
How to Set Up DNS over HTTPS on MikroTik RouterOS v7

Securing your network’s DNS traffic is an essential step in modern infrastructure hardening, which prevents ISPs and attackers from spying on your browsing activity. By using a Mikrotik DNS over HTTPS setup on RouterOS v7, your router becomes a privacy-friendly DNS resolver that sends DNS requests through an encrypted HTTPS connection.

In this guide from PerLod Hosting, you will learn to configure, verify, and enforce DoH across your entire network without requiring external packages.

Prerequisites for Implementing MikroTik DNS over HTTPS Setup

Before you start implementing the MikroTik DNS over HTTPS setup, make sure the following requirements are in place:

  • RouterOS v7.x installed on any hardware or a MikroTik VPS.
  • Active internet connectivity on the WAN interface.
  • Admin access via Winbox Terminal or SSH.
  • A DoH provider such as Cloudflare or Google (recommended).

How Does DoH Work on RouterOS?

Regular DNS queries are sent in plaintext over port 53, which means anyone on the network path can see them. DoH wraps each DNS request inside an encrypted HTTPS connection on port 443.

On RouterOS v7, the flow works like this:

  • A LAN client sends a DNS request to the router on port 53.
  • RouterOS forwards it to the DoH provider over an encrypted HTTPS tunnel.
  • The response comes back encrypted, is verified, and cached.
  • RouterOS returns the resolved answer to the client.
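To make the four steps above concrete, here is an added example (not code from the original page or from MikroTik) that builds the exact DNS wire-format query a resolver sends, wraps it in the HTTP/1.1 GET that RFC 8484 specifies for a DoH endpoint such as https://cloudflare-dns.com/dns-query, and parses a constructed application/dns-message reply to extract the answer and its cache TTL. The reply bytes and the 192.0.2.1 address are constructed sample data; the query itself matches the worked example in RFC 8484.

```python
import base64
import struct
from urllib.parse import urlsplit

def build_query(name, qtype=1):
    # Wire-format DNS query (RFC 1035); ID 0 and RD=1, as RFC 8484 suggests for cacheable DoH GETs
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_request(doh_url, query):
    # The HTTP/1.1 GET a DoH client sends: base64url-encoded query without '=' padding (RFC 8484 s4.1)
    u = urlsplit(doh_url)
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return (f"GET {u.path or '/'}?dns={dns} HTTP/1.1\r\n"
            f"Host: {u.hostname}\r\nAccept: application/dns-message\r\n\r\n")

def parse_a_answers(msg):
    # Minimal parser for the application/dns-message reply: returns (ttl, ipv4) for each A record
    def skip_name(pos):
        while True:
            length = msg[pos]
            if length == 0:
                return pos + 1
            if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
                return pos + 2
            pos += 1 + length
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:                     # non-zero RCODE: the resolver reported an error
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4           # skip QTYPE + QCLASS of each question
    answers = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append((ttl, ".".join(str(b) for b in msg[pos:pos + 4])))
        pos += rdlen
    return answers
# Constructed sample reply for example.com: one A record, TTL 3600, pointing at 192.0.2.1 (TEST-NET)
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                + build_query("example.com")[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
if __name__ == "__main__":
    print(doh_get_request("https://cloudflare-dns.com/dns-query", build_query("example.com")))
    print(parse_a_answers(SAMPLE_REPLY))
```

The request line is what travels inside the TLS session on port 443; the TTL in the parsed answer is what RouterOS uses to decide how long the entry stays in its cache.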

Now, to implement the MikroTik DNS over HTTPS setup, follow the steps below.

Step 1. Set a Fallback DNS Server on RouterOS

RouterOS needs a normal (non-DoH) DNS server set first, so it can resolve the DoH server’s domain name. If you skip this step, the router can’t reach the DoH URL, and DNS will stop working. To do this, you can run:

/ip dns set servers=1.1.1.1

Note: Once DoH is running, all your regular DNS requests use the encrypted DoH connection. The standard DNS server you set is only used to find the DoH server itself.

Step 2. Import the Root CA Certificate on RouterOS

RouterOS v7 doesn’t come with root certificates installed. You must manually download and import the specific certificate your DoH provider uses. MikroTik recommends getting these certificates directly from the provider’s official website, not from unknown sources.

Cloudflare DoH

Cloudflare uses a DigiCert certificate for its DoH service (https://cloudflare-dns.com/dns-query). You can download it with:

/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

Google DoH

Google uses its own certificate for its DoH service (https://dns.google/dns-query). Download it directly from Google:

/tool fetch url="https://pki.goog/roots.pem"
/certificate import file-name=roots.pem passphrase=""

Verification

Once you are done, you must verify the import is successful with the command below:

/certificate print

You should see the certificate listed in the output. If it’s missing, RouterOS will fail to verify the DoH connection, and DNS queries will not resolve.

Step 3. Configure the DoH Server on RouterOS

Now that the certificate is imported, you can configure RouterOS to use your DoH provider as the DNS resolver. To do this, you can run:

/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

  • use-doh-server: the HTTPS URL of the DoH endpoint; it defines which DoH provider is used.
  • verify-doh-cert=yes: validates the provider’s TLS certificate against the CA certificate you imported.

RouterOS v7 only supports one active DoH server. Once enabled, all DNS queries are forced through this server, ignoring any other DNS settings.

If you are using Google DoH, enter https://dns.google/dns-query instead of the Cloudflare URL.

Step 4. Enable Router as a LAN DNS Resolver

At this point, you need to make the router handle DNS requests from your LAN clients. In RouterOS v7, this is done by enabling allow-remote-requests, which allows the router to accept DNS queries from other devices on your network and answer them using your configured resolver.

/ip dns set allow-remote-requests=yes

Without this setting, RouterOS answers DNS requests only from itself and ignores queries from your devices; with it, every device on your network can send its DNS queries to the router.

Note: This setting opens port 53 for UDP and TCP requests from other devices. Be careful not to expose port 53 to the outside world; keep it limited to your local network using firewall rules.

To confirm your full DNS configuration, you can run:

/ip dns print

Example output:

                   servers: 1.1.1.1
           dynamic-servers:
            use-doh-server: https://cloudflare-dns.com/dns-query
           verify-doh-cert: yes
doh-max-server-connections: 5
doh-max-concurrent-queries: 50
               doh-timeout: 5s
     allow-remote-requests: yes
                cache-size: 2048KiB
             cache-max-ttl: 1d
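Since the `/ip dns print` output above is what you would check after every change, here is an added example (not part of the original page) that parses that key/value format and flags the settings that would silently undo the setup: a missing https:// DoH URL, certificate verification turned off, no fallback server for resolving the DoH hostname, or remote requests disabled. The sample text is a constructed copy of the output shown above.

```python
import re

# Constructed sample of `/ip dns print` output, matching the example above
SAMPLE_DNS_PRINT = """\
                   servers: 1.1.1.1
           dynamic-servers:
            use-doh-server: https://cloudflare-dns.com/dns-query
           verify-doh-cert: yes
doh-max-server-connections: 5
doh-max-concurrent-queries: 50
               doh-timeout: 5s
     allow-remote-requests: yes
                cache-size: 2048KiB
             cache-max-ttl: 1d
"""

def parse_dns_print(text):
    # Each line is "<key>: <value>"; an empty value (dynamic-servers) becomes ""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_doh(settings):
    # Returns a list of findings; an empty list means the configuration matches the guide
    findings = []
    if not settings.get("use-doh-server", "").startswith("https://"):
        findings.append("use-doh-server is empty or not an https:// URL: queries leave in plaintext")
    if settings.get("verify-doh-cert") != "yes":
        findings.append("verify-doh-cert is not 'yes': the DoH TLS certificate is not validated")
    if not settings.get("servers"):
        findings.append("no fallback in 'servers': the router cannot resolve the DoH hostname")
    if settings.get("allow-remote-requests") != "yes":
        findings.append("allow-remote-requests is not 'yes': LAN clients will not be answered")
    return findings

if __name__ == "__main__":
    print(audit_doh(parse_dns_print(SAMPLE_DNS_PRINT)) or ["OK: DoH configuration matches the guide"])
```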

Step 5. Point DHCP Clients to the Router

Your DHCP server must advertise the router’s LAN IP as the DNS server so clients automatically use it. To do this, you can use:

/ip dhcp-server network set [find] dns-server=192.168.88.1

Replace 192.168.88.1 with your router’s IP address. This makes sure every device on your network sends its DNS requests to the router and uses your secure DoH connection.

Step 6. Force All DNS Traffic Through the Router

Some devices ignore your DNS settings and use their own built-in servers like 8.8.8.8. These rules force all DNS traffic through the router, no matter what DNS server the device tries to use:

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53 comment="Force DNS UDP to router"
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 action=redirect to-ports=53 comment="Force DNS TCP to router"

These rules must be placed before your masquerade rules. You can check the order using this command:

/ip firewall nat print

Step 7. Block Direct DoH Bypass on RouterOS (Optional)

Devices can still ignore your router’s DNS settings by sending their own encrypted DoH queries. You can block access to these providers by adding their IP addresses to a list:

/ip firewall address-list
add address=8.8.8.8 list=known-doh-providers
add address=8.8.4.4 list=known-doh-providers
add address=1.1.1.1 list=known-doh-providers
add address=1.0.0.1 list=known-doh-providers
/ip firewall filter add chain=forward protocol=tcp dst-port=443 dst-address-list=known-doh-providers action=drop comment="Block external DoH bypass"

This is best for secure environments where you need all DNS traffic to go only through the router.

Note: Opening ports and creating forward rules can expose your router if not done correctly. To ensure your router is fully secure, we highly recommend reading this guide on MikroTik Firewall Best Practices.

Step 8. Verify MikroTik DNS Setup

Finally, you should verify that your router is successfully sending and receiving DNS queries using DoH.

Check DNS cache activity with:

/ip dns cache print

If you see entries in the cache, DoH is working and resolving your DNS requests. If the cache is empty after you’ve used the internet, DoH is broken.

Flush cache and test resolution with:

/ip dns cache flush
/ping google.com count=3

A successful ping with a resolved IP address confirms the full DNS path is working.

Also, from any LAN client browser, you can visit:

https://1.1.1.1/help

If it reports “Using DNS over HTTPS: Yes”, your entire setup is working correctly.

DoH Provider Compatibility with RouterOS v7

Not every DoH provider works with RouterOS v7. RouterOS currently only supports HTTP/1.1 for DoH, so any provider that requires HTTP/2 will fail to resolve.

Compatible DoH providers with RouterOS v7 include:

  • Cloudflare
  • Google
  • NextDNS
  • OpenDNS

Incompatible DoH providers with RouterOS v7 include:

  • Quad9
  • Mullvad
  • Yandex
  • UncensoredDNS

FAQs

Does enabling DoH slow down the DNS resolution?

The first query has a slight delay while connecting, but after that, responses are cached and fast.

Does DoH work on older RouterOS versions?

No. DoH support was introduced in RouterOS v7. It is not available on RouterOS v6, so upgrading is required.

Can I use a custom or self-hosted DoH server on RouterOS?

Yes, as long as it supports HTTP/1.1 on port 443. Just enter its URL and import its certificate.

Conclusion

MikroTik DNS over HTTPS setup on RouterOS v7 is a straightforward process that improves your network’s privacy. With DoH enabled, your DNS queries are fully encrypted, and no one on the network path can see what domains you visit. The NAT redirect rules and bypass blocking ensure every device on your network is covered, which gives you full control over DNS traffic.
