Implementing DNS over HTTPS (DoH) on MikroTik routers to avoid man in the middle attacks


Creative Team
User ID
7 Jan 2019
Reaction score
Starting from RouterOS version v6.47 it is possible to use DNS over HTTPS (DoH). DoH uses the HTTPS protocol to send and receive DNS requests for better data integrity. Its main goal is to provide privacy by eliminating man-in-the-middle attacks (MITM). Currently, DoH is not compatible with FWD type static entries, to utilise FWD entries, DoH must not be configured.

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This problem can be remedied by implementing DNS over HTTPS.

Importing the root CA certificate of the DoH server you have chosen to use for increased security is advised.
Warning: We strongly suggest to not use third party download links for certificate fetching. Use the Certificate Authority own website.

There are various ways to find out what root CA certificate is necessary. The easiest way is by using your WEB browser, navigating to the DoH site and checking the website's security. Using Firefox we can see that DigiCert Global Root CA is used by the CloudFlare DoH server. You can download the certificate straight from the browser or navigate to DigiCert website and fetch the certificate from a trusted source.

Download the certificate and import it:
Rich (BB code):
/tool fetch url=""
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
Configure the DoH server:
Rich (BB code):
/ip dns set use-doh-server= verify-doh-cert=yes
Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamical or static DNS server configured, configure it like this:
Rich (BB code):
/ip dns set servers=

Based on MikroTik guide

You would also need to configure as a static DNS entry, in order the MikroTik would know where to connect to the DoH Server:
/ip dns static
add address=2606:4700::6810:f8f9 type=AAAA
add address=2606:4700::6810:f9f9 type=AAAA
add address=
add address=
Last edited:
 Short URL: