DOH MIKROTIK

https://t.me/mikrotikindo
The latest stable version of RouterOS 6.47 adds support for DNS over
HTTPS or DoH. DoH is a protocol for performing remote DNS over
HTTPS protocol. It is similar to DoT (DNS over TLS) but not exactly the
same.

In this MikroTik Tutorial I will show you how to configure DNS over
HTTPS on your MikroTik router using either Cloudflare DNS servers or
Google DNS servers.

DNS over HTTPS (DoH) is a protocol for performing remote Domain

Name System (DNS) resolution via the HTTPS protocol. A goal of the
method is to increase user privacy and security by preventing
eavesdropping and manipulation of DNS data by man-in-the-middle
attacks[1] by using the HTTPS protocol to encrypt the data between the
DoH client and the DoH-based DNS resolver.

Wikipedia DoH page

UPDATE: RouterOS v6.47 was released to the stable channel on June
2nd 2020 with DNS over HTTPS support. I used a RB4011 router running
RouterOS v6.47beta60 during testing. You will see 6.47beta60 referenced
in the screenshot below but I recommend using the stable channel.

1 Steps to Configure DNS over HTTPS on a

MikroTik Router
Time needed: 2 minutes.

1. Upgrade to RouterOS v6.47 available in the stable channel.

 DOH MIKROTIK
https://t.me/mikrotikindo
System | Packages | Check for Updates

2. Download and Import root certificates

 DOH MIKROTIK
https://t.me/mikrotikindo
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=””

3. Remove DNS Servers

In winbox open IP | DNS, remove existing Servers

4. Add a static DNS entry for the DoH hostname.

IP | DNS | Static | +
Add 2 Static DNS Entries for cloudflare-dns.com to
Address: 104.16.248.249 and 104.16.249.249.
If you plan on using Google add dns.google pointing to 8.8.8.8 and
 DOH MIKROTIK
https://t.me/mikrotikindo
8.8.4.4.

5. Add providers url to “Use DoH Server” and check the box “Verify
DoH Certificate”
 DOH MIKROTIK
https://t.me/mikrotikindo
For cloudflare I added https://cloudflare-dns.com/dns-query

2 Verify that DoH is enabled and working

Cloudflare has provided a simple web status page at https://1.1.1.1/help to
verify that you have configured DNS over HTTPS properly.
 DOH MIKROTIK
https://t.me/mikrotikindo
 DOH MIKROTIK
https://t.me/mikrotikindo
3 Configure Cloudflare DNS over HTTPS resolver
The resolver url for Cloudflare is https://cloudflare-dns.com/dns-
query as show in the screenshot above.

4 Configure Google’s DNS over HTTPS resolver

The resolver url for Google is https://dns.google/dns-query as show in
the screenshot below.
 DOH MIKROTIK
https://t.me/mikrotikindo

5 Error Messages & Troubleshooting

dns, error DoH server connection error: SSL: handshake failed: unable to
get local issuer certificate (6)
 DOH MIKROTIK
https://t.me/mikrotikindo
This error is a result of not having root certificates installed to validate the
https certificate of the DNS server url.

dns, error DoH server connection error: resolving error

This error is a result of entering only an IP address in the Use DoH

Server field. It should be entered as a https:// url.

6 Enable DNS debug logging

Another way to see what is going on with dns queries on your MikroTik
router is to enable DNS logging.

7 Verify DoH is working with Torch

To verify that DoH is configured and working run torch on your WAN
interface and verify you see no udp or tcp connections to DNS port 53. In
my configuration to cloudflare I can see multiple https connection to
1.1.1.1.
 DOH MIKROTIK
https://t.me/mikrotikindo

Now you have DNS over HTTPS configured on your MikroTik Router. I
hope you have enjoyed this howto article,