Encrypt your DNS requests with MikroTik
Sources and extra reading:
– https://help.nextdns.io/t/x2hmvas/what-is-dns-over-tls-dot-dns-over-quic-doq-and-dns-over-https-doh-doh3
– https://www.cloudflare.com/en-gb/learning/dns/dns-over-tls/
Quick command line setup for NextDNS:
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem
/ip dns set servers=
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
/ip dns set use-doh-server=“https://dns.nextdns.io/fe4232” verify-doh-cert=yes
Redirect DNS queries to router:
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53
Documentation link:
https://help.mikrotik.com/docs/display/ROS/DNS
by MikroTik
linux dns server
Mikrotik very unstable when using dns services like controld, nextdns and adguard dns cloud even use latest version 7
This settings will handle the external DNS communication behind the Mikrotik NAT firewall and what about local DNS server on Microsoft active directory, should be also changed, or it is not necessary to encrypt LAN DNS requests ? In my opinion it is not necessary in LAN network, because there many notebooks and portable devices, that users carry to home and office. This tutorial hides DNS requests behind Mikrotik router from LAN to internet only if I understand correctly…
Have 2 days running and got 100k+ nextdns queries but on Analytics->Encrypted DNS(lower right) says zero percent. What DNS IP should be set on DHCP Server LAN side?
Routeros is far better than openwrt and pfsense.
Pardon for my stupid question, but why using dstnat chain in the firewall rules? The docs say that "this type of NAT is performed on packets that are destined for the natted network". So to me it looks like the firewall will process packets coming from WAN interface to the local network. Why not srcnat?
1. How long is available the certificate from nextfdns? Shall we put the new cert when it expire?
2. How to redirect ipv6 dns request as there is no nat menu on ipv6>firewall on version 6
its joke video i think. DoH with Cert verify still have memory leak.
I used the NextDNS too,It’s groovy👍
Gives me error: DoH server connection error: Idle timeout – connecting
I can't resolve
Enabling DOH and redirect in NAT is a shot in the foot. As a result, Mikrotik will write "DoH max concurrent queries reached, ignoring query", and clients will have problems in a variety of programs.
Excellent!!!!
and easy 😉
And please improve the stability of ROS DOH
Hi Mikrotik team🤗, I really missed a video like this, I was really looking forward to a detailed video, 🤩thanks for this video🤩.
I have a question.
Are there plans to add DoQ (DNS over QUIC)? If so, how soon will it appear (approximately how soon)?
Thanks for your attention😊🙂
Hi. "to be extra safe you can just drop port 53 in the firewall output chain". Ok, it must be "Src.Port" or "Dst.Port" ?
Awesome video I was looking for a alternative doh to cloudflare and now testing nextdns thanks again and keep it up. Hope you guys cover layer 3 hardware offloading on your switches at some point would be good to have a quick video on how it should be setup.
Can the certificate be downloaded without a computer I only use the phone
can we either have proper support for glue records or have FWD entries work in conjunction with DoH?
because glue record doesn't work, i'm forced to use FWD, and because DoH doesn't work with FWD, i cant enable it.
NextDNS can be used for free up to 300,000 queries each month, after which all features will be disabled temporarily until next month.
And how to redirect all DNS queries to for example Pi-Hole – external DNS, not MT device.
Hello there. I watch your chennel since 2021. I am working as a system administrator now using MikroTik's router. This one has a lot of posibilities to improve the network. What about this video- I used nextdns but i would say this dns server isn't such secure for me. Many packets are transfered to nextdns and they are controlled by this server. Nobody guarantees that your personal information will be leaked. This is my IMHO. What can say the author of the video about this situation? Thanks for reply.