Introduction

DoH stands for DNS over HTTPS, a protocol (RFC 8484) that carries Domain Name System (DNS) queries and responses inside ordinary HTTPS requests and responses. A device using DoH sends its DNS query in the body of an HTTPS POST (or encoded in a GET) to a DoH-capable resolver; the resolver looks up the name and returns the answer in the HTTPS response. Because the exchange runs over TLS, the query and the answer are encrypted in transit, and the client can authenticate the resolver by checking its certificate.

Benefits of DoH include:

  • Enhanced privacy: traditional DNS queries travel in clear text over port 53, so anyone on the path (the local network, the ISP) can read and log which names you look up. DoH encrypts the queries, so on-path observers see only an HTTPS connection to the resolver. Note that the DoH resolver itself still sees every query, and the destination IP addresses and TLS SNI of your subsequent connections remain visible on the network.
  • Bypassing DNS-based filtering and censorship: where access is blocked by returning false or empty DNS answers, DoH defeats that mechanism because the filtering device cannot read or rewrite the encrypted query. It does not help against blocking done by destination IP address or by TLS SNI inspection.
  • Improved security: because the resolver presents a certificate that the client verifies, an on-path attacker cannot inject or rewrite answers (the classic DNS hijacking or spoofing attack that sends users to a fake website). This only holds if certificate verification is actually enabled, and it does not protect against a resolver that is itself malicious.

Enabling DoH on a MikroTik router

Prerequisites

  • The router must be running RouterOS 6.47 or later; DoH support was introduced in that release.
  • The root CA certificate that signs the DoH server's certificate must be imported on the router. Without it, verify-doh-cert=yes cannot validate the resolver and DoH lookups fail; running with verification disabled would still encrypt traffic but would let an on-path attacker impersonate the resolver.
  • The router's clock must be correct (check with /system clock print), since certificate validity dates are checked during verification.

To check the current RouterOS version:

/system package print
Flags: X - disabled
 #   NAME               VERSION           SCHEDULED
 0   routeros-x86       6.49.8
 1   system             6.49.8
 

Download and import the CA certificate.

  1. Download the CA certificate (DigiCert Global Root CA, the root of the cloudflare-dns.com certificate chain at the time of writing):
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
  2. Alternatively, download the CA bundle extracted from Mozilla's trust store, which contains the roots used by all common public resolvers:
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
  3. Import the certificate (passphrase="" avoids the interactive prompt; use file-name=cacert.pem if you fetched the bundle):
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
  4. Check that the certificate is listed:
/certificate print

Add static DNS entries:

The router has to resolve the DoH server's hostname before it can send any query over DoH. Without a static entry it would either fall back to a plain-text lookup through whatever DNS servers are configured (leaking and exposing the bootstrap query) or fail if none are. Pinning the hostname to the resolver's known addresses breaks that loop. The name must match the hostname in the DoH URL you configure below.

Cloudflare DNS

/ip dns static add name=cloudflare-dns.com address=1.1.1.1
/ip dns static add name=cloudflare-dns.com address=104.16.248.249
/ip dns static add name=cloudflare-dns.com address=104.16.249.249

If you want to use Google's resolver instead:

/ip dns static add name=dns.google.com address=8.8.8.8
/ip dns static add name=dns.google.com address=8.8.4.4

Enable the DoH server.

/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns cache flush

Keep verify-doh-cert=yes: setting it to no still encrypts the traffic but accepts any certificate, so an on-path attacker could impersonate the resolver. To confirm the setup works, run /ip dns print to see the active settings and :put [:resolve example.com] to make a lookup. If the lookup fails, check the log for certificate errors, confirm the router's clock is correct, and make sure the static entry name matches the hostname in the URL. To confirm queries no longer leave in clear text, watch /tool torch on the WAN interface filtered to UDP port 53 while clients browse.
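The whole procedure above as one RouterOS script, added here as an example (it is not from the original article). It assumes a RouterOS 6.47+ device with a working default route, the Cloudflare upstream and the DigiCert root from the steps above, and that the router's clock is already correct.

```routeros
# Added example: enable DNS over HTTPS to Cloudflare on RouterOS 6.47+ in one pass.
# Assumptions: RouterOS 6.47 or later, outbound HTTPS works, clock is correct.

# 1. Fetch the root CA that signs cloudflare-dns.com and import it.
#    passphrase="" stops the import from prompting interactively.
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

# 2. Bootstrap entries: the router must resolve the DoH hostname before it
#    can use DoH, so pin it statically instead of leaking a plain-text lookup.
/ip dns static add name=cloudflare-dns.com address=1.1.1.1 comment="DoH bootstrap"
/ip dns static add name=cloudflare-dns.com address=104.16.248.249 comment="DoH bootstrap"
/ip dns static add name=cloudflare-dns.com address=104.16.249.249 comment="DoH bootstrap"

# 3. Point the resolver at the DoH endpoint and insist on certificate
#    verification; verify-doh-cert=no would leave TLS open to impersonation.
#    allow-remote-requests=yes is needed if LAN clients use the router as
#    their resolver (assumed here).
/ip dns set use-doh-server="https://cloudflare-dns.com/dns-query" verify-doh-cert=yes allow-remote-requests=yes
/ip dns cache flush

# 4. Checks: the CA is present, the settings took, and lookups succeed.
/certificate print where name~"DigiCert"
/ip dns print
:put [:resolve cloudflare-dns.com]
:put [:resolve example.com]
```

Paste it into a terminal session or save it under /system script and run it. If the final :resolve fails while the one for cloudflare-dns.com succeeds, the static bootstrap is fine and the problem is TLS: look at /log print for certificate errors, and re-check the clock and the imported CA.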

Conclusion

Overall, DoH is an important advancement in internet security and privacy: it adds encryption and resolver authentication to one of the fundamental components of internet communication, and it defeats filtering and censorship that rely on reading or rewriting DNS.

However, that same property removes whatever DNS-based blocking your ISP or region applied, so inappropriate websites become reachable from any device your family members use. It is therefore advisable to choose a DoH server that offers family-oriented blocking. Otherwise, consider running your own fully controlled resolver such as Pi-hole or AdGuard Home, which runs on a low-spec Arm-based box, and point the router's upstream at it.
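As an added example of the family-filtering option (not part of the original article), the following RouterOS script switches the upstream to Cloudflare's filtering DoH endpoint and, so that devices cannot simply sidestep the router with their own plain DNS, redirects any port-53 traffic from the LAN back to the router's resolver. It assumes the CA covering family.cloudflare-dns.com has been imported (the Mozilla bundle from the steps above covers it) and that the LAN ports are in an interface list named LAN; both are assumptions, not facts from the article.

```routeros
# Added example: move the router's upstream to Cloudflare's family filter
# (1.1.1.3 / 1.0.0.3 block malware and adult content) and force LAN clients
# through the router. Assumes interface list "LAN" exists and the root CA
# for family.cloudflare-dns.com is already imported.

# Bootstrap entries for the filtering hostname, same reasoning as before:
# the DoH hostname must resolve without a plain-text lookup.
/ip dns static add name=family.cloudflare-dns.com address=1.1.1.3 comment="DoH bootstrap (family)"
/ip dns static add name=family.cloudflare-dns.com address=1.0.0.3 comment="DoH bootstrap (family)"

# Replace the upstream; certificate verification stays on.
/ip dns set use-doh-server="https://family.cloudflare-dns.com/dns-query" verify-doh-cert=yes allow-remote-requests=yes
/ip dns cache flush

# Any plain DNS a LAN device sends to an outside server (for example a
# hard-coded 8.8.8.8) is redirected to the router itself, so the filter
# applies regardless of the device's own DNS setting.
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="Force LAN DNS through router"
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="Force LAN DNS through router"

# Verify: a lookup works, and a name the filter blocks returns no usable answer.
:put [:resolve example.com]
```

The redirect only catches plain port-53 DNS. A device or browser configured with its own DoH or DoT resolver talks HTTPS to that resolver directly and bypasses the router's filter, which is exactly the bypass property described in the benefits section; blocking that requires filtering those resolvers by address, which is outside the scope of this article.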