MikroTik Tutorial: How to enable DNS over HTTPS (DoH)

The latest stable version of RouterOS, 6.47, adds support for DNS over HTTPS (DoH). DoH is a protocol for performing remote DNS resolution over HTTPS. It is similar to DoT (DNS over TLS) but not the same protocol.

In this MikroTik Tutorial I will show you how to configure DNS over HTTPS on your MikroTik router using either Cloudflare DNS servers or Google DNS servers.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver.

Wikipedia DoH page

UPDATE: RouterOS v6.47 was released to the stable channel on June 2nd 2020 with DNS over HTTPS support. I used a RB4011 router running RouterOS v6.47beta60 during testing. You will see 6.47beta60 referenced in the screenshot below but I recommend using the stable channel.

Steps to Configure DNS over HTTPS on a MikroTik Router

Time needed: 2 minutes.

  1. Upgrade to RouterOS v6.47 available in the stable channel.

    System | Packages | Check for Updates

  2. Download and Import root certificates

    /tool fetch url=https://curl.haxx.se/ca/cacert.pem
    /certificate import file-name=cacert.pem passphrase=""
    Root CA certificates

  3. Remove DNS Servers

    In winbox open IP | DNS, remove existing Servers

  4. Add a static DNS entry for the DoH hostname.

    IP | DNS | Static | +
    Add two static DNS entries for cloudflare-dns.com with the addresses 104.16.248.249 and 104.16.249.249.
    If you plan on using Google, add dns.google pointing to 8.8.8.8 and 8.8.4.4.

  5. Add the provider's URL to "Use DoH Server" and check the box "Verify DoH Certificate".

    For Cloudflare I added https://cloudflare-dns.com/dns-query
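The five steps above as one RouterOS v6.47+ CLI script, added here as an example and not part of the original post. It uses the Cloudflare addresses from step 4; the only thing it assumes beyond the steps is that you want LAN clients (not just the router) to use the resolver, which requires allow-remote-requests=yes and therefore a firewall on port 53 of the WAN side.

```routeros
# Added example (not from the original tutorial): DoH setup on RouterOS v6.47+
# via the CLI, equivalent to the Winbox steps described above.

# Step 1 is the package upgrade: /system package update check-for-updates

# Step 2: fetch and import a root CA bundle so "Verify DoH Certificate" can
# validate the resolver's TLS certificate (otherwise: "unable to get local
# issuer certificate")
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""

# Step 3: remove plain upstream resolvers so nothing falls back to port 53
/ip dns set servers=""

# Step 4: pin the DoH hostname with static entries. With no plain resolver
# left, the router cannot otherwise resolve cloudflare-dns.com, which is the
# cause of "DoH server connection error: resolving error".
/ip dns static add name=cloudflare-dns.com address=104.16.248.249
/ip dns static add name=cloudflare-dns.com address=104.16.249.249

# Step 5: point the resolver at the DoH URL (an https:// URL, not a bare IP)
# and require certificate validation
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

# Assumption: LAN clients should use the router as resolver. This also exposes
# port 53 on every interface, so the WAN side must be filtered in the input
# chain (see the firewall discussion in the comments).
/ip dns set allow-remote-requests=yes

# Quick check: no "DoH server connection error" lines should appear
/log print where message~"DoH"
```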

Verify that DoH is enabled and working

Cloudflare has provided a simple web status page at https://1.1.1.1/help to verify that you have configured DNS over HTTPS properly.

Configure Cloudflare DNS over HTTPS resolver

The resolver URL for Cloudflare is https://cloudflare-dns.com/dns-query as shown in the screenshot above.

Configure Google’s DNS over HTTPS resolver

The resolver URL for Google is https://dns.google/dns-query as shown in the screenshot below.

Error Messages & Troubleshooting

dns, error DoH server connection error: SSL: handshake failed: unable to get local issuer certificate (6)

This error is a result of not having root certificates installed to validate the HTTPS certificate of the DNS server URL.

dns, error DoH server connection error: resolving error

This error is a result of entering only an IP address in the "Use DoH Server" field. It should be entered as an https:// URL.

Enable DNS debug logging

Another way to see what is going on with DNS queries on your MikroTik router is to enable DNS logging.

Verify DoH is working with Torch

To verify that DoH is configured and working, run Torch on your WAN interface and confirm you see no UDP or TCP connections to DNS port 53. In my configuration with Cloudflare I can see multiple HTTPS connections to 1.1.1.1.
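Two CLI checks that cover the logging and the Torch sections above, added here as an example and not part of the original post. They assume the default "WAN" interface list exists; the log prefix and rule comment are constructed names.

```routeros
# Added example (not from the original tutorial): confirm that plaintext DNS
# has really stopped leaving the router after switching to DoH.

# a) Send the dns topic to the in-memory log (the "DNS debug logging" step)
/system logging add topics=dns action=memory

# b) Count and log any DNS packet the router itself still sends to port 53 on
#    the WAN side. action=passthrough only counts and logs, it does not block,
#    so the rules are safe to leave in place while testing. A rising counter
#    means queries are still going out in the clear instead of over DoH.
/ip firewall filter add chain=output out-interface-list=WAN protocol=udp dst-port=53 \
    action=passthrough log=yes log-prefix="plain-dns" comment="detect plaintext DNS"
/ip firewall filter add chain=output out-interface-list=WAN protocol=tcp dst-port=53 \
    action=passthrough log=yes log-prefix="plain-dns" comment="detect plaintext DNS"

# c) Generate some lookups from the router, then inspect counters and log hits
/resolve cloudflare.com
/ip firewall filter print stats where comment="detect plaintext DNS"
/log print where topics~"dns" or message~"plain-dns"
```

With DoH working, the packet counters stay at 0 and the log shows DoH activity only; any "plain-dns" entry identifies a query that bypassed DoH.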

Now you have DNS over HTTPS configured on your MikroTik Router. I hope you have enjoyed this howto article, you can find many more MikroTik Tutorials here.

Did this work for you? Let me know in the comments section below.


26 Replies to “MikroTik Tutorial: How to enable DNS over HTTPS (DoH)”

      1. It does not work, NextDNS always errors connecting, it says "DoH server connection error: resolving error", so I decided to set it up as DNS over TLS instead, and it works like a charm via VPS.

          1. Yeah, it works, but how about the configuration inside the NextDNS link over HTTPS? I tested it and the MikroTik log always says "DoH server connection error, resolving error." about 1 minute after applying the DNS. Just test it with your config inside NextDNS and see what is wrong with that.

          2. You were able to get it to work with the FQDN? I had to use the resolved IP + my configuration url to get it to work with NextDNS.

    1. I found a solution to this: If you leave at least one regular DNS Server IP in the DNS configuration, rOS will use it to perform a regular lookup on the configured DoH FQDN, then switches everything after that to DoH. This also seems to fix the “DoH server connection error: resolving error” message in the logs.

      1. Thank you, this is also a viable option! In my testing, if DoH resolution fails it does not fall back to traditional DNS queries (which is a good thing). It appears to only use the specified (traditional) name server to resolve the hostname in the DoH URL.

  1. Thank you for the great tutorial!
    I think that not all root certificates are needed. If you go to "https://1.1.1.1/", the certificate is issued for "cloudflare-dns.com"
    – That is issued by "DigiCert ECC Secure Server CA"
    – And that is issued by "DigiCert"
    – Would it be possible to share a tutorial to import just the required certificate?

      1. Thank you for the great starting point. I have done it this way:
        1. First get the certs from the source:
        openssl s_client -connect 1.1.1.1:443 -showcerts
        2. Copy the BEGIN CERTIFICATE section, save it to a TXT file, rename it to CRT and double click it.
        3. Do not import it on Windows. Go to the Certification Path tab.
        Select the topmost (root) certificate and click View Certificate – Details tab – select Serial number. Copy and paste the serial number to Notepad. Add colons to the SN.
        4. Find the SN on https://www.digicert.com/digicert-root-certificates.htm and copy the link from "Download PEM".
        5. On the router use this link for /tool fetch url= and import it.
        6. Repeat from 3 and download the second (intermediate) certificate.

    1. I do not see a way that you can add a second provider but it may be possible to monitor and swap out providers with MikroTik Scripting.

      I have not tested DoH over IPv6 but I would also love to know the answer.

  2. Google DoH does not work via IP address, it rejects it.
    Use the FQDN in conjunction with a DNS record instead.

  3. Hello, thank you for this tutorial. Everything is working nicely, but after rebooting the router, the DNS DoH setting is lost... my hardware is a hAP ac2.

  4. I would also add that "Allow Remote Requests" should be disabled for security reasons.
    – But in this case it must be enabled, otherwise only the router itself will be able to use DoH.
    – A solution might be to firewall port 53 (DNS) on the input chain from the WAN port.
    – Let me know if you know a better solution.
    # in-interface-list=WAN limits the drop to the WAN side so LAN clients can still query the router
    /ip firewall filter add action=drop chain=input dst-port=53 protocol=udp in-interface-list=WAN
    /ip firewall filter add action=drop chain=input dst-port=53 protocol=tcp in-interface-list=WAN

    1. Better is to allow on the input chain only what you need and reject (or drop) everything else:
      /ip firewall filter
      add action=accept chain=input comment="Accept established, related" connection-state=established,related
      add action=accept chain=input comment="Accept all from LAN" in-interface-list=LAN
      add action=accept chain=input comment="Accept ICMP" protocol=icmp
      add action=reject chain=input comment="Reject everything else" reject-with=icmp-admin-prohibited

  5. Simple DoH setup:
    /tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
    /certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
    /ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

  6. Regarding the DigiCert Global Root CA, you can also just export it from the 1.1.1.1 website. Any website will have the certification path and all the certs in it anyway.
