How has been your experience with DoH?

Posted: Fri Nov 10, 2023 5:37 am
by yuripg1
How has your experience with DoH been? (I mean in versions prior to 7.12, since there have been some reports of problems in this version)

I did perform quite a few tests with it in the 7.11.* versions and the thing that bothered me the most was that it seemed to do all the connection shenanigans for just a single DNS query. I mean, it would establish the TCP connection, exchange the keys for TLS and all, then do what seemed to be a single DNS query over HTTPS (obviously I can't determine it exactly because the traffic is encrypted) and then immediately close the connection (FIN/ACK/etc packets). This wasn't in any synthetic scenario of a single query. This was while opening regular websites and having to resolve a bunch of DNS names at the same time. Nothing out of the ordinary.

Given this, I experienced some annoyances and some downright problems. By "annoyances", I mean poorer overall "network efficiency" and increased latency in DNS queries, and by "problems" I mean some DNS providers with support for DoH (like Google) would very often not reply to my (very frequent) TCP SYN packets in the majority of DNS requests. With Cloudflare, those TCP SYN drops were very rare though. Here, I can only speculate that Google could be rate limiting me (and I don't blame them - if I were a DNS provider with DoH, I would also rate limit clients which open new connections for every single query instead of reusing already established ones). But, to be clear, I can only speculate about some of those behaviours based on what I could observe by sniffing packets. I can't confirm Google's nor Cloudflare's behaviour. For all I know, it could be my ISP selectively dropping packets (though it would look odd), but I also have no clear evidence of that.

Can't the established connection be reused within a few seconds, at least, for subsequent DNS queries? It's crazy to think that a DNS query goes from an exchange of 2 packets over UDP to an exchange of more than a dozen packets over TCP.

Do you guys experience any of that?

P.S.: Yes, I observed this behaviour both with the default DNS/DoH parameters as well as after appropriately (to the best of my knowledge) tweaking them. I observed the problems I described while not having any error/warning logs related to connection limits, query limits, etc.

P.S. 2: Also, yes, I know this is not a given, and that it is complex to develop such a solution. Alongside the code complexity, there are also repercussions on memory usage on all kinds of devices which need to be taken into consideration. But perhaps just hearing something along the lines of "we're evaluating it" or "we are aware of it and thinking about what can be done" or "we're working on a solution already" would be awesome.
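The behaviour described in this post (a fresh TCP handshake and TLS session per lookup, plus SYNs that go unanswered) can be quantified from a packet capture summary. The following is an added example, not from the thread or from RouterOS: the packet records are constructed to mirror the description above (resolver labels "google-doh" and "cloudflare-doh" are made up), and a real run would feed it rows exported from a sniffer.

```python
from collections import defaultdict
from statistics import median

# Constructed packet summary (not captured data): (seconds, resolver, src_port, direction, flag).
# "out" = router -> resolver:443, "in" = resolver -> router. One short-lived connection per
# lookup, and two SYNs towards "google-doh" that never receive a SYN-ACK.
PACKETS = [
    (0.00, "google-doh", 50001, "out", "SYN"), (0.02, "google-doh", 50001, "in", "SYN-ACK"),
    (0.30, "google-doh", 50001, "out", "FIN"),
    (0.05, "google-doh", 50002, "out", "SYN"),                      # never answered
    (0.10, "google-doh", 50003, "out", "SYN"), (0.12, "google-doh", 50003, "in", "SYN-ACK"),
    (0.35, "google-doh", 50003, "out", "FIN"),
    (0.20, "google-doh", 50004, "out", "SYN"),                      # never answered
    (0.00, "cloudflare-doh", 50010, "out", "SYN"), (0.01, "cloudflare-doh", 50010, "in", "SYN-ACK"),
    (0.28, "cloudflare-doh", 50010, "out", "FIN"),
    (0.04, "cloudflare-doh", 50011, "out", "SYN"), (0.05, "cloudflare-doh", 50011, "in", "SYN-ACK"),
    (0.31, "cloudflare-doh", 50011, "out", "FIN"),
    (0.09, "cloudflare-doh", 50012, "out", "SYN"), (0.10, "cloudflare-doh", 50012, "in", "SYN-ACK"),
    (0.36, "cloudflare-doh", 50012, "out", "FIN"),
]

def connection_report(packets, window=5.0):
    """Per resolver: SYNs sent, SYNs never answered, completed handshakes, median
    connection lifetime, and the largest number of new connections opened within
    `window` seconds. A max-per-window above 1 means connections are not reused."""
    conns = {}
    for t, resolver, sport, direction, flag in sorted(packets):
        key = (resolver, sport)
        if direction == "out" and flag == "SYN":
            conns[key] = {"resolver": resolver, "est": None, "fin": None}
        elif key in conns and direction == "in" and flag == "SYN-ACK":
            conns[key]["est"] = t
        elif key in conns and flag == "FIN" and conns[key]["fin"] is None:
            conns[key]["fin"] = t                  # first FIN from either side ends the connection
    by_resolver = defaultdict(list)
    for c in conns.values():
        by_resolver[c["resolver"]].append(c)
    report = {}
    for resolver, cs in by_resolver.items():
        established = sorted(c["est"] for c in cs if c["est"] is not None)
        lifetimes = [c["fin"] - c["est"] for c in cs if c["est"] is not None and c["fin"] is not None]
        burst = max((sum(1 for e in established if s <= e < s + window) for s in established), default=0)
        report[resolver] = {
            "syn_sent": len(cs),
            "syn_unanswered": sum(1 for c in cs if c["est"] is None),
            "connections": len(established),
            "median_lifetime_s": round(median(lifetimes), 3) if lifetimes else None,
            "max_new_conns_per_window": burst,
        }
    return report
```

Running it on the constructed data reports 2 of 4 SYNs unanswered for "google-doh" and sub-second connection lifetimes for both resolvers, which is the pattern the post describes.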

Re: How has been your experience with DoH?

Posted: Fri Nov 10, 2023 10:01 am
by normis
I use nextDNS and Cloudflare, have not seen any issues. Try other providers and see, maybe it's just google

Re: How has been your experience with DoH?

Posted: Fri Nov 10, 2023 10:06 am
by Miguelin
> I use nextDNS and Cloudflare, have not seen any issues. Try other providers and see, maybe it's just google
Same here, good experience with Cloudflare. I was evaluating nextDNS. What about it @normis?

I imagine you are subscribed for unlimited queries. 300.000/month are not enough taking into account all IoT devices. I thought about putting AdGuard or something like that in the middle, but "too much architecture".

Regards

Re: How has been your experience with DoH?

Posted: Fri Nov 10, 2023 10:10 am
by normis
I also have PiHole in my home network. The PiHole uses the router as "upstream DNS". RouterOS has DoH

So what happens is

1. computer asks PiHole for DNS info
2. pihole answers from cache ... if no cache, only then asks router
3. router asks DoH server

This reduces the load to the DoH. You can run PiHole in container or elsewhere

Re: How has been your experience with DoH?

Posted: Fri Nov 10, 2023 10:23 am
by Miguelin
> I also have PiHole in my home network. The PiHole uses the router as "upstream DNS". RouterOS has DoH
>
> So what happens is
>
> 1. computer asks PiHole for DNS info
> 2. pihole answers from cache ... if no cache, only then asks router
> 3. router asks DoH server
>
> This reduces the load to the DoH. You can run PiHole in container or elsewhere

That was my idea exactly. I am running AdGuard in my LAN. It is my "default" internal DNS for all devices and AdGuard has the Mikrotik as Upstream which has configured DoH with Cloudflare. The point is to change that Cloudflare with nextDNS which I do not know if it can impact in performance or other problems inherited from using this model.

Re: How has been your experience with DoH?

Posted: Fri Nov 10, 2023 10:27 am
by normis
In my experience cloudflare is fastest and most reliable. I use their "family" address, that also blocks some stuff, that maybe pihole could miss
https://family.cloudflare-dns.com/dns-query

Re: How has been your experience with DoH?

Posted: Fri Nov 10, 2023 10:37 am
by Miguelin
> In my experience cloudflare is fastest and most reliable. I use their "family" address, that also blocks some stuff, that maybe pihole could miss
> https://family.cloudflare-dns.com/dns-query

So you have device > PiHole (with lists) > Cloudflare or NextDNS as DoH?

Re: How has been your experience with DoH?

Posted: Fri Nov 10, 2023 12:34 pm
by normis
yes

Re: How has been your experience with DoH?

Posted: Fri Nov 10, 2023 1:39 pm
by yuripg1
So, reusing established connections in DoH is not in the plans for RouterOS for the near future, then?

Even though I can have a "passable" experience using Cloudflare's service (the unanswered TCP SYNs are very rare, as I mentioned previously), the increased latency/poorer efficiency and the need to limit myself to DNS providers which are fine with my router's behaviour (of using a new connection for each DNS query) are not worth the gains in privacy and reliability (which theoretically would come with the usage of TCP, barring situations like the one I described) for me at the moment. But I understand that everyone has different weights/priorities in different scenarios.

Also, please don't take it as me somewhat bashing RouterOS. I'm only curious to know if any improvements are being considered in the roadmap.

Re: How has been your experience with DoH?

Posted: Fri Nov 10, 2023 2:37 pm
by eworm
I use DoH and I am mostly happy. Still want to send a notice here: Things should improve a lot when DoH is used with HTTP/3 (also named DNS-over-QUIC). In this case transport is not via TCP but UDP, ruling out some potential issues. Please implement... 😜

Re: How has been your experience with DoH?

Posted: Mon Feb 12, 2024 11:12 am
by infabo
Today I found out by accident that ROS supports DoT. Just use a "tls://" prefixed URL for "use-doh-server".
/ip/dns/set use-doh-server="tls://dns.nextdns.io"

Re: How has been your experience with DoH?

Posted: Mon Feb 12, 2024 11:38 am
by Maggiore81
A lot of things are not in the docs.
Since 7.13 I need to uncheck the checkbox to verify the certificate, otherwise no DoH works.

Re: How has been your experience with DoH?

Posted: Mon Feb 12, 2024 11:40 am
by infabo
I even verified with sniffer. There are egress packets with dst-port 853.

Re: How has been your experience with DoH?

Posted: Mon Feb 12, 2024 6:44 pm
by Jotne
> A lot of things are not in the docs.
> Since 7.13 I need to uncheck the checkbox to verify the certificate, otherwise no DoH works.

As far as I have learned, you should never uncheck the certificate. There are other problems if that does not work.
I got here since I did get lots of DoH server connection error: Idle timeout - connecting using https://dns.nextdns.io/xxxxx
And the DNS was unstable.

Changed to Cloudflare and now DoH works fine:
https://gist.github.com/M0r13n/4142018e ... c6de31614c

But after the DoH is set up, should or need I remove the default 1.1.1.1 DNS?

Re: How has been your experience with DoH?

Posted: Mon Feb 12, 2024 6:49 pm
by Maggiore81
Well I use Cloudflare, since 7.13 it worked perfectly. Now it cannot verify the certificate.
I tried to reimport the certificate to no avail.
No trusted certificate found.
I don't know how to resolve it.

edit:

/tool fetch https://cacerts.digicert.com/DigiCertGl ... G2.crt.pem
/certificate import file-name=DigiCertGlobalRootG2.crt.pem passphrase=""

It works now with 1.1.1.1

Re: How has been your experience with DoH?

Posted: Mon Feb 12, 2024 8:25 pm
by homerouter
Certificate download can be a little difficult.
What I do:
Disable my local firewall like Kaspersky or whatever you use, it can filter out all scripts and more...
I use Firefox, open: https://security.cloudflare-dns.com/dns-query
Press CTRL+I -> Security -> View Certificate
Download the PEM of the "DigiCertGlobalRootG2" (not the chain)

More info, there are 3 different options for DNS filters: https://developers.cloudflare.com/1.1.1.1/setup/

For me this has worked stably for a long time on my MT. (I have tested others too, Cloudflare was faster and most stable compared with e.g. Quad9...)

Re: How has been your experience with DoH?

Posted: Tue Feb 13, 2024 12:20 pm
by normis
There is definitely no DoT support. The field just happens to accept whatever protocol you wrote there, even "test://" and what you saw in the sniffer is probably some other device that supports DoT.