[Cloudflare] Configuring DoH Server on MikroTik RouterOS 7.8 (with certificates).txt
Encrypt your DNS requests with MikroTik (RouterOS 7.8 Stable)
(1) Quick command line setup for Cloudflare:
# Temporarily add a normal upstream DNS resolver
1. /ip dns set servers=1.1.1.1,1.0.0.1
# CA certificates extracted from DigiCert
2. /tool fetch https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
# Import CA to ca-store
3. /certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
# Set the DoH resolver to cloudflare
4. /ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes allow-remote-requests=yes
# Remove the old upstream DNS resolvers
5. /ip dns set servers=""
Reminder: uncheck "use-peer-dns" on the dhcp-client (WAN) or pppoe-out1 (WAN) so the ISP-supplied resolvers are not re-added as plaintext upstreams.
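The following is an added check script, not part of the original gist; it reads back the settings from steps 1 to 5 and the reminder above and logs a warning for anything that would leave a plaintext DNS path open, then does a test lookup through the DoH upstream. The hostname used for the test lookup and the log prefix are my own choices.

```routeros
# Added verification script (not from the gist). Run with: /system script run Check-DoH
# after pasting it as a script named Check-DoH (name is an assumption).
:local doh [/ip dns get use-doh-server]
:local verify [/ip dns get verify-doh-cert]
:local plain [/ip dns get servers]

# 1. A DoH upstream must be set, and its certificate must be verified,
#    otherwise an on-path attacker could impersonate the resolver.
:if ($doh = "") do={ :log warning "Check-DoH: use-doh-server is empty" }
:if ($verify != true) do={ :log warning "Check-DoH: verify-doh-cert is not yes" }

# 2. Step 5 clears the plaintext servers; if any remain, queries can still
#    fall back to unencrypted port 53.
:if ([:len $plain] > 0) do={
    :log warning ("Check-DoH: plaintext upstream servers still set: " . $plain)
}

# 3. The reminder: WAN clients must not re-add the ISP resolvers.
:foreach c in=[/ip dhcp-client find where use-peer-dns=yes] do={
    :log warning ("Check-DoH: dhcp-client on " . [/ip dhcp-client get $c interface] . " still has use-peer-dns=yes")
}
:foreach p in=[/interface pppoe-client find where use-peer-dns=yes] do={
    :log warning ("Check-DoH: pppoe-client " . [/interface pppoe-client get $p name] . " still has use-peer-dns=yes")
}

# 4. End-to-end test: a lookup through the router's resolver. With the
#    checks above passing, this query leaves the router only over DoH.
:do {
    :local ip [:resolve cloudflare-dns.com]
    :log info ("Check-DoH: resolution OK, cloudflare-dns.com -> " . $ip)
} on-error={
    :log error "Check-DoH: resolution failed, check the CA import and the DoH URL"
}
```

Read the result with /log print where topics~"script" or in Log; the script only logs, it changes nothing.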
#########################################################################
(2) Redirect DNS queries to router:
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 action=redirect to-ports=53
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53
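Because step 1 sets allow-remote-requests=yes, the router answers DNS for anyone who can reach its port 53, and the redirect rules above also pull in port-53 traffic arriving from the WAN side. The rules below are an added example, not part of the gist: they drop DNS arriving on the WAN so only LAN clients use the resolver. They assume an interface list named "WAN" exists (as in the RouterOS default configuration) and must sit above any broad accept rule in the input chain.

```routeros
# Added hardening rules (not from the gist). Assumes /interface list contains "WAN".
# Drop DNS queries from the internet: the resolver should serve the LAN only.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 \
    action=drop comment="drop WAN DNS - no open resolver"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 \
    action=drop comment="drop WAN DNS - no open resolver"

# Optional (assumption): limit the redirect from step (2) to the LAN list as well,
# so WAN-originated port-53 traffic is never redirected to the router in the first place.
/ip firewall nat set [find chain=dstnat dst-port=53 action=redirect] in-interface-list=LAN
```

Verify with /ip firewall filter print where chain=input, and confirm the drop rules' packet counters increase when a lookup is attempted from outside.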
#########################################################################
(3) Script for updating certificates
System > Scripts
Name: Update-Cert
Policy: ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
Source:
/tool fetch https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
:delay 10s
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
#########################################################################
(4) Scheduler to run "Update-Cert" every week (7 days)
Name: Update-Cert
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
Start Time: 00:00:00
Interval: 7d 00:00:00
On Event: /system script run Update-Cert
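Sections (3) and (4) describe the script and scheduler through the WinBox GUI. The block below is an added example, not the gist's own text, that creates the same job from the CLI with two changes I would make in practice: the fetch is wrapped in :do/on-error so a failed download is logged instead of silently importing a stale file, and the policy list is trimmed from the gist's full set to read,write,ftp,test, which is my assumption of what fetch and import need; if the log shows a policy error, add only the policy it names (sensitive is the likely one for certificate import).

```routeros
# Added CLI equivalent of sections (3) and (4), not from the gist.
# Script name, scheduler name and the trimmed policy list are assumptions.
/system script add name=Update-Cert policy=read,write,ftp,test source={
    # Download the DigiCert root; abort the run if the fetch fails.
    :do {
        /tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem" \
            dst-path=DigiCertGlobalRootCA.crt.pem
    } on-error={
        :log error "Update-Cert: fetch of DigiCertGlobalRootCA.crt.pem failed"
        :error "Update-Cert: fetch failed"
    }
    # Give the file system a moment before importing, as the gist does.
    :delay 10s
    :do {
        /certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
        :log info "Update-Cert: DigiCert root import finished"
    } on-error={
        :log error "Update-Cert: certificate import failed"
    }
}

# Weekly scheduler, same timing as section (4).
/system scheduler add name=Update-Cert start-time=00:00:00 interval=7d \
    policy=read,write,ftp,test on-event="/system script run Update-Cert"
```

Run /system script run Update-Cert once by hand and check /log print for the info or error line before relying on the scheduler; /certificate print shows whether the imported root carries the T (trusted) flag.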
#########################################################################