MikroTik DNS-over-HTTPS via CloudFlare

Nikita Tarikin <nikita@tarikin.com>

RouterOS 6.47 has just been released with a great new feature: DNS-over-HTTPS (DoH).

MikroTik can now protect your online activity by encrypting your DNS traffic.

"DNS over HTTPS is a protocol for performing remote Domain Name System resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver." (Wikipedia)

This code switches your MikroTik router to CloudFlare's DNS-over-HTTPS (DoH) servers and sets up a transparent DNS proxy for all unencrypted UDP/53 traffic from your LAN.

Apply this script on your test router with default configuration first!


Download the DigiCert Root CA certificate. A router with the default configuration has no CA certificates installed, so this download cannot itself be verified (hence check-certificate=no); the full script below therefore checks the SHA-256 fingerprint of the imported certificate before enabling DoH.

/tool fetch https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem check-certificate=no


Install DigiCert Root CA certificate

/certificate import file-name="DigiCertGlobalRootCA.crt.pem" passphrase="" name="DigiCertGlobalRootCA.crt.pem"


Change DNS servers

/ip dns set servers=
/ip dns set use-doh-server="https://1.1.1.1/dns-query" verify-doh-cert=yes


Transparently proxy all DNS queries from your LAN through your router towards the DoH servers. Put this rule on top of the dstnat chain. It requires the router to answer DNS queries (/ip dns allow-remote-requests=yes), and it only catches plain UDP/53; clients that use TCP/53 or their own encrypted resolver are not redirected by it.

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect


Full script

## CloudFlare DNS-over-HTTPS DoH script
## Apply this script on your default configuration LAB router first
## RouterOS 6.47 or newer
## Credits Nikita Tarikin nikita@tarikin.com
## 03.06.2020

# Run only if the DigiCert root certificate is not installed yet
:do {
    # Fetch the CA certificate; a fresh router has no trust store, so the download itself cannot be verified
    :do {/tool fetch https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem check-certificate=no} \
        while=([/file print count-only where name="DigiCertGlobalRootCA.crt.pem"]=0);
    :do {/certificate import file-name="DigiCertGlobalRootCA.crt.pem" passphrase="" name="DigiCertGlobalRootCA.crt.pem"} \
        while=([/certificate print count-only where name="DigiCertGlobalRootCA.crt.pem"]=0);
    # Check for valid installed certificate: apply the DoH settings only if the imported
    # certificate carries the SHA-256 fingerprint of DigiCert Global Root CA
    :if ([/certificate print count-only where fingerprint="4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161"]=1) do={
        # Change DNS servers
        /ip dns set servers=
        /ip dns set use-doh-server="https://1.1.1.1/dns-query" verify-doh-cert=yes

        # Transparent proxy all DNS queries from your LAN through your router towards DoH servers / put this rule on top
        :do {/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect} \
            if=([/ip dns get allow-remote-requests]=yes)
    } else={
        :log error "DigiCertGlobalRootCA.crt.pem fingerprint mismatch, DoH not configured"
    }
} if=([/certificate print count-only where name="DigiCertGlobalRootCA.crt.pem"]=0);
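The download step runs with check-certificate=no, so the only thing standing between the router and a tampered root certificate is the fingerprint comparison in the script. Here is an added Python example, not part of the original post, that performs the same check on an operator's workstation before the file is uploaded: it fetches the PEM over an HTTPS connection validated by the workstation's own trust store, computes SHA-256 over the DER encoding (the value RouterOS displays as the certificate fingerprint), compares it with the pinned value from the script, and only then writes the file for upload to the router. The PEM used in the test is constructed, not a real certificate.

```python
"""Pin-check the DigiCert root certificate before it is uploaded to and imported on the router."""
import base64
import hashlib
import re
import urllib.request

CA_URL = "https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
CA_FILE = "DigiCertGlobalRootCA.crt.pem"
# SHA-256 fingerprint of DigiCert Global Root CA: the value the full script on this page checks
DIGICERT_GLOBAL_ROOT_CA_SHA256 = "4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161"

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Extract exactly one certificate from PEM text and return its DER bytes."""
    blocks = _PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate in the PEM file, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint as RouterOS prints it: SHA-256 over the DER, lowercase hex, no colons."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept the colon-separated uppercase form browsers show as well as the RouterOS form."""
    return fp.replace(":", "").replace(" ", "").lower()


def verify_pinned_ca(pem_text: str, expected: str = DIGICERT_GLOBAL_ROOT_CA_SHA256) -> bool:
    """True only if the certificate in pem_text has the pinned SHA-256 fingerprint."""
    return sha256_fingerprint(pem_to_der(pem_text)) == normalize_fingerprint(expected)


def fetch_and_pin(url: str = CA_URL, out_file: str = CA_FILE) -> str:
    """Download the PEM (TLS validated by this host's trust store), pin-check it, save it for upload."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        pem_text = resp.read().decode("ascii")
    if not verify_pinned_ca(pem_text):
        raise SystemExit(f"fingerprint mismatch for {url}; do not upload this file")
    with open(out_file, "w") as f:
        f.write(pem_text)
    return out_file


if __name__ == "__main__":
    print("fingerprint OK, saved", fetch_and_pin())
```

Upload the saved file to the router and run the /certificate import step from above; the script's own fingerprint check then confirms on the router that the file that arrived is the one that was verified.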


A full list of well-known DNS-over-HTTPS service providers is maintained here:

https://github.com/curl/curl/wiki/DNS-over-HTTPS


Related links:

MikroTik DNS-over-HTTPS via Google.DNS 8.8.8.8


Thank you!

https://t.me/tropicalengineer

https://www.tarikin.com