swits1109
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Sep 10, 2016 6:03 pm

Automating DoH

Thu Nov 17, 2022 10:44 am

I have found this awesome guide on how to set up DoH: https://jcutrer.com/howto/networking/mi ... over-https

But, it is a bit out of date and the steps are manual in the GUI instead of automated with a script. Can someone help automate the remaining steps I need in the <> brackets?

/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
<ASKS FOR PASSWORD, NEED TO REMOVE THIS PROMPT>
<REMOVE EXISTING DNS SERVERS IF THEY EXIST>
<Add 2 Static DNS Entries for cloudflare-dns.com to Address: 104.16.248.249 and 104.16.249.249>
<ADD DOH SERVER TO https://cloudflare-dns.com/dns-query>
<CHECK VERIFY BOX>
<CHECK ALLOW REMOTE REQUESTS BOX>
 
kangarie
just joined
Posts: 24
Joined: Mon Apr 17, 2017 7:28 am

Re: Automating DoH

Thu Nov 17, 2022 1:09 pm

I think you can just use this script:
/ip dns set allow-remote-requests=yes servers="" use-doh-server=https://1.1.1.1/dns-query
no static dns and no certificate validation needed
Last edited by kangarie on Sat Nov 19, 2022 10:40 am, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Automating DoH

Thu Nov 17, 2022 1:57 pm

Yes, because the 1.1.1.1 cert already contains the IP 1.1.1.1 as an alternate name.
For example, https://one.one.one.one/dns-query does not work without a standard server, because one.one.one.one must first be resolved with the standard DNS.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Automating DoH

Thu Nov 17, 2022 2:54 pm

@kangarie: "no certificate validation" = any MITM can present fake certificate and then see or even modify everything you're sending and receiving. If that's your goal, fine, enjoy. But otherwise it's better to have verification enabled.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Automating DoH

Fri Nov 18, 2022 7:46 am

no static dns and certificate validation needed
As in

(no static dns) and (certificate validation needed) -> You need certificate validation
or
(no static dns) and (no certificate validation needed) -> You don't need certificate validation

As others write: you should have a normal DNS setup and working, to make sure you can use a URL without an IP, so that you can use a certificate with DoH.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Automating DoH

Mon Nov 21, 2022 6:19 pm

You can use the query URL with the IP address ("https://1.1.1.1/dns-query") and enable certificate verification. As the IP address is stored as an alternative subject name inside the certificate, this works. No static DNS is required, but you need to import the correct CA certificate (which is "DigiCert Global Root CA" for Cloudflare).
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Automating DoH

Mon Nov 21, 2022 6:23 pm

This should do the job for perfectly secure dns via Cloudflare:
/tool/fetch https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem;
/certificate import file=DigiCertGlobalRootCA.crt.pem passphrase="";
/ip/dns/set use-doh-server="https://1.1.1.1/dns-query" verify-doh-cert=yes;
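The three commands above, plus the remaining items from the opening post (clear the plain servers, allow remote requests, verify), folded into one re-runnable RouterOS v7 script. This is an added example, not eworm's or MikroTik's code; it assumes the router still has a working plain DNS server when it runs (needed to resolve cacerts.digicert.com before the servers are cleared) and that the imported root is listed under common-name "DigiCert Global Root CA".

```routeros
# Added example (not from the thread): idempotent DoH setup for RouterOS v7.
# Assumes plain DNS still works at this point so the CA download can resolve,
# and that the root shows up as common-name "DigiCert Global Root CA".
:local caUrl  "https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
:local caFile "DigiCertGlobalRootCA.crt.pem"
:local caName "DigiCert Global Root CA"

# 1. Fetch and import the root CA only if it is not already in the store.
#    Must run BEFORE servers="" below, otherwise the hostname cannot resolve.
:if ([:len [/certificate find where common-name=$caName]] = 0) do={
    /tool fetch url=$caUrl dst-path=$caFile
    :delay 2s
    /certificate import file-name=$caFile passphrase=""
    /file remove [find where name=$caFile]
}

# 2. Switch the resolver to Cloudflare over HTTPS with certificate checking on.
#    servers="" removes the cleartext UDP/53 fallback; allow-remote-requests=yes
#    exposes the resolver on all interfaces, so keep the WAN input chain dropping port 53.
/ip dns set servers="" use-doh-server="https://1.1.1.1/dns-query" verify-doh-cert=yes allow-remote-requests=yes
/ip dns cache flush

# 3. Health check: a failed TLS verification surfaces here as a resolve error,
#    which is what you want to see instead of a silent fallback.
:do {
    :local ip [:resolve "cloudflare-dns.com"]
    :log info ("DoH OK: cloudflare-dns.com -> " . $ip)
} on-error={
    :log error "DoH resolve failed; check the CA import and verify-doh-cert"
}
```

Run it once from a terminal with `/import` or paste it into a script under /system script; on a second run the certificate step is skipped because the root is already present.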
