Implementing DNS over HTTPS (DoH) on MikroTik routers to avoid man in the middle attacks

[Andy]

Starting from RouterOS version v6.47 it is possible to use DNS over HTTPS (DoH). DoH uses the HTTPS protocol to send and receive DNS requests for better data integrity. Its main goal is to provide privacy by eliminating the man in the middle attacks (MITM). Currently, DoH is not compatible with FWD type static entries, in order to utilize FWD entries, DoH must not be configured.

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This problem can be remedied by implementing DNS over HTTPS.

It is advised to import the root CA certificate of the DoH server you have chosen to use for increased security.

Warning: We strongly suggest to not use third party download links for certificate fetching. Use the Certificate Authority own website.

There are various ways to find out what root CA certificate is necessary. The easiest way is by using your WEB browser, navigating to the DoH site and checking the website's security. Using Firefox we can see that DigiCert Global Root CA is used by Cloudflare DoH server. You can download the certificate straight from the browser or navigate to DigiCert website and fetch the certificate from a trusted source.

Download the certificate and import it:

/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem

Configure the DoH server:

/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamical or static DNS server configured, configure it like this:

/ip dns set servers=1.1.1.1

Based on MikroTik guide https://wiki.mikrotik.com/wiki/Manual:IP/DNS