@M0r13n
Last active March 27, 2026 19:10
Setup Cloudflare as a DoH (DNS over HTTPS) resolver on Mikrotik devices (RouterOS v7.0.2+)
# Temporarily add a normal upstream DNS resolver
/ip dns set servers=1.1.1.1,1.0.0.1
# CA certificates extracted from Mozilla
/tool fetch url=https://curl.se/ca/cacert.pem
# Import the downloaded ca-store (127 certificates)
/certificate import file-name=cacert.pem passphrase=""
# Set the DoH resolver to Cloudflare and require verification of its certificate
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
# Remove the old upstream DNS resolvers
/ip dns set servers=""
# Delete the certificate file
/file remove cacert.pem
# OPTIONAL - Stop using DNS servers supplied by the DHCP server (peer DNS)
# Enter 0 as the number if it asks you
/ip dhcp-client set use-peer-dns=no
# If you are connecting over LTE (for example with a Chateau)
# Enter 0 as the number if it asks you
/interface lte apn set use-peer-dns=no
# Verify that no dynamic DNS servers are listed
/ip dns print
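
Added example (not part of the gist): a Python check that parses saved `/ip dns print` output and reports where it differs from the end state the commands above produce. The two sample outputs are constructed and the function names are this example's own; it also flags a DoH URL that uses a host name instead of an IP literal, which goes beyond the gist's 1.1.1.1 case.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of `/ip dns print` output after the gist's steps (not from a real router).
SAMPLE_GOOD = """\
                      servers:
              dynamic-servers:
               use-doh-server: https://1.1.1.1/dns-query
              verify-doh-cert: yes
"""
# Constructed sample: old resolvers left in place, peer DNS accepted, certificate check off.
SAMPLE_BAD = """\
                      servers: 1.1.1.1,1.0.0.1
              dynamic-servers: 192.168.8.1
               use-doh-server: https://cloudflare-dns.com/dns-query
              verify-doh-cert: no
"""

def parse_dns_print(text):
    """Turn the right-aligned `key: value` lines into a dict, splitting on the first colon only."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings

def audit_doh(text):
    """Return findings; an empty list means the output matches the gist's end state."""
    s = parse_dns_print(text)
    findings = []
    url = urlsplit(s.get("use-doh-server", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("use-doh-server is not an https:// URL")
    else:
        try:
            ipaddress.ip_address(url.hostname)
        except ValueError:
            findings.append("DoH host is a name, so the router needs another way to resolve it")
    if s.get("verify-doh-cert") != "yes":
        findings.append("verify-doh-cert is not yes: the DoH server certificate is not checked")
    if s.get("servers"):
        findings.append("static upstream resolvers still configured: " + s["servers"])
    if s.get("dynamic-servers"):
        findings.append("peer-supplied resolvers still present: " + s["dynamic-servers"])
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        print(audit_doh(sample) or "matches the gist's end state")
```
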
@cnlutong

nice

@MeteoraCD2

I was looking for a link to the certificate. Thanks!

@nookeist

Thanks!

@KillerHT

KillerHT commented Aug 6, 2024

thx

@serdar-demir

FYI: The title states that this works on RouterOS v7.0.2+, but it should be RouterOS v6.47+.


@Delitants

LOG: unsupported CRL protocol for URL: ldap://directory.d-trust.net/CN=D-TRUST%20BR%20Root%20CA%201%202020,O=D-Trust%20GmbH,C=DE?certificaterevocationlist

@mldoscar

You are the man!

@siexp

siexp commented Jan 5, 2025

Ty, works nice!

P.S.
maybe useful for checks

https://one.one.one.one/help/

@PablexXXXX

Thanks, any idea how frequently the certs must be reinstalled?

@M0r13n
Author

M0r13n commented May 3, 2025

@PablexXXXX The CA cert is most likely never going to change as it is the trust anchor for verifying other certificates. Therefore, the CA certificate is expected to remain the same for a long time. Many embedded devices can't even be easily updated. So I wouldn't worry.
