DNS over HTTPS for Mikrotik routers

Tudor
Jan 2, 2023


The year is 2023 and most internet traffic is carried over HTTPS (encrypted), but most home connections still use their ISP's DNS resolver, which in most cases is plain, unencrypted DNS on port 53. This means your ISP can still "see" which websites you visit: even when the page itself is served over HTTPS, the name lookup that precedes it is transmitted in clear text.

Generally speaking, anyone with access to the path between your home network and the resolver can read standard DNS queries. Your ISP, an attacker on the same network, or even a script kiddie can do it.

Enter DoH (DNS over HTTPS) and DoT (DNS over TLS). Both carry ordinary DNS queries inside an encrypted session: DoH inside HTTPS on TCP 443, where it is hard to tell apart from normal web traffic, and DoT inside TLS on its own port, TCP 853.

More details about DoH can be found in RFC 8484; I will not explain everything related to it, since that is beyond this article's purpose. Two limits are worth keeping in mind, though: encrypting DNS moves visibility from your ISP to the DoH provider, which now sees every query instead, and the destination IP address and the TLS SNI of the sites you visit still cross the wire in clear text.

In this article we will set up DoH on a MikroTik router using one of the faster public resolvers, Cloudflare's 1.1.1.1.

Log in to your MikroTik router and make sure it runs a recent stable RouterOS (from a terminal, /system package update check-for-updates shows whether a newer release is available). DoH support was added in RouterOS 6.47, so any newer release, including the current 7.x stable branch, has this feature.

Next, open Winbox, click New Terminal and run:

/tool fetch url=https://curl.se/ca/cacert.pem

Hit Enter and wait for the CA bundle to download. Note that /tool fetch does not verify the server's TLS certificate unless you pass check-certificate=yes, and at this point the router has no CA to check against anyway, so this step is trust-on-first-use. If that bothers you, download cacert.pem on a workstation, verify its SHA-256 against the hash published at https://curl.se/ca/cacert.pem.sha256, and upload it through Winbox's Files window instead. Then import it with the command below (the bundle has no passphrase, hence the empty value):

/certificate import file-name=cacert.pem passphrase=""

Then we point the router at 1.1.1.1 and enable DoH. All of this can be done with one command. Two parameters matter for security: verify-doh-cert=yes makes the router check the DoH server's certificate against the CA bundle you just imported, which is the whole reason for the previous two steps (without it anyone in the path could impersonate the resolver), and servers=1.1.1.1 stays in place because the router still has to resolve the hostname cloudflare-dns.com once, over regular DNS, before it can reach the DoH endpoint.

/ip dns set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=2000 servers=1.1.1.1 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

Now, assuming your MikroTik router is also the DNS server handed to your LAN clients (normally via DHCP), all of their lookups go through it via DoH. On the router, /ip dns print should show the use-doh-server setting and /ip dns cache print should start filling up. To check from a client, go from any PC on your LAN to https://1.1.1.1/help and voila, you should see "Using DNS over HTTPS (DoH) — Yes". Two caveats about that check: a browser that runs its own DoH (Firefox, for example) reports Yes regardless of what the router does, and a client with a hard-coded resolver such as 8.8.8.8 bypasses the router entirely unless you force its port-53 traffic through it.
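The following RouterOS commands are an added example of the hardening I would apply around the setup above; they are not part of the original post. They assume the default RouterOS configuration, where the interface lists WAN and LAN exist and the router answers DNS for the LAN. The IP address for cloudflare-dns.com is an assumption you must verify yourself before relying on it.

```routeros
# Added hardening around the DoH setup above (example, not from the original post).
# Assumes the default RouterOS config: interface lists WAN and LAN exist.

# 1. The router needs regular DNS only once, to resolve the DoH hostname.
#    A static entry removes even that cleartext lookup. The address below is
#    an assumption; check it yourself (e.g. dig cloudflare-dns.com) first.
/ip dns static add name=cloudflare-dns.com address=104.16.248.249 comment="DoH bootstrap"

# 2. allow-remote-requests=yes makes the router answer DNS for anyone who can
#    reach it. Drop DNS arriving on WAN so it is not an open resolver.
#    Filter rules are evaluated top-down, so place them before any accept rule.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="no open resolver (udp)" place-before=0
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="no open resolver (tcp)" place-before=0

# 3. LAN clients with a hard-coded resolver (8.8.8.8 etc.) would bypass DoH
#    entirely. Redirect their port-53 traffic to the router's own resolver.
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="force LAN DNS via router"
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="force LAN DNS via router"

# 4. Confirm the resolver settings and watch the cache fill via DoH.
/ip dns print
/ip dns cache print
```

The default firewall already contains a "drop all not coming from LAN" rule in the input chain that covers step 2, so those two rules are belt and braces; the dstnat redirect in step 3 is the part most home setups are missing, and it is what actually guarantees that every LAN lookup is the router's DoH lookup rather than a client's plain one.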
