Setup Cloudflare as a DoH (DNS over HTTPS) resolver on Mikrotik devices (RouterOS v7.0.2+)

doh

# Temporarily add a normal upstream DNS resolver
/ip dns set servers=1.1.1.1,1.0.0.1

# CA certificates extracted from Mozilla
/tool fetch url=https://curl.se/ca/cacert.pem

# Import the downloaded ca-store (127 certificates)
/certificate import file-name=cacert.pem passphrase=""

# Set the DoH resolver to cloudflare
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

# Remove the old upstream DNS resolvers
/ip dns set servers=""

# Delete the certificate file
/file remove cacert.pem

# OPTIONAL - Disable DDNS
/ip dhcp-client set use-peer-dns=no  # Enter 0 as a number if it asks you
# If you are connection over LTE (for exmaple with a chateau)
/interface lte apn set use-peer-dns=no  # Enter 0 as a number if it asks you
# Verify, that DynDNS is disabled
/ip dns print

Thanks, any idea how frequently the certs must be reinstalled?

@PablexXXXX The CA cert is most likely never going to change as it is the trust anchor for verifying other certificates. Therefore, the CA certificate is expected to remain the same for a long time. Many embedded devices can't even be easily updated. So I wouldn't worry