MikroTik DNS-over-HTTPS via Google.DNS 8.8.8.8
Nikita Tarikin <nikita@tarikin.com>

RouterOS 6.47 has just been released with a great new feature: DNS-over-HTTPS (DoH).
MikroTik routers can now encrypt the DNS queries they send upstream, so nobody on the path between the router and the resolver can read or tamper with them. Keep in mind what this does and does not cover: only the router-to-resolver leg is encrypted, queries from LAN clients to the router still travel as plain UDP 53 on your LAN, and the DoH provider itself (Google here) still sees every query.
DNS over HTTPS is a protocol for performing remote Domain Name System resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. (Wikipedia)
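To make the protocol concrete, here is the exchange the router performs once DoH is enabled, written as an added example (this is not code from the original post, from MikroTik or from Google): a DNS wire-format query is built, carried to https://dns.google/dns-query as an RFC 8484 POST body with Content-Type application/dns-message, and the DNS message that comes back is parsed. The same query builder drives udp_query, the plain UDP 53 leg that LAN clients use and that the NAT rule below redirects to the router. SAMPLE_RESPONSE is a constructed message, not a real capture, so the parsing part runs offline; doh_post and udp_query need a network.

```python
"""DNS-over-HTTPS on the wire (RFC 8484 carrying RFC 1035 messages).

Added example, not code from the original post or from MikroTik. SAMPLE_RESPONSE
is a constructed message (not a real capture) so the parser can be exercised offline.
"""
import ipaddress
import socket
import struct
import urllib.request

DOH_URL = "https://dns.google/dns-query"     # endpoint configured on the router
TYPE_A, TYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Wire-format query: header, QNAME labels, QTYPE, QCLASS=IN.
    txid 0 is what RFC 8484 recommends so DoH responses are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just past it."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if jumped else off


def parse_answers(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata) per answer RR; A/AAAA rendered as addresses.
    Raises on a non-zero RCODE so SERVFAIL/NXDOMAIN is not mistaken for 'no records'."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode={flags & 0xF}")
    off = 12
    for _ in range(qd):                            # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            text = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            text = str(ipaddress.IPv6Address(rdata))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


def doh_post(wire: bytes, url: str = DOH_URL) -> bytes:
    """Upstream leg: the query as an RFC 8484 POST body. Needs network access."""
    req = urllib.request.Request(url, data=wire, method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type", "").split(";")[0] != "application/dns-message":
            raise ValueError("endpoint did not return a DNS message")
        return resp.read()


def udp_query(wire: bytes, server: str, port: int = 53) -> bytes:
    """LAN leg: plain UDP/53, i.e. what clients send and the dstnat rule redirects."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(wire, (server, port))
        return s.recvfrom(4096)[0]


# Constructed sample of a response to build_query("dns.google"): QR/RD/RA set, RCODE 0,
# one question, two A answers whose names are compression pointers (0xC00C) to the QNAME.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
    b"\x03dns\x06google\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x08\x08\x08\x08"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x08\x08\x04\x04"
)

if __name__ == "__main__":
    print(build_query("dns.google").hex())
    print(parse_answers(SAMPLE_RESPONSE))
    # With network access, the live upstream leg is:
    # print(parse_answers(doh_post(build_query("dns.google"))))
```

Run from a LAN host after applying the script, udp_query(build_query("example.com"), "<router LAN IP>") exercises exactly the path the NAT rule creates, while doh_post talks to the upstream directly and is a quick way to confirm the endpoint and certificate chain are reachable before you cut the router over.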
The script below switches your MikroTik router to Google's DNS-over-HTTPS (DoH) servers and turns the router into a transparent DNS proxy: all unencrypted UDP 53 traffic from your LAN is redirected to the router, which resolves it over DoH.
Apply this script on your test router with default configuration first!
Download and install the GlobalSign Root CA R2 certificate (the root Google's DoH certificate chained to when this was written)
/tool fetch https://pki.goog/gsr2/GSR2.crt check-certificate=no
/certificate import file-name="GSR2.crt" passphrase="" name="GlobalSignRootCAR2.crt"
check-certificate=no is unavoidable at this point because the router does not trust any CA yet, but it also means this download is not authenticated. Before relying on it, compare the SHA-256 fingerprint of the imported certificate with the value pinned in the full script at the end of this page; the script refuses to configure DoH if they differ. Note that GlobalSign Root CA R2 expired on 15 December 2021, so on a current router you need to import whichever root Google's present certificate chain ends in and update the pinned fingerprint to match.
Set static DNS records for the dns.google name. This is a bootstrap step: the router has to resolve the DoH server's host name before it can send any DoH query, and in the next step all plain-DNS upstreams are removed, so without these entries it would have no way to find dns.google.
/ip dns static add type=A address=8.8.8.8 name=dns.google ttl=1h
/ip dns static add type=A address=8.8.4.4 name=dns.google ttl=1h
/ip dns static add type=AAAA address=2001:4860:4860::8888 name=dns.google ttl=1h
/ip dns static add type=AAAA address=2001:4860:4860::8844 name=dns.google ttl=1h
Change DNS servers. Clearing servers= removes every plain UDP 53 upstream so the router cannot silently fall back to unencrypted DNS; verify-doh-cert=yes makes the router validate the DoH server's certificate against the CA imported above, which is what stops a man-in-the-middle from impersonating dns.google.
/ip dns set servers=
/ip dns set use-doh-server="https://dns.google/dns-query" verify-doh-cert=yes
Transparently proxy all DNS queries from your LAN through your router towards the DoH servers. Put this rule above any other dstnat rules (port forwards and the like), otherwise an earlier rule can match first.
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect comment="Transparent proxy all DNS queries from your LAN"
Two things to check: the router only answers redirected queries if allow-remote-requests is enabled under /ip dns and the input chain accepts UDP 53 from the LAN (the default configuration does both). The rule catches plain UDP 53 only; clients that speak TCP 53, DNS-over-TLS (853) or their own DoH endpoint bypass it entirely.
Full script MikroTik-DOH-GoogleDNS.rsc

## Google DNS-over-HTTPS DoH script
## Apply this script on your default configuration LAB router first
## RouterOS 6.47++
## Credits Nikita Tarikin <nikita@tarikin.com>
## 03.06.2020

# Run only when the GlobalSign Root CA R2 certificate is not installed yet
:if ([/certificate print count-only where name="GlobalSignRootCAR2.crt"]=0) do={
    # Fetch the root CA. check-certificate=no is unavoidable here because the router
    # has no trusted CA yet; the fingerprint check further down compensates for it.
    :do {/tool fetch url="https://pki.goog/gsr2/GSR2.crt" check-certificate=no} \
        while=([/file print count-only where name="GSR2.crt"]=0);
    :do {/certificate import file-name="GSR2.crt" passphrase="" name="GlobalSignRootCAR2.crt"} \
        while=([/certificate print count-only where name="GlobalSignRootCAR2.crt"]=0);

    # Configure DoH only if the imported certificate is the expected one (SHA-256 fingerprint pinned)
    :if ([/certificate print count-only where fingerprint="ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e"]>0) do={
        # Set static DNS records for dns.google name (the DoH server name must resolve
        # without any plain-DNS upstream server)
        /ip dns static add type=A address=8.8.8.8 name=dns.google ttl=1h
        /ip dns static add type=A address=8.8.4.4 name=dns.google ttl=1h
        /ip dns static add type=AAAA address=2001:4860:4860::8888 name=dns.google ttl=1h
        /ip dns static add type=AAAA address=2001:4860:4860::8844 name=dns.google ttl=1h

        # Change DNS servers: drop all plain-DNS upstreams, use Google DoH with certificate verification
        /ip dns set servers=
        /ip dns set use-doh-server="https://dns.google/dns-query" verify-doh-cert=yes

        # Transparent proxy all DNS queries from your LAN through your router towards DoH servers
        # (only useful when the router answers remote requests) / put this rule on top
        :if ([/ip dns get allow-remote-requests]=yes) do={
            /ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect \
                comment="Transparent proxy all DNS queries from your LAN"
        }
    } else={
        :log error "GSR2.crt fingerprint mismatch, DoH not configured"
    }
}

Compared with the one-line version originally published, the fingerprint comparison is now a plain :if: a do/while loop on that condition runs its body once before testing and then repeats forever if the fingerprint does not match, which is the opposite of the intended behaviour. A mismatch now logs an error and leaves the DNS configuration untouched.
A list of well-known DNS-over-HTTPS service providers is maintained in the curl wiki:
https://github.com/curl/curl/wiki/DNS-over-HTTPS
Related links:
MikroTik DNS-over-HTTPS via CloudFlare
Thank you!