Encrypting DNS traffic via HTTPS

Implementing the DoH protocol encrypts DNS traffic and prevents it from being read, fabricated or altered in transit. Because DoH encapsulates DNS queries in HTTPS requests, the traffic is concealed alongside normal day-to-day HTTPS traffic. The protocol uses port 443 for transmission.

I implemented this protocol on a MikroTik hAP lite router that has built-in functionality to allow for its use. As for the DoH server, I made use of the consumer side of OpenDNS with this URL: https://doh.familyshield.opendns.com/dns-query

DoH on a MikroTik router.

1) Get DoH Server Certificate

Open a web browser and enter the hostname of the DoH server that you are planning on using. (I am using Firefox)

1.1) Click on the Lock icon & expand Connection is secure.

1.2) Click on More information

1.3) Click on View Certificate

1.4) Scroll down to Miscellaneous & click on PEM (cert) to download the certificate and the PEM Chain certificate.

2) Copy Certificates to router.

copy PEM (cert)

copy PEM (chain)

scp .\path-to\file username@ip:filename

3) Import the certificates.

ssh into the router and execute the following command to import the certificates that were previously uploaded.

Configure:

import PEM (cert)

import PEM (chain)

Output:

when a certificate is imported successfully you should get this message.

4) Add static entries for DoH IPs.

Add static IP entries for the DoH server now: all regular DNS server functionality will be disabled by the end of this guide, and the router will still need to know how to reach the DoH server by name.

Find IP addresses via MikroTik terminal:

Find IP addresses via Microsoft PowerShell:

Configure:

Verify:

5) Change DoH DNS settings

Change the DNS settings so that DNS over HTTPS (DoH) is used.

Configure:

Verify:

6) Remove normal DNS server entries on the router.

It is vital to remove any existing DNS server entries; if you have any, the output will look similar to this.

Configure:

Verify:

7) Disable usage of DHCP-Client peer DNS.

Configure and verify for IPv4:

Configure and verify for IPv6:

*I am not using IPv6 in any way, so my output shows “no such item”. Your mileage may vary; as of now (2023-10), IPv6 has not been rolled out in my area.

8) Disable usage of PPPoE-client peer DNS

If you use PPPoE for your internet connection, you should disable the use of the DNS servers supplied by the peer (your ISP). To find the name of the PPPoE interface, execute the following:

Configure:

You could also reference the interface by name to accomplish the same thing.

Verify:

9) Add Firewall rules

10) Reboot the router
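The RouterOS terminal commands for steps 3 through 10, collected in one place as an added example (this is not the author's own command output, which was shown as screenshots). The certificate file names, the firewall rule intent (dropping plain DNS that tries to leave the LAN so that clients can only resolve through the router) and the allow-remote-requests setting are assumptions; the DoH URL is the one used in the post.

```routeros
# Step 3: import the certificate and chain copied to the router with scp.
# File names are assumed; use whatever you named them in the scp command.
/certificate import file-name=doh-cert.pem passphrase=""
/certificate import file-name=doh-chain.pem passphrase=""
/certificate print

# Step 4: resolve the DoH server while a regular resolver still works,
# then pin that address as a static entry so the hostname in the DoH URL
# stays resolvable after the normal DNS servers are removed.
:global dohIp [:resolve doh.familyshield.opendns.com]
:put $dohIp
/ip dns static add name=doh.familyshield.opendns.com address=$dohIp \
    comment="DoH server pin"
/ip dns static print

# Step 5: point the resolver at the DoH server and verify its certificate
# against the CA chain imported in step 3. allow-remote-requests is assumed
# to be needed so LAN clients can use the router as their resolver.
/ip dns set use-doh-server=https://doh.familyshield.opendns.com/dns-query \
    verify-doh-cert=yes allow-remote-requests=yes
/ip dns print

# Step 6: remove any plain DNS servers so nothing falls back to port 53.
/ip dns set servers=""
/ip dns print

# Step 7: stop the DHCP clients from re-adding ISP DNS servers.
/ip dhcp-client set [find] use-peer-dns=no
/ip dhcp-client print detail
/ipv6 dhcp-client set [find] use-peer-dns=no
/ipv6 dhcp-client print detail

# Step 8: same for a PPPoE uplink, if present.
/interface pppoe-client print
/interface pppoe-client set [find] use-peer-dns=no
/interface pppoe-client print detail

# Step 9 (assumed intent): drop plain DNS that LAN clients try to send
# directly to the internet. Queries to the router itself hit the input
# chain, and the router's own DoH traffic on 443 is unaffected.
/ip firewall filter add chain=forward protocol=udp dst-port=53 action=drop \
    comment="block plain DNS leaving the LAN"
/ip firewall filter add chain=forward protocol=tcp dst-port=53 action=drop \
    comment="block plain DNS leaving the LAN"
/ip firewall filter print

# Step 10: reboot so every service picks up the new resolver settings.
/system reboot
```

The address lookup in step 4 is done from the router's own terminal; on Windows the equivalent check from the post's PowerShell step is Resolve-DnsName doh.familyshield.opendns.com. If the hostname resolves to more than one address, add a static entry for each. After the reboot, /ip dns cache print should show entries being populated while no servers are listed under /ip dns print.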

If you have followed this post correctly, you should now be using DoH.

It’s always DNS.

I was trying to fix a problem with my DNS. But I couldn’t come to a resolution. 🙂