diff --git a/doh-scripts/cloudflare.rsc b/doh-scripts/cloudflare.rsc
index 8d1f479..15da8a2 100644
--- a/doh-scripts/cloudflare.rsc
+++ b/doh-scripts/cloudflare.rsc
@@ -4,15 +4,22 @@
 /ip dns set verify-doh-cert=no
-/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
-/certificate remove [find name~"DigiCertGlobalRootCA.crt.pem"]
-/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
-/file remove DigiCertGlobalRootCA.crt.pem
+# update the caCertURL depending on what's used at https://1.1.1.1/dns-query
-/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
+:local caCertURL
+:set caCertURL https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
+
+:local result [ /tool fetch url=$caCertURL dst-path=root-ca-cert.pem as-value ];
+:do { :delay 2s } while=( $result->"status" != "finished" )
+
+/certificate remove [find name~"root-ca-cert.pem"]
+/certificate import file-name=root-ca-cert.pem passphrase=""
+/file remove root-ca-cert.pem
+
+/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
 # optional steps
-/ip dns set servers=""
+/ip dns set servers="1.1.1.1,1.0.0.1"
 /ip dhcp-client set use-peer-dns=no [find]
 # flush existing cache
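Review bot: The root certificate that will anchor `verify-doh-cert=yes` is downloaded and imported with nothing in the hunk authenticating it. As far as I know `/tool fetch` does not validate the server certificate unless `check-certificate=yes` is passed, so a tampered download would be imported as a trusted CA and DoH verification would then pass against it. Before the final `/ip dns set ... verify-doh-cert=yes`, compare the imported certificate's fingerprint with the value DigiCert publishes, and record that expectation next to the URL, e.g. `# expected SHA-256 fingerprint: <FINGERPRINT_PUBLISHED_BY_DIGICERT>`. Separately, `$result` is assigned once, so the `:do { :delay 2s } while=(...)` condition cannot change between iterations and the loop is either a no-op or never ends. A single check such as `:if ($result->"status" != "finished") do={ :error "CA download failed" }` would fail closed instead.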