MikroTik DNS-over-HTTPS via CloudFlare
Nikita Tarikin <nikita@tarikin.com>
RouterOS 6.47 has just been released with a great new feature: DNS-over-HTTPS (DoH).
MikroTik can now protect your online activity by encrypting your DNS traffic.
"DNS over HTTPS is a protocol for performing remote Domain Name System resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver." (Wikipedia)
This script switches your MikroTik router to Cloudflare's DNS-over-HTTPS (DoH) servers and sets up a transparent DNS proxy, so that all unencrypted UDP port 53 traffic from your LAN is redirected to the router and resolved over DoH.
Apply this script on your test router with default configuration first!
Download the DigiCert Global Root CA certificate
/tool fetch https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem check-certificate=no
The router has no trusted CA installed yet, so this download cannot be certificate-checked (check-certificate=no). The full script below compensates by only accepting a certificate whose SHA-256 fingerprint matches the pinned value of the DigiCert Global Root CA, which is the root the script trusts for verify-doh-cert=yes.
Install DigiCert Root CA certificate
/certificate import file-name="DigiCertGlobalRootCA.crt.pem" passphrase="" name="DigiCertGlobalRootCA.crt.pem"
Change DNS servers (clear the plain-text servers and point the resolver at Cloudflare's DoH endpoint)
/ip dns set servers=
/ip dns set use-doh-server="https://1.1.1.1/dns-query" verify-doh-cert=yes
Transparently redirect all DNS queries from your LAN to the router, which resolves them over DoH. Put this rule at the top of the dstnat chain. It only works when the router answers DNS for clients (allow-remote-requests=yes), which the full script checks before adding the rule.
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect
Full script
## CloudFlare DNS-over-HTTPS DoH script
## Apply this script on your default configuration LAB router first
## RouterOS 6.47++
## Credits Nikita Tarikin nikita@tarikin.com
## 03.06.2020

# Check for valid installed certificate.
# The whole block is skipped when a certificate named DigiCertGlobalRootCA.crt.pem already exists.
:do {
    # Fetch the root CA; repeat until the file is present on the router.
    # check-certificate=no is unavoidable here (no trusted CA yet), so the fingerprint check below is what authenticates it.
    :do {/tool fetch https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem check-certificate=no} \
        while=([/file print count-only where name="DigiCertGlobalRootCA.crt.pem"]=0);
    # Import it into the certificate store; repeat until the import shows up.
    :do {/certificate import file-name="DigiCertGlobalRootCA.crt.pem" passphrase="" name="DigiCertGlobalRootCA.crt.pem"} \
        while=([/certificate print count-only where name="DigiCertGlobalRootCA.crt.pem"]=0);
    :do {
        # Change DNS servers: clear the plain-text servers and point the resolver at Cloudflare DoH
        /ip dns set servers=
        /ip dns set use-doh-server="https://1.1.1.1/dns-query" verify-doh-cert=yes
        # Transparent proxy all DNS queries from your LAN through your router towards DoH servers / put this rule on top
        # (only added when the router answers remote DNS requests; otherwise it would not answer the redirected queries)
        :do {/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect} \
            if=([/ip dns get allow-remote-requests]=yes)
    # Repeat until a certificate with the pinned SHA-256 fingerprint of the DigiCert Global Root CA exists;
    # a downloaded file that does not match the pin never satisfies this condition.
    } while=([/certificate print count-only where fingerprint="4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161"]=0);
} if=([/certificate print count-only where name="DigiCertGlobalRootCA.crt.pem"]=0);
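The fingerprint the script pins is what turns the unverified download (check-certificate=no in the fetch step) into a trustworthy root: RouterOS's fingerprint field is the SHA-256 digest of the certificate's DER encoding, the same value openssl prints with -fingerprint -sha256. The following added example (not part of the original post or of RouterOS) shows that computation, so you can check a downloaded PEM against the pinned value on a workstation before importing it, or compare the value shown by /certificate print detail. The PEM embedded below is a constructed stand-in made of a fixed byte pattern, not a real certificate, so it is expected to fail the pin.

```python
"""Verify a PEM certificate against a pinned SHA-256 fingerprint.

Added example, not code from the original MikroTik post. The fingerprint
RouterOS compares is SHA-256 over the DER bytes inside the PEM armour.
"""
import base64
import hashlib
import hmac
import re

# Fingerprint pinned in the RouterOS script (DigiCert Global Root CA, SHA-256).
PINNED_SHA256 = "4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    # Strip line breaks/whitespace, then strictly decode the base64 body.
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 fingerprint, the form RouterOS displays."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' (openssl style) or bare hex; return lowercase hex."""
    return fp.replace(":", "").strip().lower()


def pem_matches_pin(pem: str, pinned: str) -> bool:
    """True only if the certificate's SHA-256 equals the pin.

    hmac.compare_digest avoids a timing side channel; not critical for a
    public root fingerprint, but it is the right habit for any comparison
    of secrets or digests.
    """
    actual = sha256_fingerprint(pem_to_der(pem))
    return hmac.compare_digest(actual, normalize_fingerprint(pinned))


# Constructed sample PEM: a fixed 48-byte pattern wrapped in PEM armour.
# It is NOT a real certificate and therefore must not match the pin.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(bytes(range(48))).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    import sys
    # Usage: python verify_pin.py DigiCertGlobalRootCA.crt.pem
    path = sys.argv[1] if len(sys.argv) > 1 else None
    pem = open(path, encoding="ascii").read() if path else SAMPLE_PEM
    print("fingerprint:", sha256_fingerprint(pem_to_der(pem)))
    print("matches pin:", pem_matches_pin(pem, PINNED_SHA256))
```

Run it against the file the router fetched (or the same URL fetched from a workstation) and only proceed with the import when it reports a match; a mismatch means the script's inner loop would never complete, and more importantly that verify-doh-cert=yes would be anchored on a root you did not intend to trust.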
A full list of well-known DNS-over-HTTPS service providers is maintained here:
https://github.com/curl/curl/wiki/DNS-over-HTTPS
Related links:
MikroTik DNS-over-HTTPS via Google.DNS 8.8.8.8
Thank you!