Introduction

This article describes how to configure your MikroTik router using RouterOS to send encrypted DNS queries to Quad9 using DNS over HTTPS.

RouterOS >=6.4.7 is required. These instructions were tested using RouterOS 7.1.3.

Steps

1. Connect to your MikroTik router's management interface via SSH or console. The username and password will be the same as if using Webfig (GUI).

2. For RouterOS to verify the certificate presented by the Quad9 DNS over HTTPS server, the DigiCert Global Root CA certificate that signs it must be downloaded and imported into the router's certificate store.

Download the certificate to your MikroTik router:

/tool/fetch mode=https url="https://support.quad9.net/hc/en-us/article_attachments/4618235579021/digicert-root-ca.pem"

Import the certificate into the local certificate store. When prompted for a passphrase, just hit enter for no passphrase:

/certificate/import file-name=digicert-root-ca.pem

The resulting output should be:

passphrase: 
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0

3. Log into Webfig (GUI), and navigate to IP -> DNS on the left-side menu.
4. In the Servers field, set:

  • 9.9.9.9
  • 149.112.112.112
  • 2620:fe::fe
  • 2620:fe::9

    Note: If your network does not have IPv6 connectivity (you can check this with an online IPv6 connectivity test), do not add the IPv6 addresses, as doing so may cause a percentage of your DNS requests to fail.

5. Use DoH Server: https://dns.quad9.net/dns-query
6. Verify DoH Certificate: Enabled
7. Allow Remote Requests: Enabled
Note: It is recommended to prevent non-local IP addresses from querying the MikroTik router directly by creating the appropriate firewall rules; otherwise the router can be used as an open resolver.

8. Click Apply at the top.
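The same settings as steps 3 through 7, applied from the RouterOS terminal instead of Webfig, together with firewall rules covering the note under step 7. This is an added example and not part of the Quad9 article; the interface list named WAN is assumed to exist (the RouterOS default configuration creates it) and the syntax is that of RouterOS 7.

```routeros
# Added example, not from the Quad9 article. Assumes RouterOS 7 syntax and an
# interface list named "WAN" (created by the default configuration).

# Step 4: plain DNS servers. Drop the two IPv6 entries if your WAN has no IPv6.
# These remain necessary because the router resolves dns.quad9.net through them
# before it can open the first DoH connection.
/ip/dns/set servers=9.9.9.9,149.112.112.112,2620:fe::fe,2620:fe::9

# Steps 5-7: DoH upstream, certificate verification against the imported
# DigiCert root, and permission for LAN clients to query the router.
/ip/dns/set use-doh-server=https://dns.quad9.net/dns-query verify-doh-cert=yes allow-remote-requests=yes

# Note under step 7: allow-remote-requests=yes answers anyone who can reach the
# router, so drop DNS (UDP and TCP) arriving on the WAN side. place-before=0 puts
# each rule at the top of the input chain so no earlier accept rule matches first.
/ip/firewall/filter/add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="drop DNS from WAN" place-before=0
/ip/firewall/filter/add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="drop DNS from WAN" place-before=0
/ipv6/firewall/filter/add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="drop DNS from WAN" place-before=0
/ipv6/firewall/filter/add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="drop DNS from WAN" place-before=0

# Show the resulting DNS settings: use-doh-server and verify-doh-cert should
# read back with the values set above.
/ip/dns/print
```

If your WAN interface is not in an interface list, replace `in-interface-list=WAN` with `in-interface=<your WAN interface>`. The order of the filter rules matters: a drop rule appended after an accept rule that already matches WAN traffic has no effect, which is why the rules above are placed first.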


Confirm Configuration

To confirm that the MikroTik router is sending DNS queries to Quad9 using DNS over HTTPS, you can use the packet sniffer tool to filter for packets being sent to/from Quad9 IP addresses using port 443 (HTTPS):

tool/sniffer/quick port=443 ip-address=9.9.9.9,149.112.112.112

If DNS queries sent to the MikroTik router are being forwarded to Quad9 over DNS over HTTPS, you will see output similar to the following:

tool/sniffer/quick port=443 ip-address=9.9.9.9,149.112.112.112
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE TIME NUM DIR SRC-MAC DST-MAC SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU
ether1 6.886 5 <- 04:F0:21:45:C9:0C 08:00:27:7D:3B:33 9.9.9.9:443 (https) 192.168.1.222:59348 ip:tcp 66 0
ether1 6.887 6 <- 04:F0:21:45:C9:0C 08:00:27:7D:3B:33 9.9.9.9:443 (https) 192.168.1.222:59348 ip:tcp 1514 0
ether1 6.887 7 -> 08:00:27:7D:3B:33 04:F0:21:45:C9:0C 192.168.1.222:59348 9.9.9.9:443 (https) ip:tcp 66 0
ether1 6.887 8 <- 04:F0:21:45:C9:0C 08:00:27:7D:3B:33 9.9.9.9:443 (https) 192.168.1.222:59348 ip:tcp 1514 0
ether1 6.887 9 -> 08:00:27:7D:3B:33 04:F0:21:45:C9:0C 192.168.1.222:59348 9.9.9.9:443 (https) ip:tcp 66 0

If no endpoints are using the MikroTik router for DNS yet, you can query the router manually from Terminal (Linux/macOS) or Command Prompt (Windows) to generate the traffic shown above. Replace 192.168.1.1 with the LAN IP address of your MikroTik router:

nslookup quad9.net 192.168.1.1
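A complementary check to the port 443 sniffer above, run on the router itself: resolve a name from the router so that a DoH exchange is forced, then watch the WAN interface for plaintext DNS that should no longer be there. This is an added example, not part of the Quad9 article; ether1 is assumed to be the WAN interface.

```routeros
# Added example, not from the Quad9 article. Assumes ether1 is the WAN interface.

# Empty the resolver cache so the next lookup cannot be answered locally, then
# resolve a name from the router's own scripting engine. This forces a query
# to the configured upstream, which should now travel over DoH (port 443).
/ip/dns/cache/flush
:put [:resolve "quad9.net"]

# Watch the WAN interface for plaintext DNS on port 53 while LAN clients are
# performing lookups. Apart from the occasional lookup of dns.quad9.net itself,
# which the router must resolve through the step 4 servers before it can open
# the DoH connection, nothing should appear. Press Ctrl-C to stop the sniffer.
/tool/sniffer/quick interface=ether1 port=53
```

If UDP/53 packets from LAN addresses to resolvers other than Quad9 show up here, those clients are configured with their own DNS servers and are bypassing the router entirely, so their queries are not protected by this configuration regardless of the DoH settings.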