Hi, I was looking at several forum posts and none of them helped me get DoH up and running. I’m wondering if someone can give me a tutorial or a script on how to enable DNS over HTTPS with NextDNS.
I tried this script and it did not work:
# download the Mozilla CA bundle and import it so the DoH server certificate can be verified
/tool fetch url=https://curl.haxx.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
# drop any plain UDP/53 upstream servers so only DoH is used
/ip dns set servers=
# static entries let the router resolve the DoH hostname before DoH itself is usable (replace "id" with your NextDNS configuration id)
/ip dns static add name=dns.nextdns.io address=45.90.28.197 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.197 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0::id type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1::id type=AAAA
# enable DoH last, once the CA bundle and the static entries are in place
/ip dns set use-doh-server="https://dns.nextdns.io/id" verify-doh-cert=yes
The address https://dns.nextdns.io/id is probably wrong. I have no previous experience with the service, but it seems that “id” should be replaced by some identifier you get from them by registering.
https://my.nextdns.io/ creates a temporary account even without registering, so I did a quick test with that, and it works. Only the server addresses are slightly different:
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
But they probably give different ones to different users for load balancing. And the id is some six-character-long string.
One more idea: what RouterOS version do you have? There’s currently some problem with certificates in v7 and it fails with verify-doh-cert=yes (see this thread).
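To put the pieces of the reply above together and actually confirm that DoH is in use, here is an added RouterOS script (editor's example, not code from either poster). It assumes the CA bundle has already been imported as in the first post, uses the bootstrap addresses the reply above found to work, and leaves the NextDNS configuration id as a placeholder to be filled in; the :resolve check then fails loudly instead of silently falling back to whatever DNS was configured before.

```routeros
# Added example: configure NextDNS DoH on RouterOS and verify it.
# Assumes cacert.pem is already imported under /certificate.
# Replace <id> with your own NextDNS configuration id (placeholder, not a real value).

# start from a clean state: no DoH, no plain upstream servers, no stale static entries
/ip dns set use-doh-server="" servers=""
/ip dns static remove [find name="dns.nextdns.io"]

# bootstrap entries so the DoH hostname is resolvable before DoH itself works
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA

# turn DoH on with certificate verification; on v7 builds with the certificate
# bug mentioned above this is exactly the step that fails
/ip dns set use-doh-server="https://dns.nextdns.io/<id>" verify-doh-cert=yes
/ip dns cache flush

# verification: with servers="" the only way a lookup can succeed is via DoH
:do {
    :local answer [:resolve "example.com"]
    :put ("DoH lookup OK, example.com -> " . $answer)
} on-error={
    :put "DoH lookup FAILED: check the CA import, the static entries and the <id>"
}
```

After the script reports OK, /ip dns print should show the doh server and /ip dns cache print should start filling with entries that came in over HTTPS only; running /tool sniffer quick port=53 on the WAN interface for a minute is a quick way to confirm no plaintext DNS is still leaving the router.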
Check the forums; DoH on MikroTik is buggy. I stopped using it completely. Plus, DoH is dead anyway, we have ODoH now, which is coming soon to popular stub resolvers/forwarders, and you can already use some beta options: https://blog.cloudflare.com/oblivious-dns/
I use Pi-hole for DNS sinkholing with dnscrypt-proxy as the DNS forwarder for DoH; it’s at essentially 5 months of uptime with no issues. It plays really nicely with a load-balancing config as well, albeit with some tricks with masquerade NAT among other things.
You could also use Unbound as a true recursive DNS server with DNSSEC, but since it’s plaintext, your country/ISP could see and intercept/block it. So I’d stick with dnscrypt-proxy or something similar.