Mikrotik - Use DNS over HTTPS (DoH)

How to use DNS over HTTPS (DoH) on Mikrotik RouterOS.

Arman Dwi Pangestu
January 27, 2026

Introduction

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. The goal of DoH is to increase user privacy and security by preventing eavesdropping and manipulation.

With DoH we can bypass ISP DNS filtering and censorship, and we improve privacy because the queries are encrypted and authenticated on the way to the resolver. In Indonesia, for example, some ISPs block access to certain websites by rewriting DNS answers, e.g., for reddit.com. Be clear about what DoH does and does not hide: the ISP can no longer read or forge the DNS exchange, but it still sees the destination IP addresses and the TLS SNI of the connections that follow, so DoH alone defeats DNS-based blocking, not IP- or SNI-based blocking.

Here is an example of how the DNS query for reddit.com is hijacked by the ISP. Note that the query is addressed to Google's resolver at 8.8.8.8, yet the answer is a zero-TTL CNAME to internetpositif.id: the ISP transparently intercepts all plaintext port-53 traffic, whatever the destination address, so simply pointing clients at a different resolver does not help.

bash
dig reddit.com @8.8.8.8

The output will be like this:

bash
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> reddit.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12044
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;reddit.com.                    IN      A
 
;; ANSWER SECTION:
reddit.com.               0       IN      CNAME   internetpositif.id.
internetpositif.id.     0       IN      A       36.86.63.185
 
;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Tue Jan 27 00:59:39 WIB 2026
;; MSG SIZE  rcvd: 87

So in this post, I will show you how to configure Mikrotik RouterOS to use DNS over HTTPS (DoH) to bypass ISP DNS filtering.

Prerequisites

Here are the prerequisites for this guide:

Hardware and Software

I use a Mikrotik RB750Gr3 with RouterOS v6.48.4 installed. The DoH client has been part of RouterOS since 6.47, so any release from that version on, including 7.x, has the same /ip dns options used below.

Certificate Authority (CA) Installation

Why do we need to install CA certificates? DoH is DNS carried over HTTPS, i.e. TLS, and a TLS client is only as good as its ability to verify the server's certificate. Unlike a desktop OS, RouterOS ships with an empty trust store, so until we import one the router cannot validate the DoH server's certificate chain, and verify-doh-cert=yes (set later) would fail every query. Importing a public root bundle fixes that. If you prefer to trust as little as possible, you can instead import only the root CA that issues your provider's certificate. Either way the bundle is a snapshot: roots get added and withdrawn over time, so re-import it periodically.

To install the CA certificates, follow these steps:

Log in to your Mikrotik using Winbox or SSH

Log in to your Mikrotik RouterOS using Winbox or an SSH client. Here is an example using SSH:

bash
ssh arman@mikrotik.home.internal

The output will be like this:

Mikrotik Shell
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK
 
  MikroTik RouterOS 6.48.4 (c) 1999-2021       http://www.mikrotik.com/
 
[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments
 
[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options
 
/               Move up to base level
..              Move up one level
/command        Use command at the base level
 
[arman@Home] >

Download CA & Import

Open the terminal and run these commands to download and import the CA bundle from curl.se/docs/caextract.html (an extract of the Mozilla CA certificate store). Be aware that this first download runs before any CA is trusted, so RouterOS cannot verify curl.se's certificate here; if you want that download checked, fetch the bundle on a machine that already has a trust store, compare it with the published cacert.pem.sha256, and upload it to the router instead.

Mikrotik Shell
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem

Note

When importing, RouterOS prompts for a passphrase; leave it blank and press Enter. A passphrase is only needed when the file contains an encrypted private key.

The output will be like this:

Mikrotik Shell
[arman@Home] > /tool fetch url=https://curl.se/ca/cacert.pem
      status: finished
  downloaded: 219KiB
       total: 219KiB
    duration: 1s
 
[arman@Home] > /certificate import file-name=cacert.pem
passphrase:
     certificates-imported: 144
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

To verify that the bundle was imported, run:

Mikrotik Shell
/certificate print

It lists the installed certificates. Make sure the cacert.pem_N entries appear and carry the T (trusted) flag, since only trusted entries are used to verify servers:

Mikrotik Shell
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #         NAME                                       COMMON-NAME                                      SUBJECT-ALT-NAME                                                                   FINGERPRINT
 0       T ca.crt_0                                   Easy-RSA CA                                                                                                                         4ff905a2f4b8eaba08bd542bc7506e9bf30dd7bb92788...
 1 K     T mikrotik.crt_0                             mikrotik                                                                                                                            45d8ea690b9722cfaa7686f124f8933c184e5712f2555...
 2       T cacert.pem_0                               Entrust Root Certification Authority                                                                                                73c176434f1bc6d5adf45b0e76e727287c8de57616c1e...
 3       T cacert.pem_1                               QuoVadis Root CA 2                                                                                                                  85a0dd7dd720adb7ff05f83d542b209dc7ff4528f7d67...
 4       T cacert.pem_2                               QuoVadis Root CA 3                                                                                                                  18f1fc7f205df8adddeb7fe007dd57e3af375a9c4d8d7...
 5       T cacert.pem_3                               DigiCert Assured ID Root CA                                                                                                         3e9099b5015e8f486c00bcea9d111ee721faba355a89b...
 6       T cacert.pem_4                               DigiCert Global Root CA                                                                                                             4348a0e9444c78cb265e058d5e8944b4d84f9662bd26d...
 7       T cacert.pem_5                               DigiCert High Assurance EV Root CA                                                                                                  7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00...
 8       T cacert.pem_6                               SwissSign Gold CA - G2                                                                                                              62dd0be9b9f50a163ea0f8e75c053b1eca57ea55c8688...
 9  L    T cacert.pem_7                               SecureTrust CA                                                                                                                      f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b...
10  L    T cacert.pem_8                               Secure Global CA                                                                                                                    4200f5043ac8590ebb527d209ed1503029fbcbd41ca1b...
...
135       T cacert.pem_133                             TWCA CYBER Root CA                                                                                                                  3f63bb2814be174ec8b6439cf08d6d56f0b7c405883a5.>
136       T cacert.pem_134                             SecureSign Root CA12                                                                                                                3f034bb5704d44b2d08545a02057de93ebf3905fce721.>
137       T cacert.pem_135                             SecureSign Root CA14                                                                                                                4b009c1034494f9ab56bba3ba1d62731fc4d20d8955ad.>
138       T cacert.pem_136                             SecureSign Root CA15                                                                                                                e778f0f095fe843729cd1a0082179e5314a9c29144280.>
139  L    T cacert.pem_137                             D-TRUST BR Root CA 2 2023                                                                                                           0552e6f83fdf65e8fa9670e666df28a4e21340b510cbe.>
140       T cacert.pem_138                             TrustAsia TLS ECC Root CA                                                                                                           c0076b9ef0531fb1a656d67c4ebe97cd5dbaa41ef4459.>
141       T cacert.pem_139                             TrustAsia TLS RSA Root CA                                                                                                           06c08d7dafd876971eb1124fe67f847ec0c7a158d3ea5.>
142  L    T cacert.pem_140                             D-TRUST EV Root CA 2 2023                                                                                                           8e8221b2e7d4007836a1672f0dcc299c33bc07d316f13.>
143       T cacert.pem_141                             SwissSign RSA TLS Root CA 2022 - 1                                                                                                  193144f431e0fddb740717d4de926a571133884b4360d.>
144       T cacert.pem_142                             OISTE Server Root ECC G1                                                                                                            eec997c0c30f216f7e3b8b307d2bae42412d753fc8219.>
145       T cacert.pem_143                             OISTE Server Root RSA G1                                                                                                            9ae36232a5189ffddb353dfd26520c015395d22777dac.>
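The first /tool fetch above necessarily runs before any CA is trusted, so the router cannot verify that it is really talking to curl.se, and anyone who can intercept that one download (an ISP that already rewrites DNS answers, for instance) could hand the router a bundle with an extra root in it. The script below is an added example, not code from the post or from MikroTik: it downloads the bundle on a workstation that already has a trust store, checks it against the published cacert.pem.sha256, uploads it over SCP, imports it, and then has the router re-fetch the bundle with certificate checking enabled as proof that the new trust store works. Assumed rather than taken from the post: the ROUTER login, that cacert.pem.sha256 is in sha256sum(1) format, and the RouterOS parameters check-certificate, keep-result and passphrase (documented for 6.48, but confirm on your version).

```shell
#!/bin/sh
# Added example (not from the original post): verify the Mozilla CA bundle on a
# workstation that already has a trust store, then push it to the router.
# Assumptions: the router answers SSH/SCP as $ROUTER; curl.se publishes
# cacert.pem.sha256 in sha256sum(1) "<hash>  cacert.pem" format beside the bundle.
set -eu

CA_URL="https://curl.se/ca/cacert.pem"
ROUTER="${ROUTER:-arman@mikrotik.home.internal}"

# verify_bundle <bundle> <sha256 sidecar>: exit 0 if the bundle matches the sidecar.
# sha256sum -c resolves the filename listed in the sidecar relative to the cwd,
# so run it inside the bundle's directory.
verify_bundle() {
    dir=$(dirname "$1")
    (cd "$dir" && sha256sum -c "$(basename "$2")" >/dev/null 2>&1)
}

# count_certs <bundle>: number of PEM certificates in the file, to compare with
# the "certificates-imported" line RouterOS prints after /certificate import.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# fetch_verify_push: download bundle and sidecar, verify, upload, import, and
# finally re-fetch the bundle with check-certificate=yes so the router proves it
# can now validate a TLS chain with the imported roots.
fetch_verify_push() {
    work=$(mktemp -d)
    curl -sSf -o "$work/cacert.pem" "$CA_URL"
    curl -sSf -o "$work/cacert.pem.sha256" "$CA_URL.sha256"
    if ! verify_bundle "$work/cacert.pem" "$work/cacert.pem.sha256"; then
        echo "bundle hash mismatch, not uploading" >&2
        rm -rf "$work"
        return 1
    fi
    echo "bundle OK, $(count_certs "$work/cacert.pem") certificates"
    scp -q "$work/cacert.pem" "$ROUTER:cacert.pem"
    ssh "$ROUTER" '/certificate import file-name=cacert.pem passphrase=""'
    # This fetch must now succeed; before the import it would have failed.
    ssh "$ROUTER" '/tool fetch url=https://curl.se/ca/cacert.pem check-certificate=yes keep-result=no'
    rm -rf "$work"
}

# Only touch the network when invoked as: sh bootstrap-ca.sh run
if [ "${1:-}" = "run" ]; then
    fetch_verify_push
fi
```

The final fetch is the check worth keeping: once the bundle is imported, a fetch with check-certificate=yes against any well-known HTTPS site should succeed, and a failure there means the trust store (not the DoH provider) is the problem.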

Configure DoH Client

Now we can configure DoH client on Mikrotik RouterOS.

Choose DoH Provider

There are many public DoH providers to choose from. In this case I will use AdGuard, which offers several variants:

Variant             Endpoint (DoH)                                  Description
Default             https://dns.adguard-dns.com/dns-query           Blocks ads, trackers and phishing
Family Protection   https://family.adguard-dns.com/dns-query        Default + blocks adult content, enforces safe search
Non-Filtering       https://unfiltered.adguard-dns.com/dns-query    No filtering at all

Here are the details of the Default variant, as listed on adguard-dns.io/kb/general/dns-providers:

Protocol            Address
DNS, IPv4           94.140.14.14 and 94.140.15.15
DNS, IPv6           2a10:50c0::ad1:ff and 2a10:50c0::ad2:ff
DNS-over-HTTPS      https://dns.adguard-dns.com/dns-query
DNS-over-TLS        tls://dns.adguard-dns.com
DNS-over-QUIC       quic://dns.adguard-dns.com
DNSCrypt, IPv4      Provider: 2.dnscrypt.default.ns1.adguard.com, IP: 94.140.14.14:5443
DNSCrypt, IPv6      Provider: 2.dnscrypt.default.ns1.adguard.com, IP: [2a10:50c0::ad1:ff]:5443

Set DNS (DoH + Bootstrap)

After choosing the DoH provider, set the DNS configuration on RouterOS. Run this on the terminal:

Mikrotik Shell
/ip dns set \
  servers=94.140.14.14,94.140.15.15 \
  use-doh-server="https://dns.adguard-dns.com/dns-query" \
  verify-doh-cert=yes \
  allow-remote-requests=yes

A few notes on those parameters. The servers= entries are plain-DNS bootstrap resolvers: once use-doh-server is set, RouterOS sends ordinary queries through DoH and uses the plain servers only to look up the DoH server's hostname, and the dig output earlier shows why even that one lookup is a problem, since the ISP intercepts port 53 no matter which address it is sent to. verify-doh-cert=yes is what makes the CA import matter; without it RouterOS accepts any certificate, an on-path attacker can impersonate the DoH server, and you are back where you started. allow-remote-requests=yes makes the router answer DNS for the LAN, but it answers anyone who can reach port 53, so make sure the firewall's input chain drops UDP and TCP port 53 arriving on the WAN interface, otherwise you have created an open resolver that can be abused for amplification attacks.

Now add static DNS entries for dns.adguard-dns.com so the router resolves the DoH server's own hostname locally instead of asking a plaintext resolver:

Note

The static entries break a circular dependency: the router must resolve the DoH hostname before it can use DoH for anything, and without them that lookup goes out in plaintext, which is exactly the traffic the ISP rewrites. If that bootstrap lookup were hijacked, verify-doh-cert=yes would make the TLS handshake to the impostor fail (it cannot present a valid certificate for dns.adguard-dns.com), so resolution would stop rather than silently continue through the attacker; the static entries remove the dependency altogether. The addresses are the ones AdGuard documents for this endpoint; re-check them if AdGuard changes its address list.

Mikrotik Shell
/ip dns static
  add name=dns.adguard-dns.com address=94.140.14.14 ttl=1d
  add name=dns.adguard-dns.com address=94.140.15.15 ttl=1d
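Before relying on the router, it helps to see what it will actually send: a DoH request is an HTTP GET (or POST) carrying a wire-format DNS message, as specified in RFC 8484. The script below is an added example, not code from the post or from AdGuard. It builds the wire-format query in plain POSIX shell, base64url-encodes it for the ?dns= parameter, sends it with curl using the same cacert.pem the router was given (so a chain that fails to validate here will fail on the router too), and decodes the RCODE and ANCOUNT from the response header. The AdGuard URL is the one from the post; the CA_BUNDLE path and the "run" argument convention are my assumptions. The encoding it produces for www.example.com matches the worked example in RFC 8484 section 4.1.1.

```shell
#!/bin/sh
# Added example (not from the original post): speak RFC 8484 DoH from a
# workstation to check the provider endpoint and the CA bundle independently of
# the router. Assumptions: curl is available, CA_BUNDLE points at the cacert.pem
# from the post (defaults to ./cacert.pem), DOH_URL defaults to the AdGuard endpoint.
set -eu

DOH_URL="${DOH_URL:-https://dns.adguard-dns.com/dns-query}"
CA_BUNDLE="${CA_BUNDLE:-cacert.pem}"

# dns_wire_query <name>: write a DNS A query in wire format to stdout.
# RFC 8484 recommends ID 0 so identical queries produce identical, cacheable URLs.
dns_wire_query() {
    # header: ID=0, flags=0x0100 (RD), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    printf '\000\000\001\000\000\001\000\000\000\000\000\000'
    # QNAME: one length byte per label, then the empty root label
    old_ifs=$IFS; IFS=.
    for label in $1; do
        printf "\\$(printf '%03o' "${#label}")"
        printf '%s' "$label"
    done
    IFS=$old_ifs
    printf '\000'
    # QTYPE=A (1), QCLASS=IN (1)
    printf '\000\001\000\001'
}

# doh_query_param <name>: the base64url (no padding) value for the ?dns= parameter.
doh_query_param() {
    dns_wire_query "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}

# dns_msg_summary: read a raw DNS message on stdin, print "rcode=N ancount=N".
# RCODE is the low nibble of header byte 3; ANCOUNT is bytes 6-7, big-endian.
dns_msg_summary() {
    set -- $(od -An -tu1 -N12 | tr -s ' \n' ' ')
    [ $# -ge 8 ] || { echo "short message"; return 1; }
    printf 'rcode=%d ancount=%d\n' "$(( $4 & 15 ))" "$(( $7 * 256 + $8 ))"
}

# doh_query <name>: GET the query from the provider, validating its certificate
# against the same bundle the router uses; --fail turns a TLS or HTTP error
# into a non-zero exit instead of a garbled "message".
doh_query() {
    curl -sS --fail --cacert "$CA_BUNDLE" \
        -H 'accept: application/dns-message' \
        "$DOH_URL?dns=$(doh_query_param "$1")" | dns_msg_summary
}

# Only touch the network when invoked as: sh doh-check.sh run
if [ "${1:-}" = "run" ]; then
    for name in reddit.com doubleclick.net; do
        printf '%s: ' "$name"
        doh_query "$name"
    done
fi
```

If this returns rcode=0 with a non-zero ancount for reddit.com but the router still fails, the problem is on the router side (bootstrap or trust store), not at the provider. If curl fails with a certificate error, the bundle does not contain the provider's root, and importing that bundle into the router would not have helped either.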

Verify DoH is Working

Before verifying that DoH is working, reboot the router and flush its DNS cache, and clear the DNS caches on your client devices as well (for example your laptop's browser cache), so that no cached answers mask the result:

Tip

RouterOS keeps the DNS cache and active resolver sessions in memory, so after switching to DoH it may still serve cached answers or reuse existing resolver connections. Flushing the cache ensures every new query goes through the DoH resolver; a reboot additionally resets the resolver's runtime state, TLS sessions and bootstrap resolution.

Reboot Mikrotik RouterOS

Mikrotik Shell
/system reboot

Flush DNS Cache

After the Mikrotik RouterOS is back online, run this command to flush the DNS cache:

Mikrotik Shell
/ip dns cache flush

Sniff DNS Traffic

To verify that DNS over HTTPS is in use, capture DNS traffic on the WAN interface with the RouterOS packet sniffer. Run this on the terminal:

Tip

Change the interface value to the one connected to the internet, e.g., ether1 or wan.

Mikrotik Shell
/tool sniffer quick interface=ether1 port=53

If no packets show up on port 53 while clients are resolving names, the router is no longer sending plaintext DNS upstream. To confirm that the encrypted path is actually carrying the queries, repeat the capture with port=443 instead of port=53: you should see TCP traffic from the router to the DoH server's addresses (94.140.14.14 or 94.140.15.15).

Mikrotik Shell
INTERFACE       TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU FP

Caution

If the sniffer shows UDP packets to port 53, the router is still resolving in plaintext and DoH is not in use. Here is an example of that output; note the plain queries from the router (172.16.32.1) to an upstream resolver on port 53:

Mikrotik Shell
INTERFACE   TIME        NUM     DIR     SRC-MAC             DST-MAC             VLAN    SRC-ADDRESS             DST-ADDRESS             PROTOCOL    SIZE    CPU     FP
ether1      6.871         1     ->      XX:XX:XX:XX:XX:XX   YY:YY:YY:YY:YY:YY           172.16.32.1:46830       1.1.1.1:53 (dns)        ip:udp      89      0       no
ether1      6.886         2     <-      YY:YY:YY:YY:YY:YY   XX:XX:XX:XX:XX:XX           1.1.1.1:53 (dns)        172.16.32.1:46830       ip:udp      154     3       no
ether1      10.267        3     ->      XX:XX:XX:XX:XX:XX   YY:YY:YY:YY:YY:YY           172.16.32.1:50410       1.1.1.1:53 (dns)        ip:udp      80      0       no
ether1      10.267        4     ->      XX:XX:XX:XX:XX:XX   YY:YY:YY:YY:YY:YY           172.16.32.1:38817       1.1.1.1:53 (dns)        ip:udp      80      0       no
ether1      10.27         5     <-      YY:YY:YY:YY:YY:YY   XX:XX:XX:XX:XX:XX           1.1.1.1:53 (dns)        172.16.32.1:50410       ip:udp      158     1       no
ether1      10.27         6     <-      YY:YY:YY:YY:YY:YY   XX:XX:XX:XX:XX:XX           1.1.1.1:53 (dns)        172.16.32.1:38817       ip:udp      204     1       no
ether1      10.273        8     ->      XX:XX:XX:XX:XX:XX   YY:YY:YY:YY:YY:YY           172.16.32.1:42068       1.0.0.0:53 (dns)        ip:udp      77      0       no
ether1      10.277       10     <-      YY:YY:YY:YY:YY:YY   XX:XX:XX:XX:XX:XX           1.0.0.0:53 (dns)        172.16.32.1:33532       ip:udp      127     1       no
ether1      11.471       11     ->      XX:XX:XX:XX:XX:XX   YY:YY:YY:YY:YY:YY           172.16.32.1:45603       1.0.0.1:53 (dns)        ip:udp      70      0       no

Try Resolving the Blocked Site

Now we can try to access the blocked site again, e.g., reddit.com:

Note

Point the query at your Mikrotik's IP address. In my case it is mikrotik.home.internal, which resolves to 10.10.10.254.

bash
dig reddit.com @mikrotik.home.internal

The output will be like this:

bash
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> reddit.com @mikrotik.home.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9242
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;reddit.com.                    IN      A
 
;; ANSWER SECTION:
reddit.com.             197     IN      A       151.101.1.140
reddit.com.             197     IN      A       151.101.65.140
reddit.com.             197     IN      A       151.101.193.140
reddit.com.             197     IN      A       151.101.129.140
 
;; Query time: 2 msec
;; SERVER: 10.10.10.254#53(mikrotik.home.internal) (UDP)
;; WHEN: Tue Jan 27 02:46:58 WIB 2026
;; MSG SIZE  rcvd: 92

Try Resolving an Ad Domain

Now we can try an ad-serving domain that AdGuard DNS normally blocks, e.g., doubleclick.net:

bash
dig doubleclick.net @mikrotik.home.internal

It resolves to 0.0.0.0, which is how AdGuard DNS answers for a blocked domain:

bash
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> doubleclick.net @mikrotik.home.internal
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57294
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;doubleclick.net.               IN      A
 
;; ANSWER SECTION:
doubleclick.net.        3523    IN      A       0.0.0.0
 
;; Query time: 2 msec
;; SERVER: 10.10.10.254#53(mikrotik.home.internal) (UDP)
;; WHEN: Tue Jan 27 02:54:33 WIB 2026
;; MSG SIZE  rcvd: 49

Querying doubleclick.net through Google DNS instead returns the real addresses:

bash
dig doubleclick.net @8.8.8.8

The output will be like this:

bash
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> doubleclick.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17179
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;doubleclick.net.               IN      A
 
;; ANSWER SECTION:
doubleclick.net.        296     IN      A       172.217.194.139
doubleclick.net.        296     IN      A       172.217.194.100
doubleclick.net.        296     IN      A       172.217.194.102
doubleclick.net.        296     IN      A       172.217.194.113
doubleclick.net.        296     IN      A       172.217.194.101
doubleclick.net.        296     IN      A       172.217.194.138
 
;; Query time: 7 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Tue Jan 27 02:56:31 WIB 2026
;; MSG SIZE  rcvd: 140
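The dig runs above (the hijacked answer from 8.8.8.8 and the clean answer through the router) are easy to compare by eye once, but the check is worth automating so it can be repeated after every change to the router or whenever a site stops loading. The script below is an added example and not code from the post: it parses dig's ANSWER section, reports "hijacked" when an answer is a CNAME to the ISP's block page or an A record pointing at it, and can list the A records a resolver returns so two resolvers can be diffed. The block-page name and address are taken from the hijacked output earlier in the post; the router address 10.10.10.254 and the "run" argument convention are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a repeatable version of the dig
# comparison in the post. It parses dig's ANSWER section and flags answers that
# land on the ISP's filtering page. The two samples are excerpts of the post's
# own dig outputs; the block-page lists are derived from the hijacked one.
set -eu

# Indicators of the ISP block page (assumption: extend with whatever you see locally).
BLOCKPAGE_NAMES="internetpositif.id."
BLOCKPAGE_ADDRS="36.86.63.185"

# dig_answers: read dig output on stdin, print "TYPE RDATA" for each answer record.
dig_answers() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^;;/ || /^[[:space:]]*$/ { in_ans = 0 }
         in_ans && NF >= 5 { print $4, $5 }'
}

# dns_verdict: "hijacked" if any answer is a CNAME to a block-page name or an A
# record pointing at a block-page address, "no-answer" if the answer section is
# empty, otherwise "clean".
dns_verdict() {
    dig_answers | awk -v names=" $BLOCKPAGE_NAMES " -v addrs=" $BLOCKPAGE_ADDRS " '
        $1 == "CNAME" && index(names, " " $2 " ") { bad = 1 }
        $1 == "A"     && index(addrs, " " $2 " ") { bad = 1 }
        END { if (NR == 0) print "no-answer"; else print (bad ? "hijacked" : "clean") }'
}

# a_records: sorted A addresses from dig output on stdin, for diffing two resolvers.
a_records() {
    dig_answers | awk '$1 == "A" { print $2 }' | sort
}

# check_resolver <name> <resolver>: live query, prints "<resolver>: <verdict>".
check_resolver() {
    printf '%s: %s\n' "$2" "$(dig "$1" "@$2" | dns_verdict)"
}

# Samples excerpted from the post's dig runs (hijacked via 8.8.8.8, clean via the router).
HIJACKED_SAMPLE=$(cat <<'EOF'
;; QUESTION SECTION:
;reddit.com.                    IN      A

;; ANSWER SECTION:
reddit.com.               0       IN      CNAME   internetpositif.id.
internetpositif.id.     0       IN      A       36.86.63.185

;; Query time: 8 msec
EOF
)
CLEAN_SAMPLE=$(cat <<'EOF'
;; ANSWER SECTION:
reddit.com.             197     IN      A       151.101.1.140
reddit.com.             197     IN      A       151.101.65.140
reddit.com.             197     IN      A       151.101.193.140
reddit.com.             197     IN      A       151.101.129.140

;; Query time: 2 msec
EOF
)

# Only query the network when invoked as: sh dns-hijack-check.sh run
if [ "${1:-}" = "run" ]; then
    # Compare the ISP-intercepted plaintext path against the router's DoH path.
    check_resolver reddit.com 8.8.8.8
    check_resolver reddit.com 10.10.10.254
fi
```

Run it from a LAN client after the router change and again from time to time: the 8.8.8.8 line should keep reporting "hijacked" as long as the ISP intercepts port 53 (that is the control), while the router line must report "clean".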

Access dnsleaktest.com

You can also verify from a browser with dnsleaktest.com. The resolvers it lists should belong to AdGuard (the DoH provider's egress), not to your ISP. If an ISP resolver still appears, either a client is bypassing the router or the router is still falling back to plain DNS.

Conclusion

In this post we configured Mikrotik RouterOS to use DNS over HTTPS (DoH) with AdGuard DNS as the provider. DoH lets us bypass DNS-based ISP filtering and censorship and keeps queries encrypted and authenticated on the way to the resolver.

We verified it by sniffing for plaintext DNS on the WAN interface and by resolving previously blocked sites. Other DoH providers work the same way; adjust the endpoint URL, the bootstrap servers and the static entries accordingly.

Happy Hacking! 🎉

