...
| Property | Description |
|---|---|
| address (IPv4/IPv6) | The address that will be used for "A" or "AAAA" type records. |
| cname (string) | Alias name for a domain name. |
| forward-to | The IP address of a domain name server to which a particular DNS request must be forwarded. |
| mx-exchange (string) | The domain name of the MX server. |
| name (string) | Domain name. |
| srv-port (integer; Default: 0) | The TCP or UDP port on which the service is to be found. |
| srv-target | The canonical hostname of the machine providing the service ends in a dot. |
| text (string) | Textual information about the domain name. |
| type (A | AAAA | CNAME | FWD | MX | NS | NXDOMAIN | SRV | TXT ; Default: A) | Type of the DNS record. |
| address-list (string) | Name of the Firewall address list to which address must be dynamically added when some request matches the entry. Entry will be removed from the address list when TTL expires. |
| comment (string) | Comment about the domain name record. |
disabled (yes | no; Default: yes) | Whether the DNS record is active. |
match-subdomain (yes | no; Default: no) | Whether the record will match requests for subdomains. |
mx-preference (integer; Default: 0) | Preference of the particular MX record. |
ns (string) | Name of the authoritative domain name server for the particular record. |
regexp (POSIX regex) | Regular expression against which domain names should be verified. |
srv-priority (integer; Default: 0) | Priority of the particular SRV record. |
srv-weight (integer; Default: 0) | Weight of the particular SRV record. |
ttl (time; Default: 24h) | Maximum time-to-live for cached records. |
| Info |
|---|
For each static A and AAAA record, in cache automatically is added a PTR record. |
| Note |
|---|
Regexp is case-sensitive, but DNS requests are not case sensitive, RouterOS converts DNS names to lowercase before matching any static entries. You should write regex only with lowercase letters. Regular expression matching is significantly slower than plain text entries, so it is advised to minimize the number of regular expression rules and optimize the expressions themselves. |
...
There are various ways to find out what root CA certificate is necessary. The easiest way is by using your WEB browser, navigating to the DoH site, and checking the security of the website. Using, for example, Firefox we can see that DigiCert Global Root CA is used by the Cloudflare DoH server. You can download the certificate straight from the browser or navigate to the DigiCert website and fetch the certificate from a trusted source.
Download the certificate, upload it to your router and import it:
| Code Block | ||
|---|---|---|
| ||
/certificate import file-name=DigiCertGlobalRootCA.crt.pemCertificateFileName |
Configure the DoH server:
| Code Block | ||
|---|---|---|
| ||
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-queryDoH_Server_Query_URL verify-doh-cert=yes |
Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamical or static DNS server configured, add a static DNS entry for the DoH server domain name like this:
| Code Block | ||
|---|---|---|
| ||
/ip dns set servers=1.1.1.1 |
| Tip |
|---|
RouterOS prioritizes DoH over the DNS server if both are configured on the device. |
If you do not have any dynamical or static DNS server configured, add a static DNS entry for the DoH server domain name like this:
| Code Block | ||
|---|---|---|
| ||
/ip dns static add address=IP_Address name=Domain_Name |
| Tip |
|---|
RouterOS prioritizes DoH over the DNS server if both are configured on the device. |
| Tip |
|---|
If / |
| Tip |
If /certificate/settings/set crl-use is set to yes, RouterOS will check CRL for each certificate in a certificate chain, therefore, an entire certificate chain should be installed into a device - starting from Root CA, intermediate CA (if there are such), and certificate that is used for specific service. For example, Google DoH, Cloudflare, and OpenDNS full chain contains contain three certificates, Cloudflare has three certificates, and NextDNS has four certificates NextDNS has four certificates. |
Known compatible/incompatible DoH services
Compatible DoH services:
Cloudflare
Google
NextDNS
OpenDNS
Incompatible DoH services:
Mullvad
- Yandex
Adlist
Adlist is an integral component of network-level ad blocking, comprising a curated collection of domain names known for serving advertisements. This feature operates by utilizing Domain Name System (DNS) resolution to intercept requests to these domains. When a client device queries a DNS server for a domain listed on the adlist, the DNS resolution process is altered. Instead of returning the actual IP address of the ad-serving domain, the DNS server responds with the IP address 0.0.0.0. This effectively null-routes the request, as 0.0.0.0 is a non-routable meta-address used to denote an invalid, unknown, or non-applicable target. By redirecting ad-related requests in this manner, the adlist feature ensures that advertisement content is not loaded, enhancing network performance and improving the user experience by reducing unwanted ad traffic.
| Note |
|---|
Before configuring, increase the DNS cache as it's used to store adlist entries. If limit is reached and error in DNS,error topic is printed "adlist read: max cache size reached" |
| Property | Description |
|---|---|
| url | Used to specify the URL of an adlist. |
| ssl-verify | Specifies whether to validate the server's SSL certificate when connecting to an online resource. Will use the "/certificate" list in order to verify server validity. |
| file | Used to specify a local file path from which to read adlist data |
| pause | Temporarily pause the use of all adlist. |
Configuration examples:
URL based adlist:
| Code Block | ||
|---|---|---|
| ||
/ip/dns/adlist add url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts ssl-verify=no |
To see how many domain names are present and matched, you can run:
| Code Block | ||
|---|---|---|
| ||
/ip/dns/adlist/print
Flags: X - disabled
0 url="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ssl-verify=no match-count=122 name-count=164769
|
Locally hosted adlist:
To create your adlist, you can create a Txt file with the domains. Example:
| No Format |
|---|
0.0.0.0 example1.com
0.0.0.0 eu1.example.com
0.0.0.0 ex.com
0.0.0.0 com.example.com |
| Info |
|---|
You can create the txt file on your PC, but it is also possible to create it in RouterOS, with following commands "/file/add name=host.txt", and then you can run "file/edit host.txt contents" after adding entries, press "ctrl o" to save the entries. |
To add file to adlist :
| Code Block | ||
|---|---|---|
| ||
/ip/dns/adlist/add file=host.txt match-count=0 name-count=4
|
| Info |
|---|
You can verify that file is formatted correctly with "/ip/dns/adlist/print" ,the results will show how many hostnames you have added, the hostname format must match the format given in previous example. |