Setup Cloudflare DNS-over-HTTPS (DoH) cache on MikroTik RouterOS router

  • September 9, 2021
  • earegun
  • 2 min read

Cloudflare DNS is an enterprise-grade authoritative DNS service that offers the fastest response time, unparalleled redundancy, and advanced security with built-in DDoS mitigation and DNSSEC. On the other side, MikroTik makes networking hardware and software, which is used in nearly all countries of the world.

Compared to standard UDP DNS, DNS-over-HTTPS (DoH) provides the huge advantage that – due to it being encrypted, someone able to sniff the traffic will not be able to determine what domain names are being used.

However, consider the disadvantage that the latency of resolving a domain name is significantly larger with DoH – however, setting up the MikroTik router as a DNS cache will significantly reduce the overall DNS latency, at least for cached domain names.

The following list of RouterOS commands will setup the internal DNS server as a DNS cache running on DNS-over-HTTPS.

First, download CA certificates onto the router in order to be able to verify CloudFlare’s HTTPS certificates:

Set up Cloudflare DNS and download the HTTPS Certificate

/tool fetch url=

Wait for it to finish downloading, e.g.

[admin@MikroTik] > /tool fetch url=
      status: finished
  downloaded: 210KiBz pause]
       total: 210KiB
    duration: 1s

Now import the file and setup the DNS server:

/certificate import file-name=cacert.pem passphrase=""

/ip dns set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=2000 servers= use-doh-server= verify-doh-cert=yes

Now Enjoy the Fastest DNS service by Cloudflare 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *