3:49 pm

What should I have in DNS - Static

Nothing if you use https://1.1.1.1/dns-query as DoH Server.

Or /ip dns static add address=1.1.1.1 name=cloudflare-dns.com
if you use https://cloudflare-dns.com/dns-query

what should I have DHCP Server - Networks - DNS Servers?

Your router's IP

Also make sure, that you don't have any dynamic servers.

frank333 · Wed Jun 10, 2020 4:02 pm

on linux to control the dns i do this, reboot the connection and control with nmcli device show myinterface | grep IP4

Urajmal · Thu Jun 11, 2020 12:15 am

What should I have in DNS - Static
Nothing if you use https://1.1.1.1/dns-query as DoH Server.

Or /ip dns static add address=1.1.1.1 name=cloudflare-dns.com
if you use https://cloudflare-dns.com/dns-query

what should I have DHCP Server - Networks - DNS Servers?
Your router's IP

Also make sure, that you don't have any dynamic servers.

Thanks! Have been tried all sorts of combinations. I am unable to get "Secure DNS" to green.
Will be following this thread to see if there are any with the same situation.

And will be try to configure on brand new RB4011.

Pea · Thu Jun 11, 2020 12:34 am

Is your client really using your router as DNS?

hendra · Thu Jun 11, 2020 3:22 am

can you ping the DoH server?
maybe this is the problem.
or maybe my router is to old lol
the cpu gets down when i disable the nat for transparent dns.
and what is the meaning of this warning logs ?
Code: Select all
may/27 01:04:34 dns,warning DoH max concurrent queries reached, ignoring query 

dns,error DoH server connection error: remote disconnected while in HTTP exchange

any solution ?

Jotne · Thu Jun 11, 2020 8:13 am

For those who have DoH configured with CloudFlare, does first test ""Secure DNS" shows to you as a green?

https://www.cloudflare.com/ssl/encrypted-sni/

Thanks

Yes.

You need the certificate, check by type: /certificate print detail

Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 0       T name="DigiCertGlobalRootCA.crt.pem_0" issuer=C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA digest-algorithm=sha1 
           key-type=rsa country="US" organization="DigiCert Inc" unit="www.digicert.com" common-name="DigiCert Global Root CA" key-size=2048 
           subject-alt-name="" days-valid=9131 trusted=yes key-usage=digital-signature,key-cert-sign,crl-sign 
           serial-number="083BE056904246B1A1756AC95991C74A" fingerprint="4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161" 
           akid=03de503556d14cbb66f0a3e21b1bc397b23dd155 skid=03de503556d14cbb66f0a3e21b1bc397b23dd155 invalid-before=nov/10/2006 02:00:00 
           invalid-after=nov/10/2031 02:00:00 expires-after=595w3d18h49m37s

Then set the DNS on your router to:

/ip dns set servers="" use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

DCHP should point DNS to your router. So on your PC ipconfig /all

DNS Servers . . . . . . . . . . . : 192.168.88.1

mozerd · Thu Jun 11, 2020 8:54 pm

None of my Apple gear works when DoH is enabled .... All apple gear is wireless ..... all windows gear works with DoH.
I have not determined why the Apple Gear is not working with DoH .... will do that on another day ...

Jotne · Thu Jun 11, 2020 10:51 pm

Maybe that apple use a fixed IP like Chrome cast use 8.8.8.8 and not the DNS it gets from the DHCP.
This can be fixed by redirect all request to port 53 to your DNS server. Then Chrome Cast and other stupid devices that does not follow normal regulation will still work.

frank333 · Fri Jun 12, 2020 12:28 am

so ?

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53

put in front of all the rules ?
192.168.88.1 is ip of router mikrotik

hendra · Fri Jun 12, 2020 10:56 pm

sometimes after a few hours i got this log " DoH server conncetion error iddle timeout" any clue for this ?

msatter · Fri Jun 12, 2020 11:17 pm

I don't know but have a look at the first posting in this thread.

Lebzul · Sat Jun 13, 2020 4:18 pm

Is it normal to have lots of RAM consumption by using this?

hendra · Sun Jun 14, 2020 4:20 am

any clue for this "DoH Server connection error : ssl handshake timeout" ?

slimprize · Sun Jun 14, 2020 8:40 am

Hi all,
Does anyone know the URL to download the certificate for opendns? I am getting dns resolution errors.
I tried
https://support.opendns.com/hc/en-us/ar ... evelopers-
No go though the certificate was imported successfully.

frank333 · Sun Jun 14, 2020 9:40 am

slimprize.
that's what I do . in the PEM download section.

Schermata del 2020-06-14 08.31.14.png

msatter · Sun Jun 14, 2020 11:53 am

You click.

mozerd · Sun Jun 14, 2020 2:12 pm

Not sure why Mikrotik never implimeneted DoT and went for DoH. Routers are tools to implement and include to network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers

@BlackFate
Leave DoH for the browsers is 100% on the mark !

mozerd · Sun Jun 14, 2020 2:19 pm

Maybe that apple use a fixed IP like Chrome cast use 8.8.8.8 and not the DNS it gets from the DHCP.
This can be fixed by redirect all request to port 53 to your DNS server. Then Chrome Cast and other stupid devices that does not follow normal regulation will still work.

@Jotne
All my Apple devices use DHCP and get their DNS from 'either' based on appropriateness. Safari just hangs. Chrome is fine.
I'll just forget DoH on the Router and use DoH enabled on the Chromium Browser -- works great.

slimprize · Sun Jun 14, 2020 5:20 pm

slimprize.
that's what I do . in the PEM download section.
Schermata del 2020-06-14 08.31.14.png

PL] frank333, your screen shot is not clear. Could you please describe the procedure from the commandline interface? Do all certificates need to be in pem format? I seemed to have imported the one correctly from opendns.

[pranav1@ConShield] /certificate> print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
# NAME COM.. SUBJECT-ALT-NAME FIN..
0 T Cis.. Cis.. 203..

Pranav

Mon Jun 15, 2020 8:21 am

Not sure why Mikrotik never implimeneted DoT and went for DoH. Routers are tools to implement and include to network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers
@BlackFate
Leave DoH for the browsers is 100% on the mark !

Not all internet traffic is from the browser. Not all devices have browsers.

msatter · Mon Jun 15, 2020 10:25 am

Not sure why Mikrotik never implimeneted DoT and went for DoH. Routers are tools to implement and include to network designs. It makes absolutely no sense to pick DoH over DoT in routers. Leave DoH for the browsers
@BlackFate
Leave DoH for the browsers is 100% on the mark !
Not all internet traffic is from the browser. Not all devices have browsers.

