MikroTik DNS-over-HTTPS via Google.DNS 8.8.8.8

Nikita Tarikin <nikita@tarikin.com>

RouterOS 6.47 is just out with a great new feature: DNS-over-HTTPS (DoH).

MikroTik can now protect your online activity by encrypting the DNS traffic between your router and the upstream resolver.

"DNS over HTTPS is a protocol for performing remote Domain Name System resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver." (Wikipedia)

This script switches your MikroTik router to Google's DNS-over-HTTPS (DoH) servers and turns the router into a transparent DNS proxy: every unencrypted UDP/53 query from your LAN is redirected to the router, which answers it over DoH.

Apply this script on a test router with the default configuration first!


Download and install the GlobalSign Root CA - R2 certificate

The certificate presented by dns.google chains up to GlobalSign Root CA - R2, which is not in the RouterOS certificate store by default, so verify-doh-cert=yes cannot work without it. The fetch has to use check-certificate=no because there is no trusted root yet to validate pki.goog against; that makes the download itself unauthenticated. After the import, compare the SHA-256 fingerprint shown by /certificate print detail with ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e before enabling DoH (the full script at the end of this post does exactly that check).

/tool fetch https://pki.goog/gsr2/GSR2.crt check-certificate=no
/certificate import file-name="GSR2.crt" passphrase="" name="GlobalSignRootCAR2.crt"


Set static DNS records for the dns.google name

The router has to resolve dns.google before it can send its first DoH query, and once the plaintext servers are removed it has no other way to do that. The static entries break this bootstrap loop. They do not weaken the setup: the DoH server's certificate is still validated against the name dns.google, so a wrong address simply fails the TLS handshake instead of being trusted.

/ip dns static add type=A address=8.8.8.8 name=dns.google ttl=1h
/ip dns static add type=A address=8.8.4.4 name=dns.google ttl=1h
/ip dns static add type=AAAA address=2001:4860:4860::8888 name=dns.google ttl=1h
/ip dns static add type=AAAA address=2001:4860:4860::8844 name=dns.google ttl=1h


Change DNS servers

Clearing servers= leaves DoH as the only upstream, so no query can fall back to plaintext UDP/53, and verify-doh-cert=yes makes the router validate the server certificate against the root imported above. The trade-off is that resolution fails closed: if the DoH endpoint is unreachable, or the imported root expires or Google re-issues its certificates under a different root, all DNS resolution through the router stops until the configuration is updated.

/ip dns set servers=
/ip dns set use-doh-server="https://dns.google/dns-query" verify-doh-cert=yes


Transparent proxy all DNS queries from your LAN through your router towards the DoH servers

This rule requires /ip dns allow-remote-requests=yes (the router must answer queries from the LAN) and an input-chain rule that accepts UDP/53 from the LAN; the default configuration provides both. Put it at the top of the dstnat chain, above any port-forwarding rules. Be aware of what it does not cover: it redirects UDP/53 only (resolvers retry over TCP/53 when an answer is truncated), and a client or browser that speaks DoH or DNS-over-TLS to its own resolver bypasses the router's DNS entirely.

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect comment="Transparent proxy all DNS queries from your LAN"


Full script MikroTik-DOH-GoogleDNS.rsc

## Google DNS-over-HTTPS DoH script
## Apply this script on your default configuration LAB router first
## RouterOS 6.47++
## Credits Nikita Tarikin <nikita@tarikin.com>
## 03.06.2020

# SHA-256 fingerprint of GlobalSign Root CA - R2 as RouterOS shows it in /certificate print
:local gsr2fp "ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e"

# Run once: do nothing if the root certificate is already installed
:if ([/certificate print count-only where name="GlobalSignRootCAR2.crt"]=0) do={
    # No trusted root yet, so this download cannot be TLS-validated;
    # the fingerprint check below is what authenticates it
    :do {/tool fetch https://pki.goog/gsr2/GSR2.crt check-certificate=no} \
        while=([/file print count-only where name="GSR2.crt"]=0);
    :do {/certificate import file-name="GSR2.crt" passphrase="" name="GlobalSignRootCAR2.crt"} \
        while=([/certificate print count-only where name="GlobalSignRootCAR2.crt"]=0);

    # Configure DoH only if the imported certificate really is GlobalSign Root CA - R2
    :if ([/certificate print count-only where fingerprint=$gsr2fp]>0) do={
        # Set static DNS records for dns.google name, so the DoH server name
        # resolves before DoH itself is working
        /ip dns static add type=A address=8.8.8.8 name=dns.google ttl=1h
        /ip dns static add type=A address=8.8.4.4 name=dns.google ttl=1h
        /ip dns static add type=AAAA address=2001:4860:4860::8888 name=dns.google ttl=1h
        /ip dns static add type=AAAA address=2001:4860:4860::8844 name=dns.google ttl=1h

        # Change DNS servers: no plaintext upstream, DoH only, server certificate verified
        /ip dns set servers=
        /ip dns set use-doh-server="https://dns.google/dns-query" verify-doh-cert=yes

        # Transparent proxy all DNS queries from your LAN through your router towards DoH servers / put this rule on top
        # (only useful when the router answers remote requests)
        :if ([/ip dns get allow-remote-requests]=yes) do={
            /ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect comment="Transparent proxy all DNS queries from your LAN"
        }
    } else={
        # Wrong certificate: remove it and stop instead of trusting an unverified root
        /certificate remove [find name="GlobalSignRootCAR2.crt"]
        :error "GSR2.crt fingerprint mismatch, certificate removed, DoH not configured"
    }
}
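Once the script has been applied, the following RouterOS commands check that the router is really DoH-only and close the gaps noted above. This is an added example, not part of the original script: it assumes the names used in this post (the certificate name GlobalSignRootCAR2.crt, the default LAN interface list and the NAT rule comment) and uses example.com as an arbitrary test name.

```routeros
# Post-apply checks for the Google DoH setup (added example, not part of the original script).
# Assumes the post's names: certificate "GlobalSignRootCAR2.crt", interface list "LAN",
# NAT rule comment "Transparent proxy all DNS queries from your LAN"; example.com is an arbitrary test name.

# 1. The root CA was downloaded with check-certificate=no, so its fingerprint is the only
#    thing that authenticates it. Stop here if it is not GlobalSign Root CA - R2.
:local gsr2fp "ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e"
:if ([/certificate print count-only where name="GlobalSignRootCAR2.crt" fingerprint=$gsr2fp]>0) do={
    :put "root CA fingerprint OK"
} else={
    :error "root CA fingerprint mismatch, do not trust this certificate"
}

# 2. The resolver must have no plaintext upstream, point at dns.google and verify its certificate
:if ([:len [/ip dns get servers]]=0 && [/ip dns get use-doh-server]="https://dns.google/dns-query" && [/ip dns get verify-doh-cert]=yes) do={
    :put "resolver is DoH-only with certificate verification"
} else={
    :error "resolver still has a plaintext upstream or verify-doh-cert is off"
}

# 3. Exercise the DoH path end to end with a name that has no static entry;
#    :resolve aborts the script with an error if the lookup fails
/ip dns cache flush
:put [:resolve example.com]

# 4. Show the hit counters of the redirect rule: they must grow while a LAN client resolves names
/ip firewall nat print stats where comment="Transparent proxy all DNS queries from your LAN"

# 5. The post's rule covers UDP/53 only; resolvers retry over TCP/53 when an answer is
#    truncated, so redirect TCP as well (added rule, skipped if one already exists)
:if ([/ip firewall nat print count-only where chain=dstnat protocol=tcp dst-port=53]=0) do={
    /ip firewall nat add chain=dstnat protocol=tcp dst-port=53 in-interface-list=LAN action=redirect \
        comment="Transparent proxy all DNS queries from your LAN (TCP)"
}

# 6. Rollback to plaintext Google DNS if the DoH path turns out to be broken (commented out on purpose)
# /ip dns set use-doh-server="" verify-doh-cert=no servers=8.8.8.8,8.8.4.4
# /ip firewall nat remove [find comment~"^Transparent proxy all DNS queries from your LAN"]
# /ip dns static remove [find name="dns.google"]
```

Paste it into a terminal or save it as a script. :error and a failing :resolve abort the run at the first problem, so a run that reaches step 4 is itself the positive result; the rollback lines stay commented so they are never executed by accident.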

A full list of well-known DNS-over-HTTPS providers is maintained in the curl wiki:

https://github.com/curl/curl/wiki/DNS-over-HTTPS


Related links:

MikroTik DNS-over-HTTPS via CloudFlare


Thank you!

https://t.me/tropicalengineer

https://www.tarikin.com