Encrypt your DNS requests with MikroTik

Views: 39,512

MikroTik

1 year ago

Sources and extra reading:
- help.nextdns.io/t/x2hmvas/wha...
- www.cloudflare.com/en-gb/lear...
Quick command line setup for NextDNS:
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem
/ip dns set servers=
/ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A
/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A
/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA
/ip dns set use-doh-server="https://dns.nextdns.io/fe4232" verify-doh-cert=yes
Redirect DNS queries to router:
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53
Documentation link:
help.mikrotik.com/docs/displa...
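The same resolver setup as an added, complete RouterOS 7 script (this is not the video's own command list; it extends it). It assumes an interface list named "LAN", uses the placeholder `<CONFIG-ID>` where the description uses the author's NextDNS ID, adds `allow-remote-requests=yes` (without it LAN clients get no answer from the router) and ends with the checks a practitioner runs to confirm that answers really arrive over DoH. The `doh-*` settings are the RouterOS 7 DoH connection limits referred to in the comments; they are printed here rather than changed.

```routeros
# Added example, not from the video description. Assumes RouterOS 7,
# an interface list "LAN" and a placeholder NextDNS configuration ID.

# 1. Trust anchor for verify-doh-cert=yes: import the public CA bundle.
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""

# 2. Bootstrap records: the router must resolve dns.nextdns.io before DoH
#    is up, so pin its addresses as static entries instead of keeping a
#    plaintext upstream (servers is emptied on purpose).
/ip dns set servers=""
/ip dns static
add name=dns.nextdns.io address=45.90.28.0 type=A
add name=dns.nextdns.io address=45.90.30.0 type=A
add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA
add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA

# 3. Point the resolver at the DoH endpoint. <CONFIG-ID> is a placeholder
#    for the ID shown in the NextDNS dashboard (fe4232 in the video).
#    allow-remote-requests=yes lets LAN clients query the router; pair it
#    with firewall rules that accept port 53 from the LAN side only.
/ip dns set use-doh-server="https://dns.nextdns.io/<CONFIG-ID>" \
    verify-doh-cert=yes allow-remote-requests=yes

# 4. Checks. Flush stale answers, resolve a name through the router's own
#    resolver, then confirm the DoH settings and look for DoH errors in the log.
/ip dns cache flush
:put [:resolve example.com]
/ip dns print
/ip dns cache print where name=example.com
/log print where message~"DoH"
```

If `:resolve` fails after this, the usual causes are a CA bundle that was not imported (`/certificate print` should list the bundle) or the static bootstrap entries missing, since the router no longer has any plaintext server to fall back to.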

Comments: 70
@stevebot 1 year ago
Thanks for these video shorts, many are great for getting me started on all the little config features and tweaks that I don’t need to get a router working but are useful. Without these videos to jumpstart me, the little things always seem to stay on my todo list and never get done.
@foxglenacres 1 month ago
This is great, the journey is slow but the power of these devices is top notch! Now I have encrypted DNS :)
@linuxfornerds 1 year ago
Awesome video. I was looking for an alternative DoH to Cloudflare and am now testing NextDNS; thanks again and keep it up. Hope you guys cover layer 3 hardware offloading on your switches at some point; it would be good to have a quick video on how it should be set up.
@mikrotik 1 year ago
There is also Google DoH to try
@bartsimpson3483 1 year ago
Hi Mikrotik team🤗, I really missed a video like this, I was really looking forward to a detailed video, 🤩thanks for this video🤩. I have a question. Are there plans to add DoQ (DNS over QUIC)? If so, how soon will it appear (approximately how soon)? Thanks for your attention😊🙂
@nelsonmeliancrosa1072 1 year ago
Excellent!!!! And easy ;)
@willyelvis9369 1 year ago
Thanks for sharing ❤
@MrLupoNino 1 year ago
1. How long is the certificate from NextDNS valid? Shall we put in the new cert when it expires? 2. How to redirect IPv6 DNS requests, as there is no NAT menu under IPv6 > Firewall on version 6?
@BattousaiHBr 1 year ago
Can we either have proper support for glue records or have FWD entries work in conjunction with DoH? Because glue records don't work, I'm forced to use FWD, and because DoH doesn't work with FWD, I can't enable it.
@roxorbeton 11 months ago
These settings will handle the external DNS communication behind the MikroTik NAT firewall, but what about the local DNS server on Microsoft Active Directory? Should it also be changed, or is it not necessary to encrypt LAN DNS requests? In my opinion it is not necessary in the LAN network, because there are many notebooks and portable devices that users carry between home and office. This tutorial hides DNS requests behind the MikroTik router from LAN to internet only, if I understand correctly...
@iamyulianto2 2 months ago
Thank you Normis, but can we have multiple DoH entries on RouterOS just like the regular DNS?
@kikigak 11 months ago
Have had it running for 2 days and got 100k+ NextDNS queries, but Analytics -> Encrypted DNS (lower right) says zero percent. What DNS IP should be set on the DHCP server LAN side?
@nageebka2013 1 year ago
Can the certificate be downloaded without a computer? I only use the phone.
@r4nd0mstuffed 1 year ago
Not working with VLANs active. There is no DNS declared on the VLANs' DHCP. There is ping out to the internet, but no DNS reach on the VLANs. Any idea?
@profkwl775 6 months ago
I just tried this and it seems like "Redirect DNS queries to router" doesn't get traffic or packets. It's always 0, which I think means none of the traffic passes through that filter or setting.
@gosich 1 year ago
Pardon my stupid question, but why use the dstnat chain in the firewall rules? The docs say that "this type of NAT is performed on packets that are destined for the natted network". So to me it looks like the firewall will process packets coming from the WAN interface to the local network. Why not srcnat?
@mikrotik 1 year ago
No, DST-NAT translates packets from any network to any network, including from LAN to router etc.
@gosich 1 year ago
@mikrotik Thanks, it looks like the documentation is somewhat confusing, because in some places it simplifies these definitions (src-nat and dst-nat) to the most common use cases (like NAT and port forwarding), and in other places (like packet flow diagrams) they are used in many stages. Not to say that there are chains and actions named the same, but they do not necessarily go in pairs. Would be nice if the docs did some clarification at the beginning of the topic/chapter.
@WIN4iG 10 months ago
@mikrotik If the DoH server goes down, my MikroTik clients cannot access the sites, although 2 normal DNS servers are specified besides the DoH. Why can't regular DNS be used when not connected to DoH?
@oskarsfreimanis8192 4 months ago
Good video. Works perfectly. Except for the fact that NextDNS is sending all traffic to Russia, Moscow servers. So there never will be trust in NextDNS. And there is no way to change servers. But thanks for the video. Good tutorial.
@Ekz0rcyst 1 year ago
Thanks for the video, but I have one question: if I'm using Pi-hole in my home network, what settings are needed in this case?
@mikrotik 1 year ago
As far as I know, Pi-hole itself does not support DoH, but you can use the NextDNS service like the video shows. It has the same functions as Pi-hole (like stopping ads, blocking malware) and you don't need Pi-hole anymore.
@JemiToShumafuk 1 year ago
@mikrotik Pi-hole is more user-manageable and efficient in filtering ads. I would also like to have Pi-hole in between, also for reducing traffic to NextDNS.
@i-town 1 year ago
Hi. "to be extra safe you can just drop port 53 in the firewall output chain". OK, must it be "Src.Port" or "Dst.Port"?
@mikrotik 1 year ago
Destination port
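The two exchanges above (why the redirect lives in the dstnat chain, and which port the output-chain drop matches) put together as an added RouterOS 7 example; this is not code from the video or from MikroTik. It assumes an interface list named "LAN" and that the DoH resolver from the description is already configured. Compared with the two-line redirect in the description it restricts the redirect to LAN-originated packets, skips queries already addressed to the router, refuses to act as an open resolver, and turns the router's own plaintext DNS into a logged and dropped event so that any fallback shows up in counters and the log.

```routeros
# Added example, not from the video. Assumes interface list "LAN".

/ip firewall nat
# dstnat runs on every packet entering the router, whichever direction it
# travels, so restrict the redirect to packets arriving from LAN interfaces.
# dst-address-type=!local leaves alone queries that already target the
# router; the counters then count only clients that tried to go elsewhere.
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    dst-address-type=!local action=redirect comment="force LAN DNS through router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    dst-address-type=!local action=redirect comment="force LAN DNS through router"

/ip firewall filter
# allow-remote-requests=yes answers anyone who can reach the router, so
# accept resolver traffic from the LAN side only.
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="LAN DNS to router"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept \
    comment="LAN DNS to router"
add chain=input in-interface-list=!LAN protocol=udp dst-port=53 action=drop \
    comment="no open resolver"
add chain=input in-interface-list=!LAN protocol=tcp dst-port=53 action=drop \
    comment="no open resolver"
# Once DoH is configured the router itself should never send plaintext DNS.
# Destination port 53 on the output chain: log first, then drop, so that a
# hit is visible instead of silently leaking a query.
add chain=output protocol=udp dst-port=53 action=log log-prefix="plain-dns-out"
add chain=output protocol=udp dst-port=53 action=drop comment="no plaintext DNS from router"
add chain=output protocol=tcp dst-port=53 action=log log-prefix="plain-dns-out"
add chain=output protocol=tcp dst-port=53 action=drop comment="no plaintext DNS from router"

# Rules are appended; move them above any existing catch-all drop or
# earlier dstnat rule (rule numbers differ per router, so check with print).
# Verify: the redirect counters rise as clients resolve names, while the
# output drop counters and the log prefix should stay empty.
/ip firewall nat print stats where comment~"force LAN DNS"
/ip firewall filter print stats where chain=output
/log print where message~"plain-dns-out"
```

The output-chain drop is the deliberate trade-off raised elsewhere in these comments: with no plaintext fallback, an unreachable DoH endpoint means resolution stops rather than degrading to an unencrypted query, which is exactly the condition the log prefix is meant to make visible.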
@lucasr4204 1 year ago
Gives me the error "DoH server connection error: Idle timeout - connecting". I can't resolve.
@ingecarlosrios 7 months ago
Hi! I missed where we can get the ID mentioned at 3:52?
@mikrotik 7 months ago
When registering on NextDNS website
@gomgom330 5 months ago
Still confused. If the ISP is using transparent DNS, is setting up DNS on the MikroTik useless, because we're forced to use the ISP's DNS?
@mikrotik 5 months ago
No, with DoH secure DNS, the ISP can't intercept it. This is the benefit of DoH.
@vadym.masiuk 12 days ago
@mikrotik meaning the same thing can be done by any device/user behind the MikroTik in order to bypass the DNS proxying enforced by the firewall rule
@JemiToShumafuk 1 year ago
Is it possible to combine it with pi-hole in container?
@mikrotik 1 year ago
As far as I know, Pi-hole itself does not support DoH, but you can use the NextDNS service like the video shows. It has the same functions as Pi-hole (like stopping ads, blocking malware) and you don't need Pi-hole anymore.
@JemiToShumafuk 1 year ago
@mikrotik I meant to use them together: NextDNS DoH as upstream in Pi-hole. I tried, but the browser won't load anything back. However, queries are filled in both Pi-hole and NextDNS.
@JemiToShumafuk 1 year ago
@S K I prefer to reduce queries by first blocking in Pi-hole (or AdGuard) and then sending DoH to NextDNS. I tried a combination of both, but Pi-hole queries are filled already with encrypted DoH addresses, so it is useless now. device -> pihole/adguard home -> DoH to NextDNS
@JemiToShumafuk 1 year ago
@S K What about client -> router -> pihole -> router -> DoH NextDNS -> internet? Instead of using unbound, which I cannot get to work properly, I can send filtered DNS from Pi-hole back to the router and then encrypted to NextDNS. How can I achieve this? What firewall rules to use?
@xlion 1 year ago
And please improve the stability of RouterOS DoH.
@piotrsulima8696 1 year ago
And how to redirect all DNS queries to, for example, Pi-hole: an external DNS, not the MT device.
@mikrotik 1 year ago
We have a video about Pi-hole: kzfaq.info/get/bejne/i7OTfdZl1N-sdJ8.html
@piotrsulima8696 1 year ago
@mikrotik do you have something less complex, for example pointing DNS traffic to a server, and that server will be reachable from different bridges, different subnets?
@JemiToShumafuk 1 year ago
You mean custom upstream from Pi-hole?
@piotrsulima8696 1 year ago
@JemiToShumafuk kzfaq.info/get/bejne/e8qqd6acq8fXm5c.html
@djsasha78 1 year ago
Hello there. I have watched your channel since 2021. I am working as a system administrator now using MikroTik's routers. This one has a lot of possibilities to improve the network. About this video: I used NextDNS but I would say this DNS server isn't that secure for me. Many packets are transferred to NextDNS and they are controlled by this server. Nobody guarantees that your personal information will not be leaked. This is my IMHO. What can the author of the video say about this situation? Thanks for the reply.
@mikrotik 1 year ago
This is clearly mentioned in the video itself
@michaelandrews4783 11 months ago
RouterOS is far better than OpenWrt and pfSense.
@midteknologi 10 months ago
MikroTik is very unstable when using DNS services like ControlD, NextDNS and AdGuard DNS cloud, even using the latest version 7.
@mikrotik 10 months ago
It's not true. Email our support if you are seeing any problems. Maybe the configuration can be improved.
@j7ndominica051 1 year ago
Big corporations want this to become the standard so that we can't block advertisements with DNS anymore. So for every small name it would open and tear down an SSL connection with a big certificate?
@StahLHerZRocK 1 year ago
It's a joke video, I think. DoH with cert verify still has a memory leak.
@mikrotik 1 year ago
No, there aren't any leaks. Make sure you have properly set up the DoH connection limits.
@StahLHerZRocK 1 year ago
@mikrotik Just check the forum for "DOH" and "Leak". Your support is aware of the issue. A bug was opened in Jira over a year ago (if I remember correctly). This summer it was closed but there were no changes in the releases at least up to 7.7. As for ROS 6, there is no sense in waiting for a fix, I think.
@mikrotik 1 year ago
All known issues with DoH are fixed in the latest releases. V6 is not updated anymore. Use v7.8.
@StahLHerZRocK 1 year ago
@mikrotik Maybe 7.8 fixed it. I have no statistics yet; it's a new release. This video was recorded at 7.7 version time.
@mikrotik 1 year ago
In any case, there was no memory leak in 7.7 either. DoH simply had a hardcoded limit on the maximum number of connections, so when it was reached, it could cause issues. Now this parameter is configurable. Even 7.6 and 7.5 worked very well with DoH if you only had a few devices in your LAN.
@unu5ua1 1 year ago
@MikrotikLatvia DoH on MikroTik has been broken for many, many years. NextDNS / AdGuard / Google DNS, any DoH DNS, after a while start throwing the error "DoH max concurrent queries reached, ignoring query". On different devices with different architectures, including CHR. Endless threads on forums and on the Internet lead to dead ends. There is no solution. I just checked again with CHR 7.6 and the situation has not changed.
@unu5ua1 1 year ago
Max concurrent queries of course I changed to 500/1000/2000. It seems that this parameter does not work at all. In a small network of 5 PCs there cannot be that many requests.
@vketsenko 1 year ago
I don't have this problem on a hAP ac2 with Cloudflare's DoH. I have max concurrent queries 100 and max concurrent TCP sessions 20.
@mikrotik 1 year ago
The max queries setting does not apply to DoH; you are changing the setting without any reason. Leave it alone if you use DoH.
@StahLHerZRocK 1 year ago
DoH has a more serious problem: it's a memory leak. All ROS versions, including 7.7.
@Vladimir-pu9ok 1 year ago
NextDNS can be used for free up to 300,000 queries each month, after which all features will be disabled temporarily until next month.
@DuncanAllanByamukama 1 month ago
Unfair discovery, I also discovered.