Then why is TCP port 443 used and not a specific port for this kind of traffic? DoT is using TCP/853 and can be blocked without having to bring long lists of addresses to block.

DoH is a aggressive way of resolving and not at home in network that is administered in a normal way. And should be used in situation where a normal network administration is not present.

Mon Jun 15, 2020 10:54 am

Exactly!
DoH can be used in countries where governments enforce filtering of news and such. This is why it's popular, I guess.

frank333 · Mon Jun 15, 2020 11:08 am

In my opinion, doh is the first example of how much mikrotik cares about the safety of its users and other initiatives in this direction are welcome.
The only thing I can reproach are the problems I had using the firmware 6.47 and the lack of possibility to use other dns besides cloudflare.

Mon Jun 15, 2020 11:10 am

You can use any DoH service, not just Cloudflare. You can use Google or others. There is a list of public DoH servers you can use:
https://dnsprivacy.org/wiki/display/DP/ ... +Resolvers

frank333 · Mon Jun 15, 2020 11:18 am

yes normis, I wanted to say this that I tried, but in addition to having problems with continuous writing on the nand with v6.47 I still can not enable the verification of certificates in addition to that of cloudflare, also can not yet enter a second doh server that acts as failover.

msatter · Mon Jun 15, 2020 11:47 am

Exactly!
DoH can be used in countries where governments enforce filtering of news and such. This is why it's popular, I guess.

Is Latvia such a country?

The popularity is due to indoctrination by the big firms wanting to follow you where ever you go. You always sent your IP address with your request.

The opposite of what want you to archieve is happening here. See it as the Facebook pixel or hidden script on all the sites for a long time. You told Facebook which sites you visited.

It belongs in browsers and not in routers or other network devices.

Mon Jun 15, 2020 11:58 am

Latvia is not such a country, but these requests come from such countries.
Don't mix other topics into this. One doesn't have to be a FB user to want DoH. People still want to read News, but some places deny this access. Such user can set up DoH in his home router and not worry about somebody intercepting DNS requests for browsing or any other internet traffic.

msatter · Mon Jun 15, 2020 1:56 pm

I did not mixed things, I compared to it.

"See it as the Facebook pixel...."

Mon Jun 15, 2020 1:57 pm

There is no relation. You can set your router to forward all traffic to your OWN DNS over HTTPs server in another country.

msatter · Mon Jun 15, 2020 3:23 pm

Yes you can, but how many will do that!?

Mon Jun 15, 2020 3:25 pm

Look at the crazy amount of questions on this forum. DoH is really popular. A lot of regimes nowadays filter content. People started to use 8.8.8.8 as DNS, but that got blocked. So now people ask for DoH. This is what it's for basically.

I will not get political. We just make what users ask for (sometimes).

archerious · Mon Jun 15, 2020 4:40 pm

Follow these steps exactly:

./ip dns set servers=1.1.1.1,1.0.0.1
./system ntp client set enabled=yes server-dns-names=time.cloudflare.com
./tool fetch url=https://curl.haxx.se/ca/cacert.pem
./certificate import file-name=cacert.pem passphrase=""
./ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
./ip dns set servers=""

Does this work for ipv6?

eworm · Mon Jun 15, 2020 4:44 pm

Does this work for ipv6?

You could try this address:

https://[2606:4700:4700::1111]/dns-query

But others reported it does not. Have not tried it myself.

msatter · Mon Jun 15, 2020 6:21 pm

Look at the crazy amount of questions on this forum. DoH is really popular. A lot of regimes nowadays filter content. People started to use 8.8.8.8 as DNS, but that got blocked. So now people ask for DoH. This is what it's for basically.

I will not get political. We just make what users ask for (sometimes).

And so it came full circle.

archerious · Tue Jun 16, 2020 7:46 am

sometimes after a few hours i got this log " DoH server conncetion error iddle timeout" any clue for this ?

Same issue, I usually just ignore it as DNS seems to work fine.

shunkica · Wed Jun 17, 2020 9:56 am

DoH is not only for countries with content filtering...
All governments do surveillance on their citizens, and your ISP could be selling your data as well.
And when it comes to it, I would rather Cloudflare have my data than my shitty government/ISP.

Jotne · Wed Jun 17, 2020 10:05 am

And when it comes to it, I would rather Cloudflare have my data than my shitty government/ISP.

Maybe that the people here that do no like DoH DoT are ISP them self

inteq · Wed Jun 17, 2020 10:14 am

In my opinion, doh is the first example of how much mikrotik cares about the safety of its users and other initiatives in this direction are welcome.

Don't be fooled into thinking DoH provides any "safety" for users.
I mean don't do stupid stuff online just because you have DoH enabled then act surprised when caught.

Wed Jun 17, 2020 10:23 am

DoH just moves your concerns from the ISP/Government to the DoH service provider. It all just depends on who you trust more.

msatter · Wed Jun 17, 2020 10:51 am

And when it comes to it, I would rather Cloudflare have my data than my shitty government/ISP.
Maybe that the people here that do no like DoH DoT are ISP them self

Why should DoT be wrong? As an ISP or as concerned parents of a family you can enforce not using DoT.

Wed Jun 17, 2020 11:01 am

I just hope you can try and see the other side of the coin. It was discussed enough times above. There are many reasons not to trust the ISP.

Jotne · Wed Jun 17, 2020 11:02 am

DoH just moves your concerns from the ISP/Government to the DoH service provider. It all just depends on who you trust more.

Its a huge difference. I can choose between someone I know and some I do not know. How many can see my DNS request, I do not now, but with DoH I have some clue.

Wed Jun 17, 2020 11:06 am

Like I already said, you can set up your own DOH server in a trusted country with a trusted ISP and then configure DOH client in the country where you don't feel safe.

msatter · Wed Jun 17, 2020 12:06 pm

I just hope you can try and see the other side of the coin. It was discussed enough times above. There are many reasons not to trust the ISP.

There are also many reasons to not trust anyone with your private data.

That is why I do it myself and ask the authorative directly. The Dutch government does not like it when you do that through a VPN provider. I have to use the DoT server of my ISP for those specific domains.

slimprize · Wed Jun 17, 2020 4:13 pm

Hi all,

Has anyone gotten opendns's doh server to work?

As I said above I tried but was getting resolution errors despite importing the certificate.

Sob · Wed Jun 17, 2020 5:10 pm

Sure. Quick and simple (and unsecure *) way:

/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem
/ip dns set use-doh-server=https://doh.opendns.com/dns-query verify-doh-cert=yes

(*) The problem is that fetch does not verify certificate, and even though there is an option for it, it won't work when there's no root certificate on router. Chicken and egg problem. So better download the file using browser and upload it to router.

slimprize · Thu Jun 18, 2020 4:40 am

@Sob,
Many many thanks. I have DNS over https working. Website lookups are slow so I am not sure if I will keep this configuration. I want to though so lets see.

