On WebFig go to IP -> DNS.
Fill in Servers with your selected TCP/UDP servers and Use DoH Server with your selected DoH server.
Or use the terminal to achieve the same config.
The following NAT rules will redirect all UDP / TCP requests with port 53 to the router as destination
You can do this via IP -> Firewall -> Nat on WebFig, or via terminal (SSH/web) with:
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
Using terminal since it's faster, but you can create the same via WebFig.
/ip firewall filter
add action=drop chain=forward comment="drop DoH" dst-address-list="DoH Servers"
Use
/ip firewall address-list add address=IP/HOST list="DoH Servers"
E.g.:
/ip firewall address-list add address=dns.google list="DoH Servers"
See the commands for adding a full list at mirotik_doh_list_commands.txt based on data from https://github.com/dibdot/DoH-IP-blocklists (see bellow for acknowlegements and license details).
All scripts sit under the ./scripts/ folder.
Gets current master of iplist.txt from https://github.com/dibdot/DoH-IP-blocklists.
Processes current iplist into mikrotik commands to add addresses to the list.
Generates a mikrotik_all_commands.txt with the commands explained before.
usage: ./generate_for_router.sh router_internal_ip
- Tested on WSL2 running Debian and Debian 11.
- Commands tested for RouterOS v7.6 running on Mikrotik hAP ac2.
- Please review all commands and use at your own risk.
- See BSD 3 CLAUSE LICENSE for details.
You can find nice public servers at Public DNS at European Alternatives.
- Mikrotik for making awesome network hardware.
- https://european-alternatives.eu for collecting nice alternatives under one site.
- https://github.com/dibdot/DoH-IP-blocklists for making the output of their program available.