Mikrotik DoH Timeout and Loss of DNS
Hello,
I have a new RB5009G Mikrotik router and having a number of issues with DNS working properly. If I switch to Cloudflare DoH or Google DoH then not timeouts or dns failures. when ND is working it is amazing, but I am finding that more and more I am getting super slow lookups (noticable in the browser) or sites timing out with no dns.
Attached is the logs, and my dns settings. You can see I maxed out the local caching to help, but when ND pukes it clears the cache locally and locks all machines up.
-
-
Please try with lower concurrent queries/tcp stream in the settings (less than 1000) and a shorter timeout (5-10s).
-
NextDNS I started with 1000 queries as that is the default and it immediatelly started to tmeout and max query replies. I also have the imeout set at 2seconds already, in the screenshot you see it is set to 2.000 (that is seconds) and that max is set to 5000.00 (seconds)
https://nextdns.io/diag/280fe770-c571-11ec-a2b9-2bb78f449e39
-
-
Thats the thing, they are like that on default and we see issues,i tried various values also and its not helping, also as other say, putting some other dns like cloudflare, no issues.
-
Can you please send a https://nextdns.io/diag
-
I also dont understand the config for mikrotik, there is no failover here, mikrotik will return first one in order, so even if one fails it want failback to other dns like this, maybe this is problem we are facing?
-
So i was talking to some people and they confirmed it to me, they way its set via static entries is wrong and it wont failover properly.I removed now static entires and entered DNS servers directly in Servers:
-
Ivica Škarec I found that when I do this it is not using DoH rather plain DNS. I noticed on the NextDNS logs page that it was showing a lower and lower % of encrypted dns this way.
-
David McDougal I have 3 accounts and 15 mikrotik routers, all show 100% encrpyted DNS. Make sure you delete static records and flush cache after you make this changes, it works properly 100%
-
-
Was also seeing this the other day, almost non stop timeouts. Had to use alternative server for a while.
Then did a ping to servers... 300ms and 100ms... initially timing out.
A traceroute shows the conn going all the way to italy for some reason! Im in South America btw.
GG and CF servers in the 20 to ms range.
EDIT: Contacting my ISP to ask about routing.
-
Chris Minor change, can see secondary sever drop to around 80ms. Better, but not great.
Have tried trace and pings from another ISP here, and see different routes being picked.
One is going over to the US and the other is connecting to local PIT. This make a big difference. 10ms vs 150ms!
Any idea how/who I an reach out to find out why? Or just random DNS RR shenanigans?
-
-
260ms is for 45.90.28.0
80ms is for 45.90.30.0
-
Are we able to hardcode the low latency servers into router settings?
-
Routes changed for dns1, 45.90.28.0.... straight to local PIT.
Down to 30ms now!
Dns2, 45.90.30.0 still at 80ms.
