MikroTik RouterOS (Encrypted)
This article describes how to configure your MikroTik router using RouterOS to send encrypted DNS queries to Quad9 using DNS over HTTPS.
RouterOS 6.47 or later is required, as that release introduced DNS over HTTPS support. These instructions were tested using RouterOS 7.1.3.
Before making changes to a production environment, we recommend backing up the existing configuration.
Connect to your MikroTik router's management interface via SSH or console. The username and password will be the same as if using Webfig (GUI).
RouterOS ships without a built-in trust store, so for it to verify the certificate presented by Quad9's DNS over HTTPS endpoint (dns.quad9.net) we first need to download and import the DigiCert Global Root CA certificate, the root under which that endpoint's chain is issued. Without this step certificate verification fails; and if verification were simply switched off instead, an on-path attacker could impersonate the resolver, leaving the encryption useful only against passive observers. Should Quad9 later move to a chain under a different root, resolution will stop until the new root is imported.
- Download the certificate to your MikroTik router:
/tool/fetch mode=https url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
- Import the certificate into the local certificate store. When prompted for a passphrase, just hit Enter for no passphrase:
/certificate/import file-name=DigiCertGlobalRootCA.crt.pem
The resulting output should be:
passphrase:
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
You can confirm the import with /certificate/print, which should now list DigiCert Global Root CA.
- Log into Webfig (GUI) and navigate to IP > DNS in the left-side menu.
- In the Servers field, set:
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9
These plain-DNS entries stay configured because RouterOS still needs them to resolve dns.quad9.net before it can open the DoH session. If your network does not support IPv6, do not add the IPv6 addresses; the router will periodically try unreachable servers and a percentage of your DNS requests will fail. Not sure whether you have IPv6? Check with an IPv6 test site before continuing.
- Use DoH Server: https://dns.quad9.net/dns-query
- Verify DoH Certificate: checked
- Allow Remote Requests: checked
Allow Remote Requests makes the router answer DNS queries arriving on any interface, including the WAN side. Make sure your firewall input chain drops UDP and TCP port 53 from the internet (the RouterOS default firewall's "drop all not coming from LAN" rule already does this); otherwise the router becomes an open resolver that can be abused for reflection and amplification attacks.
- Click Apply at the top.
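The same result can be reached from the terminal without Webfig. The following is an added example, not part of the original Quad9 guide: it assumes Quad9's public addresses 9.9.9.9, 149.112.112.112, 2620:fe::fe and 2620:fe::9, the DoH endpoint https://dns.quad9.net/dns-query, and that your uplink interfaces belong to the interface list named WAN, as in the RouterOS default firewall.

```routeros
# Added example (not from the Quad9 page): CLI equivalent of the Webfig steps.
# Assumptions: Quad9 addresses 9.9.9.9 / 149.112.112.112 / 2620:fe::fe / 2620:fe::9,
# DoH endpoint https://dns.quad9.net/dns-query, uplink in the interface list "WAN".

# 1. Back up the running configuration before touching anything.
/system/backup/save name=pre-doh

# 2. Fetch the DigiCert Global Root CA and import it into the certificate store.
#    Passing an empty passphrase avoids the interactive prompt.
/tool/fetch mode=https url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate/import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

# 3. Point the resolver at Quad9 over DoH with certificate verification on.
#    The plain servers remain so the router can resolve dns.quad9.net before the
#    HTTPS session exists. Drop the two IPv6 entries if your uplink has no IPv6.
/ip/dns/set servers=9.9.9.9,149.112.112.112,2620:fe::fe,2620:fe::9 \
    use-doh-server="https://dns.quad9.net/dns-query" \
    verify-doh-cert=yes allow-remote-requests=yes

# 4. allow-remote-requests=yes answers on every interface, so make sure port 53
#    from the internet is dropped. Redundant with the default "drop all not coming
#    from LAN" input rule, but explicit if that rule was ever removed.
/ip/firewall/filter/add chain=input in-interface-list=WAN protocol=udp dst-port=53 \
    action=drop comment="drop DNS from WAN"
/ip/firewall/filter/add chain=input in-interface-list=WAN protocol=tcp dst-port=53 \
    action=drop comment="drop DNS from WAN"

# 5. Review the settings and discard answers cached before DoH was enabled.
/ip/dns/print
/ip/dns/cache/flush
```

The backslash at the end of a line continues the command on the next line in the RouterOS terminal; the whole block can also be pasted in one go.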
To confirm that the MikroTik router is sending DNS queries to Quad9 using DNS over HTTPS, use the packet sniffer tool to filter for packets sent to or from the Quad9 IP addresses on port 443 (HTTPS):
/tool/sniffer/quick port=443 ip-address=9.9.9.9,149.112.112.112
If DNS queries sent to the MikroTik router are being forwarded to Quad9 over DNS over HTTPS, you will see output similar to the following (here the router's WAN address is 192.168.1.222 and the session is to 9.9.9.9):
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE  TIME   NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS          DST-ADDRESS          PROTOCOL  SIZE  CPU
ether1     6.886  5    <-   04:F0:21:45:C9:0C  08:00:27:7D:3B:33  9.9.9.9:443 (https)  192.168.1.222:59348  ip:tcp    66    0
ether1     6.887  6    <-   04:F0:21:45:C9:0C  08:00:27:7D:3B:33  9.9.9.9:443 (https)  192.168.1.222:59348  ip:tcp    1514  0
ether1     6.887  7    ->   08:00:27:7D:3B:33  04:F0:21:45:C9:0C  192.168.1.222:59348  9.9.9.9:443 (https)  ip:tcp    66    0
ether1     6.887  8    <-   04:F0:21:45:C9:0C  08:00:27:7D:3B:33  9.9.9.9:443 (https)  192.168.1.222:59348  ip:tcp    1514  0
ether1     6.887  9    ->   08:00:27:7D:3B:33  04:F0:21:45:C9:0C  192.168.1.222:59348  9.9.9.9:443 (https)  ip:tcp    66    0
The reverse check is just as useful: run the sniffer on your WAN interface with port=53 instead (for example /tool/sniffer/quick interface=ether1 port=53). Apart from the router's own lookups of dns.quad9.net against the plain servers, no DNS should leave the uplink in clear text.
If you do not yet have endpoints using the MikroTik router for DNS, you can query the router manually to generate the traffic shown above. From Terminal (Linux/macOS) or Command Prompt (Windows), run the following, replacing 192.168.1.1 with the LAN IP address of your MikroTik router:
nslookup quad9.net 192.168.1.1