
@marfillaster
Last active May 11, 2026 00:21

MikroTik RouterOS v7: DoH + IPv6 RA RDNSS with ULA DNS

Self-contained paste for a RouterOS v7 LAN that already has IPv6 SLAAC working. It makes the router the LAN DNS resolver, sends upstream DNS through Cloudflare DoH, advertises the router's ULA as DNS via RA RDNSS, and stops DHCPv4 from advertising 192.168.88.1 as DNS while keeping admin@192.168.88.1 management working.

DNS companion/update for: https://gist.github.com/marfillaster/a80d378124db0d879a962ce73d31b345

Replace:

  • <LAN_BRIDGE> with your LAN bridge, usually bridge
  • <LAN_GUA> with the router's LAN GUA, for example 2001:db8:1:1::1
  • <LAN_ULA> with the router's LAN ULA, for example fd96:7d0b:7dc2:1::1
```routeros
# Import CA roots before enabling DoH.
/tool/fetch url=https://curl.se/ca/cacert.pem dst-path=cacert.pem
/certificate/import file-name=cacert.pem passphrase=""

# Router DNS resolver + Cloudflare DoH.
/ip dns
set allow-remote-requests=yes \
    max-concurrent-queries=200 \
    use-doh-server=https://cloudflare-dns.com/dns-query \
    verify-doh-cert=yes

# DoH endpoint bootstrap + local router name.
/ip dns static
add address=104.16.248.249       name=cloudflare-dns.com comment="DoH bootstrap"
add address=104.16.249.249       name=cloudflare-dns.com comment="DoH bootstrap"
add address=2606:4700::6810:f8f9 name=cloudflare-dns.com type=AAAA comment="DoH bootstrap"
add address=2606:4700::6810:f9f9 name=cloudflare-dns.com type=AAAA comment="DoH bootstrap"
add address=<LAN_GUA>            name=router.lan type=AAAA
add address=<LAN_ULA>            name=router.lan type=AAAA comment="LAN ULA"

# Add stable LAN ULA and advertise only the ULA as DNS via RA RDNSS.
/ipv6 address
add address=<LAN_ULA>/64 advertise=yes interface=<LAN_BRIDGE> comment="ULA - RFC 4193"

/ipv6/nd
add interface=<LAN_BRIDGE> \
    dns=<LAN_ULA> \
    advertise-dns=yes \
    managed-address-configuration=no other-configuration=no \
    ra-interval=20s-200s

# Stop DHCPv4 from advertising 192.168.88.1 as DNS.
# This does not remove 192.168.88.1 from the bridge.
/ip dhcp-server network
set [find address=192.168.88.0/24] dns-none=yes
```

Test on the router:

```routeros
:put [:resolve "cloudflare.com"]
/log/print where message~"DoH|dns"
```

Test on macOS:

```shell
scutil --dns | grep -i 'nameserver\['
dig @<LAN_ULA> cloudflare.com
dig @<LAN_ULA> ipv6.google.com AAAA
```

Expected macOS DNS:

```
nameserver[0] : <LAN_ULA>
```

192.168.88.1 should no longer appear as DNS after the Mac renews DHCP or Wi-Fi reconnects.
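The checks above confirm what the Mac ended up with; they do not show what the router actually put on the wire. The following is an added example, not part of this gist or of RouterOS, that decodes the RDNSS option (RFC 8106, ND option type 25) and the M/O flags from a captured Router Advertisement and reports anything that deviates from the policy configured above: exactly one resolver, it is the expected ULA, it is inside fc00::/7, its lifetime is non-zero, and the O flag is clear. The sample RA bytes are constructed inline with a zero checksum (never validated here); `build_sample_ra`, `parse_ra` and `audit_rdnss` are names invented for this example, and the ULA `fd96:7d0b:7dc2:1::1` is the placeholder value from the gist.

```python
"""Decode and audit the RDNSS option of an ICMPv6 Router Advertisement.

Added example (not RouterOS code). Input is the raw ICMPv6 message, i.e. the
bytes after the IPv6 header; extract that from a tcpdump/Wireshark capture.
"""
import ipaddress
import struct

ICMPV6_RA = 134      # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_RDNSS = 25       # ND option type: Recursive DNS Server (RFC 8106)
RA_HEADER_LEN = 16   # type, code, csum, hop limit, flags, lifetime, reachable, retrans
ULA_RANGE = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses


def is_ula(addr):
    """True if addr (string) is an RFC 4193 unique local address."""
    return ipaddress.IPv6Address(addr) in ULA_RANGE


def parse_ra(ra):
    """Return {'managed': M flag, 'other': O flag, 'rdnss': [(addr, lifetime), ...]}."""
    if len(ra) < RA_HEADER_LEN or ra[0] != ICMPV6_RA:
        raise ValueError("not an ICMPv6 Router Advertisement")
    flags = ra[5]
    result = {
        "managed": bool(flags & 0x80),  # M: use DHCPv6 for addresses
        "other": bool(flags & 0x40),    # O: use DHCPv6 for other config (DNS etc.)
        "rdnss": [],
    }
    off = RA_HEADER_LEN
    while off + 2 <= len(ra):
        opt_type, opt_len = ra[off], ra[off + 1]   # length is in units of 8 octets
        if opt_len == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 says discard the packet
        end = off + opt_len * 8
        if end > len(ra):
            raise ValueError("truncated ND option")
        if opt_type == OPT_RDNSS:
            # type(1) len(1) reserved(2) lifetime(4) then one or more 16-byte addresses
            lifetime = struct.unpack("!I", ra[off + 4:off + 8])[0]
            body = ra[off + 8:end]
            if not body or len(body) % 16:
                raise ValueError("malformed RDNSS option")
            for i in range(0, len(body), 16):
                addr = str(ipaddress.IPv6Address(body[i:i + 16]))
                result["rdnss"].append((addr, lifetime))
        off = end
    return result


def audit_rdnss(ra, expected_dns):
    """Return a list of findings; an empty list means the RA matches the intended policy."""
    parsed = parse_ra(ra)
    expected = str(ipaddress.IPv6Address(expected_dns))
    findings = []
    if not parsed["rdnss"]:
        findings.append("no RDNSS option: hosts will keep whatever DNS they learn elsewhere")
    for addr, lifetime in parsed["rdnss"]:
        if addr != expected:
            findings.append(f"unexpected resolver advertised: {addr}")
        if not is_ula(addr):
            findings.append(f"resolver {addr} is not a ULA (fc00::/7)")
        if lifetime == 0:
            findings.append(f"resolver {addr} advertised with lifetime 0 (withdrawal)")
    if parsed["other"]:
        findings.append("O flag set: hosts may also ask DHCPv6 for DNS servers")
    if parsed["managed"]:
        findings.append("M flag set: hosts will try stateful DHCPv6 for addresses")
    return findings


def build_sample_ra(dns_addrs, lifetime, flags=0):
    """Construct a minimal RA with one RDNSS option (checksum left as 0; test data only)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, 1800, 0, 0)
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_addrs)
    opt = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_addrs), 0, lifetime) + addrs
    return hdr + opt


# Constructed sample: the RA this gist's /ipv6/nd entry is meant to produce.
SAMPLE_RA = build_sample_ra(["fd96:7d0b:7dc2:1::1"], 3600)

if __name__ == "__main__":
    print(parse_ra(SAMPLE_RA))
    print(audit_rdnss(SAMPLE_RA, "fd96:7d0b:7dc2:1::1") or "RA matches policy")
```

A practitioner would replace `SAMPLE_RA` with the ICMPv6 payload of an RA captured on the LAN segment (on macOS, `tcpdump -i en0 -w ra.pcap 'icmp6 and ip6[40] == 134'` captures them, assuming no IPv6 extension headers precede the ICMPv6 header) and compare the findings against the intended configuration; a GUA showing up alongside the ULA, or a set O flag, means the router's RA is not what was configured.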