Pranav

frank333 · Thu Jun 18, 2020 11:13 am

slimprice,
cloudflare has the fastest dns, then there is google, and all the other .Open dns here at my place is very slow.

kd2pm2 · Fri Jun 19, 2020 5:35 pm

Anyone else getting this? Seems that if its time to get an updated cert file...it cant. Its a chicken/egg scenario where it cant get the info to do the fetch to update the cert. Easy fix is to just add in another dns entry like 1.1.1.1 and immediately DNS query works, it grabs does the fetch and then all is good. I can take out the 1.1.1.1 until once again it gets caught in the loop trying to query but it cant...

dns error.jpg

hendra · Fri Jun 19, 2020 5:38 pm

Anyone else getting this? Seems that if its time to get an updated cert file...it cant. Its a chicken/egg scenario where it cant get the info to do the fetch to update the cert. Easy fix is to just add in another dns entry like 1.1.1.1 and immediately DNS query works, it grabs does the fetch and then all is good. I can take out the 1.1.1.1 until once again it gets caught in the loop trying to query but it cant...

dns error.jpg

how to solve this ?

frank333 · Fri Jun 19, 2020 6:06 pm

try to follow this holy man's guidance,
https://jcutrer.com/howto/networking/mi ... over-https

msatter · Fri Jun 19, 2020 8:08 pm

In the Holy book you see, Normis, only Google and Cloudflace is being mentioned.

As I predicted.

kd2pm2 · Fri Jun 19, 2020 8:11 pm

try to follow this holy man's guidance,
https://jcutrer.com/howto/networking/mi ... over-https

Seems pretty close to what I have already done. I may have to go back to plan "B" and make the URL 1.1.1.1 instead of cloudflare-dns.com

kd2pm2 · Fri Jun 19, 2020 10:12 pm

So here is my current DNS config. When I reboot the RB2011 it goes into infinity with handshake failures. Its trying to validate the CRL's but yet, it should already have it in certificates memory as being valid. I suspect that the certificates setting needs to be changed to perhaps not download the CRL or even use the CRL? Also not sure if the CRL store should be RAM or System. In order to fix the problem I did have to add DNS server 1.1.1.1 to my settings .

From what I can tell, a reboot invalidates the CRL's and the router needs to go back out and validate all of them. If you do a /system certificates and you check the CRL tab, all of those CRL's are red. So you are stuck until validation takes place and they go black on the screen and then the DNS server will start caching entries.

So I am kinda lost here as to how it really should be set up so that a reboot does not force me to log in manually to add a DNS entry of 1.1.1.1 just to download/validate what I have in my router all the time.

 /ip dns print
                      servers: 
              dynamic-servers: 
               use-doh-server: https://1.1.1.2/dns-query
              verify-doh-cert: yes
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 500
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 3d
                   cache-used: 30KiB

dns_error_2.jpg

Above shows the errors immediately after the RB2011 reboot

dns_error_3.jpg

Above shows the updates to the files once I add DNS 1.1.1.1 as a server.

Pea · Fri Jun 19, 2020 10:35 pm

remove all those certificates and use just this one:

/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=””

kd2pm2 · Fri Jun 19, 2020 10:49 pm

remove all those certificates and use just this one:
Code: Select all
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=””

I did and there is no CRL and I am still logging the same DNS error

DoH server connection error: SSL: handshake failed: unable to get certificate CRL (6)

kd2pm2 · Fri Jun 19, 2020 10:51 pm

I believe I have to go back and get the PEM file for Cloudflare-DNS and load that back in as well...I believe one cant work without the other

kd2pm2 · Fri Jun 19, 2020 11:10 pm

I believe I have to go back and get the PEM file for Cloudflare-DNS and load that back in as well...I believe one cant work without the other

So its definitely an issue on a reboot that if you dont have a standard DNS server like 1.1.1.1 assigned as well as the DOH server....the DOH cannot and will not allow itself to validate the CRL's and thus it has to use the 1.1.1.1 to get those downloaded and then the DOH appears to be happy.

It also appears to me that you do need the cloudflare-dns.com and DigiCert Global Root CA certs for things to behave...if not, it continues to log DOH server errors.

floaty · Sat Jun 20, 2020 12:45 am

.

I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address?

.
same experience here:
using the avail v4 adresses gives warnings (maybe a google by-the-side-sausage ??)
... seems there's loadbalancing inbetween, which is fetching "dns.google" [or any of the alternate names ... because the pure ip servers do NOT]
.
question: what would be issue with local static translation ?
.
## update ##... dns64.dns.google is not working ... guess thats for v6
.

[admin@tikki] > ping www.cisco.com
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: could not get answer from dns server
                                                                      (1 messages discarded)
23:29:09 echo: dns,warning <html lang=en>
23:29:09 echo: dns,warning   <meta charset=utf-8>
23:29:09 echo: dns,warning   <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
23:29:09 echo: dns,warning   <title>Error 404 (Not Found)!!1</title>
23:29:09 echo: dns,warning   <style>
23:29:09 echo: dns,warning     *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:
180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-
decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/g
ooglelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/go
oglelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:u
23:29:09 echo: dns,warning rl(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:ur
l(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
23:29:09 echo: dns,warning   </style>
23:29:09 echo: dns,warning   <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
23:29:09 echo: dns,warning   <p><b>404.</b> <ins>That\E2\80\99s an error.</ins>
23:29:09 echo: dns,warning   <p>The requested URL <code>/dns-query</code> was not found on this server.  <ins>That\E2\80\99s all we know.</ins>
23:29:09 echo: dns,warning
[admin@tikki] >

.

ggl.PNG

msatter · Sat Jun 20, 2020 3:13 am

dns64.dns.google can't be resolved to a IP address:

;; AUTHORITY SECTION:
dns.google.             48      IN      SOA     ns1.zdns.google. dns-admin.google.com. 2684358593 21600 3600 1209600 300

floaty · Sat Jun 20, 2020 12:35 pm

.
not v4 ... right
.

foo@pike:~# dig -x 2001:4860:4860::64

; <<>> DiG 9.10.3-P4-Debian <<>> -x 2001:4860:4860::64
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35978
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;4.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
4.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa. 21598 IN PTR dns64.dns.google.

