Below is a setup for blocking pornography; it also adds a way to use DoH (DNS over HTTPS).
This is a how-to for beginners.
1- You need to use only the MikroTik DNS, and block all access to any other DNS server, so that clients cannot bypass the filtering by changing their DNS settings.
In this example the WAN input interface is ether1 and the local network is 192.168.88.0/24.
Redirect all DNS to the MikroTik:
Code:
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1 src-address=192.168.88.0/24
add action=redirect chain=dstnat dst-port=53 protocol=udp
GREEN LIST IPs
If you want to block access to Google DNS, remove the 8.8.8.0/24 entry from this list.
Code:
/ip firewall address-list
add address=8.8.8.0/24 list=GREEN
add address=1.1.1.0/24 list=GREEN
add address=192.168.88.0/24 list=GREEN
Code:
/ip firewall filter
add action=drop chain=input icmp-options=8:0-255 in-interface=ether1 protocol=icmp src-address-list=!GREEN
add action=drop chain=input dst-port=53 protocol=udp src-address-list=!GREEN
add action=drop chain=input dst-port=53 protocol=tcp src-address-list=!GREEN
Now test: if step 2 has not been done yet and no DNS server is configured in the MikroTik,
no page should open and no site name should resolve; that means the firewall setup is OK and we can move to step 2.
2- Setting the Cloudflare DNS
Cloudflare has three DNS addresses:
1.1.1.1 for normal DNS without any blocking.
1.1.1.2 blocks malware.
1.1.1.3 blocks malware and adult content.
Setting the MikroTik DNS without DoH, in this case for blocking malware and adult content:
Code:
/ip dns
set allow-remote-requests=yes servers=1.1.1.3
Matching the three normal DNS addresses, Cloudflare has three DoH endpoints:
Code:
https://cloudflare-dns.com/dns-query
Code:
https://security.cloudflare-dns.com/dns-query
Code:
https://family.cloudflare-dns.com/dns-query
Before adding DoH we need to import the root CA certificate (DigiCert Global Root CA), so the router can verify the DoH server's certificate:
Code:
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem
Then press Enter when asked for the passphrase.
For normal DNS over DoH without blocking:
Code:
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
For blocking malware and adult content over DoH:
Code:
/ip dns set servers=1.1.1.3 use-doh-server=https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
Tested and works 100%, but my issue is how to block DoH or DoT requests from users; they can bypass the DNS blocking by using DNS over HTTPS.
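As an added example (not from the original post), here is a RouterOS fragment that narrows the bypass described in the last line: it also redirects TCP/53, logs and drops DNS over TLS (TCP 853) from the LAN, and drops LAN traffic to an address list of known DoH hostnames. The ether1 interface and 192.168.88.0/24 subnet are the post's; the DOH-BLOCK list name and the hostnames in it are my own assumptions and the list is only a starting point.

```routeros
# Added example, not part of the original post. Assumes the same WAN (ether1)
# and LAN (192.168.88.0/24) as above. Add these rules before any general
# "accept" rule in the forward chain, or they will never be reached.

# The post only redirects UDP/53; redirect TCP/53 as well so a client cannot
# fall back to plain DNS over TCP against an outside resolver.
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=192.168.88.0/24

# DNS over TLS always uses TCP 853: log the attempt (useful for spotting
# which client is bypassing) and then drop it.
/ip firewall filter
add action=log chain=forward dst-port=853 protocol=tcp src-address=192.168.88.0/24 log-prefix="DoT-bypass"
add action=drop chain=forward dst-port=853 protocol=tcp src-address=192.168.88.0/24

# DoH uses TCP 443, so it can only be blocked by destination. RouterOS
# resolves hostnames placed in an address list and keeps them updated.
# Hypothetical list name; cloudflare-dns.com is the post's own DoH host,
# dns.google is Google's public DoH host. Extend the list as needed.
/ip firewall address-list
add address=cloudflare-dns.com list=DOH-BLOCK
add address=dns.google list=DOH-BLOCK

# This affects only forwarded client traffic; the router's own DoH queries
# to family.cloudflare-dns.com go through the output chain and keep working.
/ip firewall filter
add action=log chain=forward dst-address-list=DOH-BLOCK dst-port=443 protocol=tcp src-address=192.168.88.0/24 log-prefix="DoH-bypass"
add action=drop chain=forward dst-address-list=DOH-BLOCK dst-port=443 protocol=tcp src-address=192.168.88.0/24
```

A client can still use a DoH server that is not in the list, so watch the "DoT-bypass" and "DoH-bypass" log entries and add the resolvers you see; this limits the bypass rather than removing it completely.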