Adlist rb750gr3 v 7.22

I added 3 lists from the normal import, with certificate verification, and they match, but it doesn't block. What can it be? I use NextDNS DoH. I wanted to reduce blocking before it reaches NextDNS.

Hi,

Misconfiguration?

Continuing the discussion from Adlist rb750gr3 v 7.22:

config follows:

/ip dns print
servers: 2a07:a8c0::
2a07:a8c1::
45.90.28.0
45.90.30.0
45.90.28.39
45.90.30.39
9.9.9.11
dynamic-servers:
use-doh-server: https://dns.nextdns.io/xxxxx

verify-doh-cert: yes
doh-max-server-connections: 50
doh-max-concurrent-queries: 200
doh-timeout: 5s
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 5s
query-total-timeout: 15s
max-concurrent-queries: 900
max-concurrent-tcp-sessions: 400
cache-size: 149192KiB
cache-max-ttl: 1h
address-list-extra-time: 0s
vrf: main
mdns-repeat-ifaces:
cache-used: 64779KiB

MikroTik RouterOS 7.23rc4

/system package update print
channel: testing
mode: https
check-certificate: yes
ip-version: auto
installed-version: 7.23rc4
latest-version: 7.23rc4
status: System is already up to date

https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt

https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pro.plus.txt

Use this instead. I believed MikroTik uses hosts-type blocklists.
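The two links above are the same list in two formats (the adblock/ variant and the hosts/ variant), and the reply hinges on which one the router expects. The following checker, added here as an example and not MikroTik or hagezi code, tells the two formats apart and extracts the domains each one blocks so you can confirm a list's format before importing it. The list excerpts in it are constructed samples, not real list contents.

```python
"""Tell hosts-format and adblock-format DNS blocklists apart and extract the domains each blocks.

Added example for this thread, not MikroTik code. The sample list contents below are constructed.
"""
import re
from typing import Iterable, Set

# Constructed excerpts in the two formats linked in the thread (hosts/ vs adblock/ variants).
SAMPLE_HOSTS = """\
# Title: constructed hosts-format sample
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
0.0.0.0 Cdn.Ads.Example.org metrics.example.org
"""

SAMPLE_ADBLOCK = """\
! Title: constructed adblock-format sample
||ads.example.com^
||tracker.example.net^
||cdn.ads.example.org^$important
||metrics.example.org^
@@||allowed.example.com^
"""

# Sink addresses a hosts file uses to blackhole a name.
_SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names present in most hosts files that are not blocklist entries.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
                "ip6-mcastprefix", "0.0.0.0"}
# ||domain^ optionally followed by $modifiers.
_ADBLOCK_RULE = re.compile(r"^\|\|([A-Za-z0-9.-]+)\^(?:\$.*)?$")


def _hosts_entry(line: str):
    """Return the hostnames of one hosts line, or None if it is not a hosts entry."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] not in _SINK_ADDRESSES:
        return None
    return tokens[1:]


def detect_format(lines: Iterable[str]) -> str:
    """Classify a list as 'hosts', 'adblock', 'mixed' or 'unknown' by counting rule-shaped lines."""
    hosts = adblock = 0
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if line.startswith("@@") or _ADBLOCK_RULE.match(line):
            adblock += 1
        elif _hosts_entry(line) is not None:
            hosts += 1
    if hosts and adblock:
        return "mixed"
    if hosts:
        return "hosts"
    if adblock:
        return "adblock"
    return "unknown"


def extract_domains(text: str) -> Set[str]:
    """Return the lower-cased domains a list blocks, in either format.

    Exception rules (@@) and loopback names are skipped.
    """
    fmt = detect_format(text.splitlines())
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or line.startswith("@@"):
            continue
        names = []
        if fmt in ("hosts", "mixed"):
            names = _hosts_entry(line) or []
        if fmt in ("adblock", "mixed") and not names:
            m = _ADBLOCK_RULE.match(line)
            if m:
                names = [m.group(1)]
        for name in names:
            name = name.lower().rstrip(".")
            if name not in _LOCAL_NAMES:
                domains.add(name)
    return domains


if __name__ == "__main__":
    for label, sample in (("hosts sample", SAMPLE_HOSTS), ("adblock sample", SAMPLE_ADBLOCK)):
        print(label, detect_format(sample.splitlines()), sorted(extract_domains(sample)))
```

Running `extract_domains` over both variants of the same list and comparing the two sets is a quick way to confirm that the hosts/ file you import carries the same entries as the adblock/ file you may already use elsewhere.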

I implemented these lists, but they are not blocking the traffic. The rules are registering matches (the match count is going up), but the traffic is still not being blocked.

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

https://badmojr.github.io/1Hosts/Lite/hosts.txt

https://someonewhocares.org/hosts/zero/

https://badmojr.github.io/1Hosts/Lite/hosts.txt

This feature is not working with IPv6. Is there a way to configure it for IPv6? It also failed to work using IPv4.

Did you configure client redirect to your router's DNS?

Redirect DNS queries to router: 

/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53 
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53 

I had to disable DoH in my DNS settings and deploy these firewall rules instead to block external DoH servers. It feels like a downgrade, since running DoH directly on the router provided encrypted DNS and was way faster.

TCP Rule specifying port 443

/ip firewall filter add chain=forward protocol=tcp dst-port=443 dst-address-list=doh-servers action=reject reject-with=tcp-reset comment="Block DoH - TCP 443"

UDP Rule specifying port 443 (For DoH over QUIC/HTTP3)

/ip firewall filter add chain=forward protocol=udp dst-port=443 dst-address-list=doh-servers action=reject reject-with=icmp-network-unreachable comment="Block DoH - UDP 443"

1. Cloudflare (Privacy and Speed)

  • URL: https://cloudflare-dns.com/dns-query or https://1.1.1.1/dns-query

  • IPv4: 1.1.1.1 and 1.0.0.1

  • IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001

2. NextDNS (Custom Filters)

  • URL: https://dns.nextdns.io/sua_id

  • IPv4: 45.90.28.0 and 45.90.30.0

  • IPv6: 2a07:a8c0:: and 2a07:a8c1::

3. Google Public DNS

  • URL: https://dns.google/dns-query

  • IPv4: 8.8.8.8 and 8.8.4.4

  • IPv6: 2001:4860:4860::8888 and 2001:4860:4860::8844

4. Quad9 (Security and Malware Blocking)

  • URL: https://dns.quad9.net/dns-query

  • IPv4: 9.9.9.9 and 149.112.112.112

  • IPv6: 2620:fe::fe and 2620:fe::9

5. AdGuard DNS (Ad and Tracker Blocking)

  • URL: https://dns.adguard.com/dns-query

  • IPv4: 94.140.14.14 and 94.140.15.15

  • IPv6: 2a10:50c0::ad1:ff and 2a10:50c0::ad2:ff

You don't need to disable DoH on the router if you only want to prevent the clients in your LAN from directly using DoH (btw you didn't filter DoT and DoQ). The drop rules you posted act on the forward chain and the router will still be able to connect to the NextDNS DoH server, because for that the input and output chain are the relevant ones.

?

/ip firewall filter

DoH HTTPS TCP

add chain=forward protocol=tcp dst-port=443 dst-address-list=doh-servers action=reject reject-with=tcp-reset comment="Bloquear DoH TCP"

DoH HTTP3 / QUIC

add chain=forward protocol=udp dst-port=443 dst-address-list=doh-servers action=drop comment="Bloquear DoH QUIC"

DoT

add chain=forward protocol=tcp dst-port=853 action=drop comment="Bloquear DoT"

DoQ

add chain=forward protocol=udp dst-port=853 action=drop comment="Bloquear DoQ"
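The reply a few posts up makes the point that forward-chain rules cannot touch the router's own DoH session to NextDNS, because traffic the router originates traverses the output chain. The model below, added here as an example and not RouterOS code, walks the four rules just posted against sample flows to show which chain each flow hits and what verdict it gets. The router's addresses, the LAN prefix and the contents of the `doh-servers` address list are constructed assumptions (the thread never shows the list's entries); NextDNS is deliberately left out of it to mirror a hand-maintained list, and the IPv6 flow shows that `/ip firewall` rules do not apply to IPv6 at all, which needs a matching `/ipv6 firewall` rule set.

```python
"""Model which RouterOS firewall chain a flow hits and whether the DoH/DoT/DoQ block rules above match it.

Added example for this thread, not RouterOS code. Router addresses, LAN prefix and the
contents of the doh-servers address list are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed: the router's own addresses (LAN gateway and WAN side).
ROUTER_ADDRESSES = {ip_address("192.168.88.1"), ip_address("203.0.113.10")}

# Constructed: what an address-list named doh-servers might contain. The posted rules
# reference this list but never show its entries; NextDNS is deliberately left out.
ADDRESS_LISTS = {
    "doh-servers": [ip_network("8.8.8.8/32"), ip_network("8.8.4.4/32"),
                    ip_network("1.1.1.1/32"), ip_network("1.0.0.1/32")],
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    chain: str                          # input / output / forward
    action: str                         # accept / drop / reject
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    dst_address_list: Optional[str] = None
    table: str = "ip"                   # "ip" (/ip firewall) or "ipv6" (/ipv6 firewall)


# The four rules posted above, as /ip firewall filter entries (IPv4 only).
POSTED_RULES = [
    Rule("forward", "reject", "tcp", 443, "doh-servers"),  # Bloquear DoH TCP
    Rule("forward", "drop", "udp", 443, "doh-servers"),    # Bloquear DoH QUIC
    Rule("forward", "drop", "tcp", 853),                   # Bloquear DoT
    Rule("forward", "drop", "udp", 853),                   # Bloquear DoQ
]


def chain_for(flow: Flow) -> str:
    """Traffic to the router is input, from the router is output, everything else forward."""
    if ip_address(flow.dst) in ROUTER_ADDRESSES:
        return "input"
    if ip_address(flow.src) in ROUTER_ADDRESSES:
        return "output"
    return "forward"


def rule_matches(rule: Rule, flow: Flow, chain: str) -> bool:
    """Apply the rule's matchers; an /ip rule never sees an IPv6 packet and vice versa."""
    dst = ip_address(flow.dst)
    table = "ip" if dst.version == 4 else "ipv6"
    if rule.table != table or rule.chain != chain:
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    if rule.dst_address_list is not None:
        nets = ADDRESS_LISTS.get(rule.dst_address_list, [])
        if not any(dst in net for net in nets):
            return False
    return True


def verdict(rules, flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; with no match the default RouterOS filter policy is accept."""
    chain = chain_for(flow)
    for rule in rules:
        if rule_matches(rule, flow, chain):
            return chain, rule.action
    return chain, "accept"


if __name__ == "__main__":
    cases = [
        ("LAN client -> Google DoH",        Flow("192.168.88.20", "8.8.8.8", "tcp", 443)),
        ("LAN client -> any DoT server",    Flow("192.168.88.20", "9.9.9.9", "tcp", 853)),
        ("router -> NextDNS DoH (own DNS)", Flow("203.0.113.10", "45.90.28.0", "tcp", 443)),
        ("LAN client -> NextDNS DoH",       Flow("192.168.88.20", "45.90.28.0", "tcp", 443)),
        ("LAN client -> Google DoH, IPv6",  Flow("2001:db8::20", "2001:4860:4860::8888", "tcp", 443)),
    ]
    for label, flow in cases:
        print(f"{label:34} {verdict(POSTED_RULES, flow)}")
```

Two of the cases are the ones worth checking on a real router: the router's own DoH to NextDNS lands in the output chain and is accepted, so the forward rules do not force you to give up DoH on the router; and a LAN client pointing at a DoH server that is missing from the address list, or reachable over IPv6, is accepted, which is why the address list and a parallel `/ipv6 firewall filter` set decide how much the block actually covers.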