;; Query time: 43 msec
;; SERVER: 192.168.100.10#53(192.168.100.10)
;; WHEN: Sat Jun 20 11:32:24 CEST 2020
;; MSG SIZE  rcvd: 131

foo@pike:~#

Flextro · Sun Jun 21, 2020 12:27 pm

I'm using DoH with 1.1.1.1 server and RB3011 with ROS 6.47 about a week.
Since this morning i have problem with 1.1.1.1:
I got only "12:15:40 dns,error DoH server connection error: SSL: internal error (6)" message. I try'd 9.9.9.9 and it's works fine (still)
Don't know: this is issue with my ISP, CF or Mikrotik

capy2008 · Sun Jun 21, 2020 8:16 pm

I get this error. Anybody have any idea how I fix it?

/tool fetch url="https://curl.haxx.se/ca/cacert.pem"
failure: unable to resolve hostname

I fix it but i unable to make doh work. I still see isp dns in torch.

MEJAKUmputer · Wed Jul 15, 2020 2:33 pm

My DoH setting

/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=cacert.pem passphrase=””
/ip dns set servers=""
/ip dns set use-doh-server=https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes

/ip firewall filter
add action=accept chain=input src-port=443 protocol=tcp src-address-list=Cloudflare-DNS
add action=accept chain=input dst-port=53 in-interface=!ether1-wan protocol=udp
add action=drop chain=input

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether2-lan protocol=tcp to-addresses=192.168.68.1 to-ports=53

I added 2 static DNS entries for family.cloudflare-dns.com to address: 104.18.209.237 and 104.18.210.237.
Also added 104.18.209.237 and 104.18.210.237 to address list named Cloudflare-DNS
And 192.168.68.1 is gateway for Ether 2

Everything works well, but did i miss something in my settings? I need your opinion.

DarkNate · Thu Jul 16, 2020 4:26 pm

What ports does RouterOS use for DoH?

Stricly TCP 443 only?

Seems in some cases port 53, 853 is used: https://en.wikipedia.org/wiki/DNS_over_ ... _scenarios

proximus · Fri Jul 17, 2020 12:26 am

I added 2 static DNS entries for family.cloudflare-dns.com to address: 104.18.209.237 and 104.18.210.237.

You would probably be better off using the Anycast addresses 1.1.1.3 and 1.0.0.3. That way, if CF ever changes those specific servers, you won't be out of service.

I use the 1.1.1.2 / 1.0.0.2 security.cloudflare-dns.com static DNS entries and it is fine.

MEJAKUmputer · Tue Jul 21, 2020 1:59 pm

I added 2 static DNS entries for family.cloudflare-dns.com to address: 104.18.209.237 and 104.18.210.237.
You would probably be better off using the Anycast addresses 1.1.1.3 and 1.0.0.3. That way, if CF ever changes those specific servers, you won't be out of service.

I use the 1.1.1.2 / 1.0.0.2 security.cloudflare-dns.com static DNS entries and it is fine.

What if i just add 1.1.1.3 and 1.0.0.3 as family.cloudflare-dns.com static DNS entries, so i have four static DNS entries for family.cloudflare-dns.com (104.18.209.237, 104.18.210.237, 1.1.1.3, 1.0.0.3)? It's fine?

Guscht · Tue Jul 21, 2020 11:57 pm

What ports does RouterOS use for DoH?

Stricly TCP 443 only?

Seems in some cases port 53, 853 is used: https://en.wikipedia.org/wiki/DNS_over_ ... _scenarios

I think you missunderstand the concept. In your LAN, the clients query your edge router as DNS-resolver unencrypted via port 53.
The outgoing DNS query from your router to the public DoH-DNS server is encrypted and sent via port 443.
The public DoH-DNS resolves the query itself unencrypted via port 53 (or via TLS over port 853).

This means DoH is no real end-to-end encryption. But it is a security benefit over all.
So yes, the DoH part uses strictly port 443.

arrazib · Thu Jul 30, 2020 9:23 pm

Dear Concern,
I have successfully configured the system. It is showing me Verify that DoH is enabled and working. When I am torching WAN interface it is not showing me 1.1.1.1:443(http) rather showing me 1.1.1.1:53(dns). I dont know why it is happening. Is it any config error? Please let me know what to do if I want to solve the issue.

arrazib · Fri Jul 31, 2020 12:02 pm

I have successfully configured the system. It is showing me Verify that DoH is enabled and working. When I am torching WAN interface it is not showing me 1.1.1.1:443(http) rather showing me 1.1.1.1:53(dns). I dont know why it is happening. Is it any config error? Please let me know what to do if I want to solve the issue.

vishvas · Tue Aug 11, 2020 7:54 pm

Dear All
has anybody tested IPV6 DNS over HTTPS?

DarkNate · Sun Aug 16, 2020 3:04 pm

@normis

ROS keeps trying to use WAN1 for DoH even though WAN1 is down/disabled and WAN2 is active and reachable. Normal DNS works fine, only DoH keeps trying WAN1 even if the interface itself is manually disabled.

Steps to reproduce the bug
1. ISP 1 with Route distance 1
2. ISP 2 with Route distance 2
3. Disable ISP 1 or turn off the uplink device to simulate an unreachable state
4. Check the log and you'll see DoH refuses to use ISP 2 no matter what

DarkNate · Sun Aug 16, 2020 3:05 pm

Dear All
has anybody tested IPV6 DNS over HTTPS?

It seems to be working already as per the connection tracking in the firewall on IPv6, I can see DoH traffic to Cloudflare initiated by the client devices using advertised DNS from RouterOS.

fsgrbv · Sun Aug 16, 2020 9:56 pm

Dear All
has anybody tested IPV6 DNS over HTTPS?

Yes. I've tested with:

/ip dns set use-doh-server=https://dns64.cloudflare-dns.com/dns-query verify-doh-cert=yes

Unfortunately, It does not work.

Even though ipv6 works OK.

[admin@MikroTik] > put [resolve dns64.cloudflare-dns.com]
2606:4700:4700::64
[admin@MikroTik] > ping 2606:4700:4700::64      
  SEQ HOST                                     SIZE TTL TIME  STATUS                                         
    0 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    1 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    2 2606:4700:4700::64                         56  61 23ms  echo reply                                     
    sent=3 received=3 packet-loss=0% min-rtt=23ms avg-rtt=23ms max-rtt=24ms

IPv4 DoH (

/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

) works OK too.

DarkNate · Mon Aug 17, 2020 10:56 pm

Dear All
has anybody tested IPV6 DNS over HTTPS?

Yes. I've tested with:

/ip dns set use-doh-server=https://dns64.cloudflare-dns.com/dns-query verify-doh-cert=yes

Unfortunately, It does not work.

Even though ipv6 works OK.

