diff --git a/doh-scripts/README.md b/doh-scripts/README.md index 502a596..6e78dce 100644 --- a/doh-scripts/README.md +++ b/doh-scripts/README.md @@ -1,8 +1,25 @@ +TODO: + +- DoH script for nextdns +- DoH script for quad9 + +# important thread... https://forum.mikrotik.com/viewtopic.php?f=2&t=160243#p799274 + +Remember that DoH depends on correct time. So, make sure NTP client is configured. The MikroTik Cloud NTP client service required DNS that in turn requires a working NTP client. So, don't depend on MikroTik Cloud NTP client service. + +NextDNS recommends https://curl.se/ca/cacert.pem too. + Root CA certificates that we can use... +- https://www.digicert.com/kb/digicert-root-certificates.htm (Download DigiCert Global Root CA) + - https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem + - works **only** for 1.1.1.1 DoH + +# the following don't work for unknown reason... + - https://pki.goog/repository/ -- https://www.digicert.com/kb/digicert-root-certificates.htm - https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates +- https://www.amazontrust.com/repository/ Or download most (if not all) root CA certificates from https://curl.se/ca/cacert.pem diff --git a/doh-scripts/cloudflare.rsc b/doh-scripts/cloudflare.rsc index 4e00783..a6d85d8 100644 --- a/doh-scripts/cloudflare.rsc +++ b/doh-scripts/cloudflare.rsc 
@@ -1,11 +1,19 @@
 # Verify the connection at https://1.1.1.1/help
-/tool fetch url=https://curl.se/ca/cacert.pem
-/certificate remove [find name~"cacert.pem"]
-/certificate import file-name=cacert.pem passphrase=""
+# disable doh (temporarily)
+
+/ip dns set verify-doh-cert=no
+
+/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
+/certificate remove [find]
+/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
+/file remove DigiCertGlobalRootCA.crt.pem
 /ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
 # optional steps
 /ip dns set servers=""
 /ip dhcp-client set use-peer-dns=no [find]
+
+# flush existing cache
+/ip dns cache flush
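Review bot: `/certificate remove [find]` on the new side deletes every certificate stored on the router, not just the previously imported CA bundle, so any other installed certificate (a www-ssl/api-ssl server certificate, VPN or hotspot certificates) goes with it; the removed line scoped the deletion with `name~"cacert.pem"` and the replacement should be scoped the same way, e.g. `/certificate remove [find name~"DigiCertGlobalRootCA"]`. The trust bootstrap is also unverified: with `verify-doh-cert=no` in effect and `/tool fetch` not given `check-certificate=yes` (RouterOS defaults it to no, unless changed on this router), the root CA that all later DoH verification relies on is downloaded over a connection whose name resolution and TLS are both unchecked, so anyone able to tamper with that exchange could substitute a different root. The script should say so in a comment and tell the operator to compare the fingerprint shown by `/certificate print detail` with the one DigiCert publishes before the `verify-doh-cert=yes` line is run. The comment `# disable doh (temporarily)` is misleading as well, since the line below keeps DoH enabled and only turns off certificate verification; `# temporarily disable DoH certificate verification so the CA download can still resolve` describes what it does.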