Update DoH scripts

2025-06-26 07:58:37 +02:00 · 2023-06-29 08:31:49 +05:30 · 2023-06-29 08:31:49 +05:30 · 7ab9c9d776
commit 7ab9c9d776
parent 75bec31c42
2 changed files with 29 additions and 4 deletions
--- a/doh-scripts/README.md
+++ b/doh-scripts/README.md
@ -1,8 +1,25 @@
+TODO:
+
+- DoH script for nextdns
+- DoH script for quad9
+
+# important thread... https://forum.mikrotik.com/viewtopic.php?f=2&t=160243#p799274
+
+Remember that DoH depends on correct time. So, make sure NTP client is configured. The MikroTik Cloud NTP client service required DNS that in turn requires a working NTP client. So, don't depend on MikroTik Cloud NTP client service.
+
+NextDNS recommends https://curl.se/ca/cacert.pem too.
+
 Root CA certificates that we can use...

+- https://www.digicert.com/kb/digicert-root-certificates.htm (Download DigiCert Global Root CA)
+    - https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
+    - works **only** for 1.1.1.1 DoH
+
+# the following don't work for unknown reason...
+
 - https://pki.goog/repository/
- https://www.digicert.com/kb/digicert-root-certificates.htm
 - https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates
+- https://www.amazontrust.com/repository/

 Or download most (if not all) root CA certificates from https://curl.se/ca/cacert.pem

--- a/doh-scripts/cloudflare.rsc
+++ b/doh-scripts/cloudflare.rsc
@ -1,11 +1,19 @@
 # Verify the connection at https://1.1.1.1/help

-/tool fetch url=https://curl.se/ca/cacert.pem
-/certificate remove [find name~"cacert.pem"]
-/certificate import file-name=cacert.pem passphrase=""
+# disable doh (temporarily)
+
+/ip dns set verify-doh-cert=no
+
+/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
+/certificate remove [find]
+/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
+/file remove DigiCertGlobalRootCA.crt.pem

 /ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes 

 # optional steps
 /ip dns set servers=""
 /ip dhcp-client set use-peer-dns=no [find]
+
+# flush existing cache
+/ip dns cache flush