Add alternative Cloudflare DoH script

doh-scripts/README.md

@@ -3,10 +3,15 @@ The following DoH services can be automated for now...
 - [Cloudflare](https://github.com/pothi/mikrotik-scripts/blob/main/doh-scripts/cloudflare.rsc)
 - [Google](https://github.com/pothi/mikrotik-scripts/blob/main/doh-scripts/google.rsc)
 - [NextDNS](https://github.com/pothi/mikrotik-scripts/blob/main/doh-scripts/nextdns.rsc)
+
+Incompatible / buggy implementation...
+
 - [Quad9](https://github.com/pothi/mikrotik-scripts/blob/main/doh-scripts/quad9.rsc)
 
 Or you may use the [generic script](https://github.com/pothi/mikrotik-scripts/blob/main/doh-scripts/generic.rsc).
 
+Officially incompatible DoH servers... https://help.mikrotik.com/docs/spaces/ROS/pages/37748767/DNS#DNS-Knowncompatible/incompatibleDoHservices
+
 Relevant thread in MikroTik forums... https://forum.mikrotik.com/viewtopic.php?f=2&t=160243#p799274
 
 Remember that DoH depends on the correct time on your MikroTik device. So, make sure that the NTP client is configured and is working. The MikroTik's Cloud NTP client service requires a working DNS that in turn requires a working NTP client. So, please don't depend on MikroTik's Cloud NTP sync service.

doh-scripts/cloudflare-one.one.one.one.rsc

@@ -0,0 +1,36 @@
+# Verify the connection at https://1.1.1.1/help
+
+# disable doh (temporarily)
+
+/ip dns set verify-doh-cert=no
+
+# update the caCertURL depending on what's used at https://1.1.1.1/dns-query
+
+:local caCertURL https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
+
+:local result [ /tool fetch url=$caCertURL dst-path=cert.pem as-value ];
+:do { :delay 2s } while=( $result->"status" != "finished" )
+
+/certificate remove [find name~"cert.pem"]
+/certificate import file-name=cert.pem passphrase=""
+# no longer needed for RouterOS v7
+# /file remove cert.pem
+
+# Add static DNS entries for the DoH server
+/ip dns static remove [find name=one.one.one.one]
+# use the following two entries only if IPv6 is available on your internet
+# /ip dns static add address=2606:4700:4700::1111 name=one.one.one.one
+# /ip dns static add address=2606:4700:4700::1001 name=one.one.one.one
+/ip dns static add address=1.1.1.1 name=one.one.one.one
+/ip dns static add address=1.0.0.1 name=one.one.one.one
+
+/ip dns set use-doh-server=https://one.one.one.one/dns-query verify-doh-cert=yes
+
+# optional steps
+# use the following only if IPv6 is available on your internet
+# /ip dns set servers="2606:4700:4700::1111,2606:4700:4700::1001,1.1.1.1,1.0.0.1"
+/ip dns set servers="1.1.1.1,1.0.0.1"
+/ip dhcp-client set use-peer-dns=no [find]
+
+# flush existing cache
+/ip dns cache flush

scripts/init.rsc

@@ -33,7 +33,7 @@
 
 /system script
 
-:local commonScripts {"backup-buttons"; "backup-cron"; "backup-scripts"; "cloud-backup"; "firmware-check"}
+:local commonScripts {"cloud-backup"; "firmware-check"}
 :local initScripts ("wifi-enable", $commonScripts)
 
 :foreach scriptName in $initScripts do={
@@ -41,4 +41,16 @@
   :delay 30s
 }
 
+:local currentHour [:tonum [:pick [/system clock get time] 0 2]]
+
+:if ($currentHour < 12) do={
+    :local backupScripts {"backup-cron"; "backup-scripts"}
+    :foreach scriptName in $backupScripts do={
+      :do { run $scriptName } on-error={:log error "Error running $scriptName"}
+      :delay 30s
+    }
+} else={
+    :log info "Automated backups aren't taken after 12 noon."
+}
+
 :log info "Init script ended."