[admin@MikroTik] > put [resolve dns64.cloudflare-dns.com]
2606:4700:4700::64
[admin@MikroTik] > ping 2606:4700:4700::64      
  SEQ HOST                                     SIZE TTL TIME  STATUS                                         
    0 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    1 2606:4700:4700::64                         56  61 24ms  echo reply                                     
    2 2606:4700:4700::64                         56  61 23ms  echo reply                                     
    sent=3 received=3 packet-loss=0% min-rtt=23ms avg-rtt=23ms max-rtt=24ms

IPv4 DoH (

/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

) works OK too.

dns64.cloudflare-dns.com is for NAT64 networks. In most cases ISPs give native IPv6 with CGNATted IPv4 or public IPv4.

https://cloudflare-dns.com/dns-query would be the correct one to use, it works for both IPv4 and native IPv6.

Tubeorange667 · Tue Aug 18, 2020 10:13 am

I got everything working with nextdns. Here is what i did.
make sure you change <id> for your config id): for Example if your id is "99b212" you can give .... /ip dns set use-doh-server=https://dns.nextdns.io/99b212 verify-doh-cert=yes
if you want to display the device name just add it in the last after putting "/" like this ... /ip dns set use-doh-server=https://dns.nextdns.io/99b212/mikrotik


tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
/ip dns set servers=
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
/ip dns set use-doh-server=“https://dns.nextdns.io/<id>” verify-doh-cert=yes

Untitled-1.jpg

Pea · Tue Aug 18, 2020 10:38 am

Why do you import all 138 CA certificates? Isn't it better do import only the one needed?

Tubeorange667 · Tue Aug 18, 2020 11:00 am

Why do you import all 138 CA certificates? Isn't it better do import only the one needed?

I did not find anything specific in the certificate list which points to "nextdns". so i imported all. How can i find the one which is used by nextdns?

Pea · Tue Aug 18, 2020 11:04 am

Just try with this one:

Tubeorange667 · Tue Aug 18, 2020 12:07 pm

I am not finding anything like that in the certificates list. I tried to remove everything except the name 'digicert". But thats not working. it does not starts with this name. its something else.

nrgch · Mon Sep 21, 2020 9:53 pm

Is it possible, that i'm getting "DoH server connection error: Idle timeout - waiting data" because i'm using two different ISPs at the same time on one PC with two ethernet adapters and two different routers and they don't know anything about each other?
2nd router is not Mikrotik and it's not logging any problems about DoH.
Other than that log message i'm not having any problems with internet connectivity, whether it is any router separately or both at the same time. Both are configured properly for using DoH.
I'm just curious about that log message, nothing more. Everything's working just fine.
Thanks.

IYARINDRA · Mon Oct 12, 2020 11:20 am

Any guide for Google DoH settings ?

### Google DoH
/ip dns set servers=8.8.8.8,8.8.4.4
/system ntp client set enabled=yes primary-ntp=time.google.com
/tool fetch url=https://pki.goog/roots.pem
/certificate import file-name=roots.pem passphrase=""
/ip dns set use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns set allow-remote-requests=yes cache-max-ttl=1d use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip dns set servers=""

### Script for certfificates update
/system script add dont-require-permissions=no name=Certificate_Google policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/tool fetch url=https://pki.goog/roots.pem\r\n/certificate import file-name=roots.pem passphrase=\"\""

### Script for DNS cache flush
/system script add dont-require-permissions=no name=DNS_Flush_Cache policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip dns cache flush"

### Schedule to update google certificate once a week 
/system scheduler add comment="Google Certificate Update" interval=1w name=Certificate_Google_Update on-event=Certificate_Google policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/06/2019 start-time=05:20:00

### Schedule to flush dns cache everyday
/system scheduler add comment="DoH Cache Flush" interval=1d name="DNS Cache Flush" on-event=DNS_Flush_Cache policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/06/2019 start-time=05:30:00

DarkNate · Mon Oct 12, 2020 4:32 pm

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.

DoH on ROS was and still is broken.

hendra · Sun Oct 18, 2020 10:36 am

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.

DoH on ROS was and still is broken.

can u tell me the step to do this?

DarkNate · Sun Oct 18, 2020 12:45 pm

I ditched ROS DoH completely and replaced it with Cloudflared binary + Pi-Hole now DoH works 100% of the time with zero errors. Zero problems whatsoever.

DoH on ROS was and still is broken.
can u tell me the step to do this?

https://docs.pi-hole.net/main/prerequisites/

https://docs.pi-hole.net/guides/dns-over-https/

anav · Sun Oct 18, 2020 5:34 pm

Hi Darknate,
I am interested in how you added the pi-hole to the MT Router for this functionality.
Is it on its own subnet for example.
How do you point users to pi-hole.
How do you point pi-hole to the external servers you wish to use
What firewall rules are germane to the setup for the pihole and users
What DNS rules are germane to the setup for the pihole and users.

In other words, configuring the pi-hole may be the easy part.
I tried using pi-hole once, and the family got upset real fast when it worked in broken fashion or not at all and I couldnt afford to play at it anylonger.
So looking for the config snippets for all pi-hole related entries, and a schematic to show the concept of how it fits into the network

DarkNate · Sun Oct 18, 2020 10:05 pm

Hi Darknate,
I am interested in how you added the pi-hole to the MT Router for this functionality.
Is it on its own subnet for example.
How do you point users to pi-hole.
How do you point pi-hole to the external servers you wish to use
What firewall rules are germane to the setup for the pihole and users
What DNS rules are germane to the setup for the pihole and users.

In other words, configuring the pi-hole may be the easy part.
I tried using pi-hole once, and the family got upset real fast when it worked in broken fashion or not at all and I couldnt afford to play at it anylonger.
So looking for the config snippets for all pi-hole related entries, and a schematic to show the concept of how it fits into the network

I give the Pi a static IP via IP>DHCP>Leases.
Inside IP>DHCP>Networks, simply insert said static IP into the DNS field for that particular DHCP server/network. Clients will automatically grab it.

You don't need to manually IPv6 Link-local. LAN devices will send and receive AAAA just fine over the IPv4 local subnet via Pi-Hole. As long as the Pi-Hole has proper IPv6 config straight from SLAAC/RADVD from the Tik and can reach external IPv6 servers.
The end.

The rest is in the official Pi-Hole config. As stated, I use cloudflared binary+Pi-Hole which I already linked above.

anav · Mon Oct 19, 2020 1:13 am

So if I put the pi-hole on its own VLAN
give it a fixed IP.
I then put that IP address for each of my vlan dhcp-server-network entries?
Do I need firewall rules to allow the pi-hole anything specific on teh input chain?
Do I need firewall rules to allow users from all other vlans to the pi-hole vlan in the forward chain?
If pi-hole isnt working then how will the user then get service (simply put in a second DNS entry there of 1.1.1.1 ) for example assuming order is important and works.

