MikroTik

Hi guys,

I am running a RB5009 with 7.11.2 RouterOS. This is my current DNS server using the internal DNS server provided by Mikrotik.

I decided to move to DoH in order to secure my DNS queries and all was going well at the beginning, using https://1.1.1.1/dns-query as main DoH Server.

A couple of days later, I saw some errors in my docker containers running in a Synology NAS. Some containers failed to resolve an internal static DNS set in Mikrotik (server.lan). This hostname points to 192.168.1.25 and it was working like a charm until I activated DoH.

As far as I discovered, these containers are using IPV6 DNS queries somehow and before activating DoH Mikrotik was able to resolve that static hostname but it can not once I set DoH.

I did a test setting a TYPE AAAA entry in static to the same 192.168.1.25 and it worked but it does nt have any sense because Mikrotik could resolve this before without it.

Do you know what could happen? Could be a bug activating DoH?

Regards

Nobody has idea?

Yes:
You haven't read the manual,
or if you have, you've only done so superficially,
or you haven't read it a second time to find out why you think it doesn't work as expected.

From the manual:
RouterOS prioritizes DoH over the DNS server if both are configured on the device.

BTH is only in RouterOS BETA versions for now. 7.11.2 is not a beta

BTH is only in RouterOS BETA versions for now.
7.11.2 is not a beta

Sorry, what???

Posted in the wrong browser tab Ignore my message

wrong browser tab

Too much work!!!

Yes:
You haven't read the manual,
or if you have, you've only done so superficially,
or you haven't read it a second time to find out why you think it doesn't work as expected.

From the manual:
RouterOS prioritizes DoH over the DNS server if both are configured on the device.

DoH is priorized, that is clear but it is not related with my issue as far as i can understand. I mean If I use DNS for upstream, IPV6 DNS queries can resolve the DNS local entries TYPE A in my static table but If I activate DoH for upstream...same static domains can not be resolved, only if I set a new TYPE AAAA entry pointing to the IPV4.

Case you metioned is when you have DoH and DNS upstream at the same time, isn´t it? That is not my case, I only use static DNS table in Mikrotik.

Hi,

Hi guys, it was working like a charm until I activated DoH.

coincidence?
if "disable-ipv6: no"
try setting AAAA to a local IPv6 address (server.lan ... fe80:: ...)
then it will make sense
or set disable-ipv6: yes

I tried it.

Nothing changes having IPV6 enabled or disabled. Same behaviour.

As far as I can see some containers are launching DNS with IPV6 format since the beginning. Until I have not had DoH activated, MIkrotik DNS could resolve those queries with a simple TYPE A record in the static entries.Once activated DoH, same IPV6 DNS queries do not resolve.

Rare...no idea.

You still not understand what is present on the manual...

From the manual:
RouterOS prioritizes DoH over the DNS server if both are configured on the device.

So, if you are not able to not understand that,
server.lan is not present on DoH server, so you can not solve it because
RouterOS prioritizes DoH over the DNS server if both are configured on the device.
and also because server.lan is not a valid DNS domain inside signed DoH.

Hi mate,

That would have sense but I do not agree with yout approach. Take this line into account from my initial post (if you have read it):

I did a test setting a TYPE AAAA entry in static to the same 192.168.1.25 and it worked but it does nt have any sense because Mikrotik could resolve this before without it.

So local DNS is working somehow with DoH activated but only with TYPE AAAA records.

Regards

It's your time, do as you please.

It's your time, do as you please.

As i understand there are no other configured DNS servers, only DoH.
Clearly static DNS entries should be prioritized over DoH or other (non-local) DNS servers (otherwise there is no point in having static DNS). And indeed that is the case.

internal static DNS set in Mikrotik (server.lan)

what type of static entry do you use? According to https://help.mikrotik.com/docs/display/ROS/DNS DoH is not compatible with FWD.

It's your time, do as you please.

As i understand there are no other configured DNS servers, only DoH.
Clearly static DNS entries should be prioritized over DoH or other (non-local) DNS servers (otherwise there is no point in having static DNS). And indeed that is the case.

This was my point of view what i tried to explain. In fact, this line in the documentation confirms that static DNS is working with DoH activated:

Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamical or static DNS server configured, add a static DNS entry for the DoH server domain name like this:

internal static DNS set in Mikrotik (server.lan)

https://help.mikrotik.com/docs/display/ROS/DNS [/url] DoH is not compatible with FWD.

A simple TYPE A pointing to 192.168.1.25.

Instead of this, using DoH, creating TYPE AAAA register pointed to the same IPV4: 192.168.1.25 works perfectly. No sense. This behaviour obligates to duplicate all static entries in the LAN with TYPE AAAA which is not a good idea...

/system logging
add topics=dns

and look at the logs

/system logging
add topics=dns

and look at the logs

Really good idea.

As far as I saw at the logs:

1.- DoH activated

Router receives DNS query in TYPE AAAA (IPV6) so it returns "error"

2.- DNS activated (no DoH)

Router receives DNS query in TYPE A (IPV4) so it returns "no error" and the segment with DNS resolution data correctly.

It is quite "rare" because the containers which are launching those queries should not know about which option is activated in routeros (DoH or DNS) due to they have a DNS server configured to the Router IP. How can they change the query from TYPE A to TYPE AAAA depending on DoH or DNS activated?. Maybe something wrong in Mikrotik side processing DNS requests?

If I don’t like how some functionality works or the lack of it in MT, I add, for example, Raspberry Pi.
For example, for DNS I use DoT on RPI and send legacy MT DNS queries to it.

If I don’t like how some functionality works or the lack of it in MT, I add, for example, Raspberry Pi.
For example, for DNS I use DoT on RPI and send legacy MT DNS queries to it.

That is something I was thinking. Maybe DoH is not the best solution in Mikrotik now.