mirror.MikroTik/pothi.mikrotik-scripts
1
0
Fork 0
mirror of https://github.com/pothi/mikrotik-scripts.git synced 2025-06-27 00:18:59 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add a new script to add Cloudflare DoH

Browse source
This commit is contained in:
Pothi Kalimuthu 2025-06-04 07:10:32 +05:30
parent 60e720b7a5
commit c6cd620be5
No known key found for this signature in database
GPG key ID: 57069303D36E3093
2 changed files with 43 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
doh-scripts/README.md
View file

@ -8,6 +8,8 @@ Incompatible / buggy implementation...
- [Quad9](https://github.com/pothi/mikrotik-scripts/blob/main/doh-scripts/quad9.rsc)
Since Router OS v7.19... built-in CA certificates can be used with `/certificate/settings/set builtin-trust-anchors=trusted`
Or you may use the [generic script](https://github.com/pothi/mikrotik-scripts/blob/main/doh-scripts/generic.rsc).
Officially incompatible DoH servers... https://help.mikrotik.com/docs/spaces/ROS/pages/37748767/DNS#DNS-Knowncompatible/incompatibleDoHservices

41
doh-scripts/cloudflare-dns.rsc Normal file
View file

@ -0,0 +1,41 @@
# Verify the connection at https://1.1.1.1/help
# cloudflare-dns.com is the default DNS server (at least as of May 2025), in place of (still working) 1.1.1.1 and one.one.one.one.
# disable doh (temporarily)
/ip dns set verify-doh-cert=no
# update the caCertURL depending on what's used at https://1.1.1.1/dns-query
:local caCertURL https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
:local result [ /tool fetch url=$caCertURL dst-path=cert.pem as-value ];
:do { :delay 2s } while=( $result->"status" != "finished" )
/certificate remove [find name~"cert.pem"]
/certificate import file-name=cert.pem passphrase=""
# no longer needed for RouterOS v7
# /file remove cert.pem
# since RouterOS v7.19...
# /certificate/settings/set builtin-trust-anchors=trusted
# Add static DNS entries for the DoH server
/ip dns static remove [find name=cloudflare-dns.com]
# use the following two entries if IPv6 is available on your internet
# /ip dns static add address=2606:4700::6810:f8f9 name=cloudflare-dns.com comment="DoH"
# /ip dns static add address=2606:4700::6810:f9f9 name=cloudflare-dns.com comment="DoH"
/ip dns static add address=104.16.248.249 name=cloudflare-dns.com comment="DoH"
/ip dns static add address=104.16.249.249 name=cloudflare-dns.com comment="DoH"
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
# optional steps
# use the following if IPv6 is available on your internet
# /ip dns set servers="2606:4700:4700::1111,2606:4700:4700::1001,1.1.1.1,1.0.0.1"
/ip dns set servers="1.1.1.1,1.0.0.1"
/ip dhcp-client set use-peer-dns=no [find]
# flush existing cache
/ip dns cache flush