DarkNate · Mon Oct 19, 2020 1:51 am

So if I put the pi-hole on its own VLAN
give it a fixed IP.
I then put that IP address for each of my vlan dhcp-server-network entries?
Do I need firewall rules to allow the pi-hole anything specific on teh input chain?
Do I need firewall rules to allow users from all other vlans to the pi-hole vlan in the forward chain?
If pi-hole isnt working then how will the user then get service (simply put in a second DNS entry there of 1.1.1.1 ) for example assuming order is important and works.

I haven't used VLANs, can't help you there.
Default firewall rules are enough for bridge config. The order makes no difference from my testing, not on MikroTik at least in regards to DNS IPs inside the DHCP server. The point is to ensure Pi-Hole is stable for 24/7 use.

maxslug · Sun Nov 15, 2020 11:31 pm

Thanks IYARINDRA, I switched over to Google's DOH server and used your scripts.

patrickmkt · Wed Nov 18, 2020 9:36 pm

Has someone figure out how to get proper CRL download while using DoH?

I am still having the "DoH sever connection error: SSL: handshake failed: unable to get certificate CRL"

storrgie · Fri Dec 04, 2020 2:29 am

Follow these steps exactly:

./ip dns set servers=1.1.1.1,1.0.0.1
./system ntp client set enabled=yes server-dns-names=time.cloudflare.com
./tool fetch url=https://curl.haxx.se/ca/cacert.pem
./certificate import file-name=cacert.pem passphrase=""
./ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
./ip dns set servers=""

Are you aware of a way to do this that doesn't import over 100 certificates?

Sorry, rephrase, I don't think that in 7b1,7b2,7b3 that this has worked. With all of these certificates, verification won't work.

Sob · Fri Dec 04, 2020 2:53 am

Are you aware of a way to do this that doesn't import over 100 certificates?

This one is enough: https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem

Edit: It doesn't work for me with v7 either (v6 works fine).

storrgie · Fri Dec 04, 2020 4:10 pm

Edit: It doesn't work for me with v7 either (v6 works fine).

Right, wanted Normis to see this.

silencio · Thu Dec 17, 2020 1:43 pm

any tutorial for cleanbrowsing? I tried all the scripts and none of them worked for me. I have no way to enable DoH.

Thank you very much in advance. Best regards.

bitomaxsp · Fri Jan 22, 2021 1:46 pm

Follow these steps exactly:

./ip dns set servers=1.1.1.1,1.0.0.1
./system ntp client set enabled=yes server-dns-names=time.cloudflare.com
./tool fetch url=https://curl.haxx.se/ca/cacert.pem
./certificate import file-name=cacert.pem passphrase=""
./ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
./ip dns set servers=""

These steps are correct. But i had and issue where i had Use Peer DNS and Use Peer NTP set. Please check that those are unchecked. Otherwise router will use peer (provider in my case) DNS and NTP (this influence certificate check)

jr0dd · Sat Feb 13, 2021 8:59 pm

I'm constantly getting my logs flooded with max concurrent queries. I have increased max-concurrent-queries and max-concurrent-tcp-sessions, but still get the errors. Any suggestions would be greatly appreciated.

log
10:47:56 dns,warning DoH max concurrent queries reached, ignoring query

dns settings

[admin@RB3011UiAS] > ip dns print
                      servers: 
              dynamic-servers: 
               use-doh-server: https://1.1.1.1/dns-query
              verify-doh-cert: yes
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 250
  max-concurrent-tcp-sessions: 100
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 460KiB

msatter · Sat Feb 13, 2021 9:17 pm

Decrease maximum concurrent queries. It limits, so TCP can keep up.

Note · Tue Feb 16, 2021 3:17 pm

Im still looking for a fix, for.............."doh server connection error network is unreachable" issue.

Any news? Im on 6.47.8 stable.

Note · Wed Feb 24, 2021 10:11 am

I did a workaround that works great the last few days with 0 disconnections. I do not know if it is a coincidence, thats why i share my configuration, so u can all test it. The changes are that i changed the queries to 200, the sessions to 50 and i set the name to regexp in static dns entry.

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=200
max-concurrent-tcp-sessions=50 servers=1.1.1.1,1.0.0.1
use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 regexp=cloudflare-dns
add address=104.16.249.249 regexp=cloudflare-dns

Check here after..................... https://1.1.1.1/help

AlexanderWhite · Wed May 12, 2021 6:19 pm

Hey there,
I've tried to figure out what shall I do to make mikrotik work with DoH OpenDNS service.
They say we shall use next two IP addresses as DoH servers - 208.67.222.222 and 208.67.220.220
But, if we check their certificate with
echo | openssl s_client -showcerts -servername doh.familyshield.opendns.com -connect doh.opendns.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
we'll see the next alternative names:
X509v3 Subject Alternative Name:
DNS:doh.opendns.com, IP Address:146.112.41.2, IP Address:2620:119:FC:0:0:0:0:2, DNS:doh.familyshield.opendns.com, IP Address:146.112.41.3, IP Address:2620:119:FC:0:0:0:0:3, DNS:doh.sandbox.opendns.com, IP Address:146.112.41.4, IP Address:2620:119:FC:0:0:0:0:4, DNS:doh.umbrella.com, IP Address:146.112.41.5, IP Address:2620:119:FC:0:0:0:0:5

So, I supposed that the problem with "DoH server connection error: SSL internel error" come from the fact that they haven't added their addresses (208.67.222.222 and 208.67.220.220) to the certificate. And when I configured my mikrotik to use the next url - https://146.112.41.2/dns-query
everything started to work.

Am I right or I am right ? :)

Ishtiaque · Tue Jun 29, 2021 1:34 am

Follow these steps exactly:

./ip dns set servers=1.1.1.1,1.0.0.1
./system ntp client set enabled=yes server-dns-names=time.cloudflare.com
./tool fetch url=https://curl.haxx.se/ca/cacert.pem
./certificate import file-name=cacert.pem passphrase=""
./ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
./ip dns set servers=""

Certificate Import not supporting ..........
cannot find host name ............
its error all over :D

ccnnorthcali · Wed Jul 14, 2021 10:24 pm

Certificate Import not supporting ..........
cannot find host name ............
its error all over :D

use /tool fetch url=https://curl.se/ca/cacert.pem and it should work

swa69er · Sat Sep 18, 2021 6:09 pm

what is the difference between
1 certificate
https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem

100000 certificate

https://curl.haxx.se/ca/cacert.pem

I have 3 router using only 1
but 1 other is not working so I have to use 100+ cert

Ishtiaque · Sun Sep 19, 2021 5:32 pm

Certificate Import not supporting ..........
cannot find host name ............
its error all over
use /tool fetch url=https://curl.se/ca/cacert.pem and it should work

Yes
and Thanks Dude its great and worked for me

vatokale · Mon Sep 27, 2021 9:47 pm

does https://8.8.8.8/dns-query or https://8.8.4.4/dns-query work as a direct doh server?

