diff --git a/doh-scripts/README.md b/doh-scripts/README.md
index 9e01d4a..78a9d16 100644
--- a/doh-scripts/README.md
+++ b/doh-scripts/README.md
@@ -8,6 +8,8 @@ Incompatible / buggy implementation...
 
 - [Quad9](https://github.com/pothi/mikrotik-scripts/blob/main/doh-scripts/quad9.rsc)
 
+Since Router OS v7.19... built-in CA certificates can be used with `/certificate/settings/set builtin-trust-anchors=trusted`
+
 Or you may use the [generic script](https://github.com/pothi/mikrotik-scripts/blob/main/doh-scripts/generic.rsc).
 
 Officially incompatible DoH servers... https://help.mikrotik.com/docs/spaces/ROS/pages/37748767/DNS#DNS-Knowncompatible/incompatibleDoHservices
diff --git a/doh-scripts/cloudflare-dns.rsc b/doh-scripts/cloudflare-dns.rsc
new file mode 100644
index 0000000..cc641ac
--- /dev/null
+++ b/doh-scripts/cloudflare-dns.rsc
@@ -0,0 +1,41 @@
+# Verify the connection at https://1.1.1.1/help
+
+# cloudflare-dns.com is the default DNS server (at least as of May 2025), in place of (still working) 1.1.1.1 and one.one.one.one.
+
+# disable doh (temporarily)
+
+/ip dns set verify-doh-cert=no
+
+# update the caCertURL depending on what's used at https://1.1.1.1/dns-query
+
+:local caCertURL https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
+
+:local result [ /tool fetch url=$caCertURL dst-path=cert.pem as-value ];
+:do { :delay 2s } while=( $result->"status" != "finished" )
+
+/certificate remove [find name~"cert.pem"]
+/certificate import file-name=cert.pem passphrase=""
+# no longer needed for RouterOS v7
+# /file remove cert.pem
+
+# since RouterOS v7.19...
+# /certificate/settings/set builtin-trust-anchors=trusted
+
+# Add static DNS entries for the DoH server
+/ip dns static remove [find name=cloudflare-dns.com]
+# use the following two entries if IPv6 is available on your internet
+# /ip dns static add address=2606:4700::6810:f8f9 name=cloudflare-dns.com comment="DoH"
+# /ip dns static add address=2606:4700::6810:f9f9 name=cloudflare-dns.com comment="DoH"
+/ip dns static add address=104.16.248.249 name=cloudflare-dns.com comment="DoH"
+/ip dns static add address=104.16.249.249 name=cloudflare-dns.com comment="DoH"
+
+/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
+
+# optional steps
+# use the following if IPv6 is available on your internet
+# /ip dns set servers="2606:4700:4700::1111,2606:4700:4700::1001,1.1.1.1,1.0.0.1"
+/ip dns set servers="1.1.1.1,1.0.0.1"
+/ip dhcp-client set use-peer-dns=no [find]
+
+# flush existing cache
+/ip dns cache flush