Sunday, June 7, 2020

Using DNS over HTTPS (DoH) on Mikrotik v6.47

Using DNS over HTTPS (DoH) on Mikrotik v6.47:
Mikrotik added a new feature in RouterOS 6.47: this version supports DNS over HTTPS (DoH). To use it, follow the steps below.
But first, make sure your Mikrotik is updated to version 6.47. If you haven't updated yet, go to https://mikrotik.com/download and download the RouterOS 6.47 package for your Mikrotik architecture (MIPSBE, ARM64, MMIPS or others).

For Google DNS (8.8.8.8 and 8.8.4.4):
1. Log in to Winbox, go to IP - DNS and click the Static button on the right panel. Then add static entries for dns.google (8.8.8.8 and 8.8.4.4); the router needs these to resolve the DoH hostname before DoH itself is working. The equivalent terminal commands are:
/ip dns static
add address=8.8.8.8 name=dns.google type=A
add address=8.8.4.4 name=dns.google type=A


2. Fill "Use DoH Server" with "https://dns.google/dns-query" and don't tick "Verify DoH Certificate", or paste these commands into a new terminal. Note that with verification off the router does not check the identity of the DoH server; if you import a CA bundle as in the Cloudflare section below, you can tick it here too.
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.google/dns-query


3. Redirect all DNS connections from your LAN to the Mikrotik DNS, or set the Mikrotik IP address as the DNS server in your Windows IP address configuration:
/ip firewall nat
add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53
add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53

4. Test your DNS with https://www.dnsleaktest.com/ and hit the Standard test button. If all results show Google, you have successfully forwarded your DNS to Google DNS over HTTPS.
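To show what the router actually sends once step 2 is in place, here is an added Python example (not from this post or from MikroTik) that builds the RFC 8484 wire-format query the router POSTs to https://dns.google/dns-query, parses the answer, and keeps TLS certificate verification on, which is what "Verify DoH Certificate" controls. The sample response bytes are constructed, not captured; resolve() needs network access, the other functions run offline.

```python
import base64, ssl, struct, urllib.request

DOH_URL = "https://dns.google/dns-query"  # the endpoint configured on the router in step 2

def build_query(name, qtype=1):
    # Minimal RFC 1035 wire-format query; ID 0 as RFC 8484 recommends, so identical queries are cacheable
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN

def doh_get_url(name, base=DOH_URL):
    # RFC 8484 GET form: the query travels in ?dns= as unpadded base64url
    return base + "?dns=" + base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()

def _skip_name(resp, o):
    # Step over a name without expanding it; a 0xC0xx compression pointer is 2 bytes
    while resp[o] != 0:
        if resp[o] & 0xC0 == 0xC0:
            return o + 2
        o += 1 + resp[o]
    return o + 1

def parse_a_records(resp):
    # Return the IPv4 addresses in the answer section of a wire-format response
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips

def resolve(name, url=DOH_URL):
    # Live POST query (needs network); create_default_context() verifies the server cert, as "Verify DoH Certificate" does on the router
    req = urllib.request.Request(url, data=build_query(name), headers={
        "content-type": "application/dns-message", "accept": "application/dns-message"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=5) as r:
        return parse_a_records(r.read())

SAMPLE_RESPONSE = (  # constructed sample reply for dns.google, not a captured packet
    b"\x00\x00\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"  # header: 1 question, 2 answers
    b"\x03dns\x06google\x00\x00\x01\x00\x01"  # question: dns.google A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x08\x08\x08\x08"  # A 8.8.8.8, TTL 300
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x08\x08\x04\x04")  # A 8.8.4.4
```

Running parse_a_records(SAMPLE_RESPONSE) yields the two Google addresses from the static entries in step 1; doh_get_url("dns.google") shows the GET form of the same query.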

For Cloudflare DNS (1.1.1.1):
1. Log in to Winbox and open a new terminal:

- First download the CA certificate bundle to the Mikrotik:
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
- Import the certificates into the Mikrotik certificate store:
/certificate import file-name=cacert.pem passphrase=""

You can also download the certificate from https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem

2. Go to IP - DNS and set Servers to 1.1.1.1 and 1.0.0.1. Then fill "Use DoH Server" with "https://dns.cloudflare.com/dns-query" and tick "Verify DoH Certificate".

3. Redirect all DNS connections from your LAN to the Mikrotik DNS, or set the Mikrotik IP address as the DNS server in your Windows IP address configuration:
/ip firewall nat
add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53
add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53

4. Lastly, test whether the DoH server is connected. Open your browser, go to https://1.1.1.1/help and wait until the check finishes. If "Connected to 1.1.1.1" and "Using DNS over HTTPS (DoH)" both say Yes, you are already using a DoH server on your Mikrotik.
If you want to try another DNS server, see https://kb.adguard.com/en/general/dns-providers for a complete list and look for the DNS-over-HTTPS, IPv4 entry of each provider.