Ishtiaque · Sat Oct 02, 2021 11:32 pm

does https://8.8.8.8/dns-query or https://8.8.4.4/dns-query work as a direct doh server?

yas

DoubleDB · Tue Oct 05, 2021 9:47 am

Okay... has anything been done about the total instability of DoH ?
My DNS completely disappears every 15-20 minutes. Tried everything I could think of - nothing helped......

Jotne · Tue Oct 05, 2021 10:01 pm

Have you tried another DoH provider?

Ishtiaque · Wed Oct 06, 2021 12:13 am

Okay... has anything been done about the total instability of DoH ?
My DNS completely disappears every 15-20 minutes. Tried everything I could think of - nothing helped......

Please post your DOH config
you can upload imager or
configuration script in text ...

tommix · Sat Jan 01, 2022 1:55 am

Created account just to tell how pathetic MikroTik looks. Please look at ASUS routers how it should be done. RouterOS is not OS it's a notepad...where you have to do all the programming and scripting... It's sad to see how people strugiling to get shit done in Mikrotik. I was looking for new router..was thinking about Mikrotik, im from Lithuania, Latvia is neighbor... it's good to support neighbor but god damn.. this os SUCKS! People spending their LIFE on looking for fixed, hacks and pathes to get such BASIC features!
Very crappy implementation! Stupid to download certificates, stupid to not have few DNS options if one fails (thei never fail, routerOS only fails).... RouterOS is a mess. I was reading many many forums and post and i dont want to hve anything to do with it. If os dont have BASIC features..how can anyone trust anything more complicated?

own3r1138 · Sun Jan 02, 2022 8:31 pm

ASUS

lol

own3r1138 · Sun Jan 02, 2022 8:33 pm

Okay... has anything been done about the total instability of DoH ?
My DNS completely disappears every 15-20 minutes. Tried everything I could think of - nothing helped......

Did you set an NTP Client?

Mairis · Mon Feb 07, 2022 3:42 pm

RouterOS 7.1.1
----------------------
## copy Certificate from Internet
/tool fetch url=https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem
## add Certificate to Mikrotik
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=””
## verify [optional] *winbox gui >> System/Certificate
/certificate print
## Add Cloudflare DoH
/ip dns set use-doh-server=https://1.0.0.1/dns-query verify-doh-cert=yes
## disable static DNS servers
/ip dns set servers=""
## delete DNS cache [optional]
/ip dns/ cache/ flush
--------------------------------------------------------------------------------------------------------------------------
--- [Check what have you done] ----
https://1.1.1.1/help (Using DNS over HTTPS (DoH) - Yes)
*winbox gui >> Log (Verify for errors...)

mke · Fri Mar 04, 2022 8:05 am

DoH working for me in 7.2rc4. Things I discovered troubleshooting what may or may not have been issues:

Cloudflare's test at https://1.1.1.1/help only tells you if you are using Cloudflare's own DoH, same with NextDNS test at https://test.nextdns.io.

Simplest way to test is torch your wan interface to see if requests are going via https to relevant 4 or 6 dns IPs, eg 1.1.1.1, 8.8.8.8 etc

I believe I had better luck importing the certificates I needed individually rather than the whole mozilla bundle, although I wasn't scientific about this and I don't see why it would make a difference. The ones I used for testing different providers were:

https://pki.goog/repo/certs/gtsr1.pem #google (all 4 required)
https://pki.goog/repo/certs/gtsr2.pem
https://pki.goog/repo/certs/gtsr3.pem
https://pki.goog/repo/certs/gtsr4.pem
https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem # cloudflare / quad9
https://search.censys.io/certificates/4 ... a9ad7a/pem #nextdns

Not sure why but I think sntp helps, or at least I seemed to have less issues after adding the client? In Ros7 the command is different to what is listed earlier in this thread.

Make sure to disable any peer DNS on DHCP clients.

Eg working config for cloudflare:

/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

/system ntp client set enabled=yes servers=time.cloudflare.com

/ip dns set servers=""

/ip dns static add name=cloudflare-dns.com address=1.1.1.1
/ip dns static add name=cloudflare-dns.com address=1.0.0.1
/ip dns static add name=cloudflare-dns.com address=2606:4700:4700::1111
/ip dns static add name=cloudflare-dns.com address=2606:4700:4700::1001

/ip dns set verify-doh-cert=yes use-doh-server=https://cloudflare-dns.com/dns-query

/ip dhcp-client set 0 use-peer-dns=no
/ipv6 dhcp-client set 0 use-peer-dns=no

evbocharov · Sat Mar 05, 2022 8:36 am

rb4011 - Ros 7.1.3 and 7.2rc4
If use config by mke kernel panic.
Conf by Mairis - OK, but not all correct.
Make a new conf

## Static DNS servers - must be for resolve the DoH hostname
/ip dns set servers=1.1.1.1

## copy Certificate from Internet
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem

## add Certificate to Mikrotik
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

## Add Cloudflare DoH
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

## delete DNS cache 
/ip dns/ cache/ flush

##Check in your browser:
https://www.cloudflare.com/ssl/encrypted-sni/

Anybody know config for a Mullvad?
Thank you

madgrok · Sat Jun 04, 2022 2:32 pm

I'm constantly getting my logs flooded with max concurrent queries. I have increased max-concurrent-queries and max-concurrent-tcp-sessions, but still get the errors. Any suggestions would be greatly appreciated.

log
10:47:56 dns,warning DoH max concurrent queries reached, ignoring query

dns settings
Code: Select all
[admin@RB3011UiAS] > ip dns print
                      servers: 
              dynamic-servers: 
               use-doh-server: https://1.1.1.1/dns-query
              verify-doh-cert: yes
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 250
  max-concurrent-tcp-sessions: 100
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 460KiB

Do you use domain names in your address list? If the list is large, RoS will send many requests to the DNS server until it has processed the entire list of domains.

P.S. English is not my native language, so please be kind to my mistakes. )

marcelofares · Fri Jun 10, 2022 5:38 pm

I have the same problem but using OPENDNS as my DNS server

I'm these rules for OPENDNS - https://<CENSORED>/mikrotik-dns-over-https-doh.html

Any tips to resolve this?

rextended · Fri Jun 10, 2022 6:02 pm

@marcelofares your published url it's just to make money with other advertising?

marcelofares · Fri Jun 10, 2022 6:56 pm

Here is the correct Url from which I followed the steps for deploying OPEN DNS over DOH:
https://<CENSORED>/mikrotik-dns-over-https-doh.html

rextended · Fri Jun 10, 2022 7:05 pm

Again?

Want to give me a Gift ?
PayPal paypal.me/dfghdfghd
Saweria saweria.co/dfghdfghdfgh
Bitcoin asdfasdfasdfa

Publish the resulting script, not the URL or the AD...

marcelofares · Fri Jun 10, 2022 7:08 pm

This is the configuration that I used for OPENDNS.
It's exactly the print screen of the censored site:

rextended · Fri Jun 10, 2022 7:15 pm

And on your System / Certificates what is present?

marcelofares · Fri Jun 10, 2022 7:22 pm

Just this certificate:

rextended · Fri Jun 10, 2022 7:29 pm

Is the same Cert for Cloudflare https://1.1.1.1/dns-query

Test changing the string to https://208.67.222.222/dns-query

marcelofares · Fri Jun 10, 2022 9:34 pm

Is the same Cert for Cloudflare https://1.1.1.1/dns-query

Test changing the string to https://208.67.222.222/dns-query

I think it solved. The errors logging stopped appearing. I just really hope I'm using DOH.

rextended · Fri Jun 10, 2022 9:59 pm

You simply change DNS to IP?

marcelofares · Fri Jun 10, 2022 11:11 pm

You simply change DNS to IP?

The errors that were generated by the logging decreased, but I just received this alert by email.
Would it have something to do with Hotspot?

Znevna · Fri Jun 10, 2022 11:49 pm

Until Docker support will be back so that you can run a decent DoH client, I'd say to stay away from using it and run your DNS on another box with AdGuardHome or whatever.
Less headaches.

own3r1138 · Sat Jun 11, 2022 12:41 am

@Znevna
DOH is working fine.

2022-06-11_02-05-26.jpg

marcelofares · Sat Jun 11, 2022 2:33 am

Is there anything I can do to resolve this issue?

own3r1138 · Sat Jun 11, 2022 4:27 am

@marcelofares
Try to import the complete chain of trust (Root, Intermediates) certificates needed for the HTTPS communication with your DOH server.

2022-06-11_05-28-01.jpg

CLI

/certificate settings
set crl-download=yes crl-store=system crl-use=yes
/ip dns
set allow-remote-requests=yes use-doh-server="https://doh.opendns.com/dns-query" verify-doh-cert=yes
/ip dns static
add address=146.112.41.2 name=doh.opendns.com
add address=2620:119:fc::2 name=doh.opendns.com type=AAAA
/system clock
set time-zone-name=" "
/system logging
add prefix=DNS---> topics=dns,!packet
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com

DOH servers

IP Address=146.112.41.2
DNS Name=doh.opendns.com
IP Address=2620:0119:00fc:0000:0000:0000:0000:0002
DNS Name=doh.familyshield.opendns.com
IP Address=146.112.41.3
IP Address=2620:0119:00fc:0000:0000:0000:0000:0003
DNS Name=doh.sandbox.opendns.com
IP Address=146.112.41.4
IP Address=2620:0119:00fc:0000:0000:0000:0000:0004
DNS Name=doh.umbrella.com
IP Address=146.112.41.5
IP Address=2620:0119:00fc:0000:0000:0000:0000:0005

Cisco OpenDNS certificates chain of trust

doh-opendns-com-chain.zip

Walkthrough Mozi://a
Virustotal scan of attachments

marcelofares · Sat Jun 11, 2022 1:11 pm

I saw that you did not configure the Cisco DNS servers in this attached field. Is it necessary to configure or is it optional?
I'll test your tip above anyway and let you know

own3r1138 · Sat Jun 11, 2022 2:00 pm

@marcelofares
I added the static A/AAAA records required for "https://doh.opendns.com" it should resolve the name query without any future requirements. When both DNS and DOH are configured DOH has a higher priority than DNS. However, I would recommend a typical DNS server too.

marcelofares · Sat Jun 11, 2022 5:41 pm

@marcelofares
I added the static A/AAAA records required for "https://doh.opendns.com" it should resolve the name query without any future requirements. When both DNS and DOH are configured DOH has a higher priority than DNS. However, I would recommend a typical DNS server too.

Your configuration is working 100%
Only two things I wanted to point out.

1 - The CISCO OPENDNS certificate has only 380 days of validity, and my concern is to know, how to renew after it expires?

2 - I didn't add any static AAAA IPV6 entries because we don't use this protocol, just IPV4 and everything is working this way.

3 - When using DOH, is it necessary to create a rule in the filter table of the Firewall, to prevent someone from trying to consult another DNS server? As we already do with queries on UDP and TCP ports 53.

Sob · Sat Jun 11, 2022 6:44 pm

You shouldn't need intermediate certificates, they are sent by server. And no, you can't easily block other DoH servers, because they use port 443, same as https used by web. So you can block it, but you'll basically block most of what users see as internet.

marcelofares · Sat Jun 11, 2022 6:54 pm

You shouldn't need intermediate certificates, they are sent by server. And no, you can't easily block other DoH servers, because they use port 443, same as https used by web. So you can block it, but you'll basically block most of what users see as internet.

You mean if I enable DOH on my network, but someone smarter tries to change their workstation's default DNS, they'll be able to change their queries to another DNS server? If so, from a security point of view, this is terrible.

Znevna · Sat Jun 11, 2022 7:03 pm

That's what DoH (and others similar) was created for, so you don't spy/track/hijack your clients DNS requests.

Sob · Sat Jun 11, 2022 7:10 pm

Exactly, that's what happens, action and reaction, too many people were sticking their noses in someone else's DNS queries, so someone else came up with solution that prevents it (DoH).

marcelofares · Sat Jun 11, 2022 7:32 pm

That's what DoH (and others similar) was created for, so you don't spy/track/hijack your clients DNS requests.

Yes, that's exactly what DOH is used for, to avoid spying on the vulnerable DNS protocol itself, however, at the same time that DOH avoids this, someone connecting within my local network can change the DNS on their computer local to another, and exit, and skip the filter control. I mean filtering via DNS with OPENDNS or other servers that provide content filtering and blocking, do you understand this point? That's why I asked if there is any way to prevent someone from within your local network from changing the name resolutions of your default DNS server to another with DOH, in order to bypass the default DNS server filter defined on the router.

Znevna · Sat Jun 11, 2022 7:40 pm

Yes, you move around the house with a baseball bat and stare angry at intruders that dare to bypass your restrictions.
Or you stop relying on DNS alone as a content filter solution.

inteq · Sat Jun 11, 2022 7:47 pm

That's what DoH (and others similar) was created for, so you don't spy/track/hijack your clients DNS requests.

While at the same time most DoH "supporters" use cloudflare, google and Co servers. The mothers of all spies.
DoH is a stupid idea.