
好圖狼 wrote:
--
Morning (snipped)
The certificate question has been sorted out: the vast majority of DoH certificates come from https://curl.se/docs/caextract.html
NextDNS can be used with confidence, and you can also attach a script that goes and renews the certificates from time to time.
--
Or refer to the following (using 1.1.1.1 as the example).
Encrypt your DNS requests with MikroTik
(1) Quick command line setup for Cloudflare:
# Temporarily add a normal upstream DNS resolver
1. /ip dns set servers=1.1.1.1,1.0.0.1
# CA certificates extracted from curl.se
2. /tool fetch url=https://curl.se/ca/cacert.pem
# Import CA to ca-store
3. /certificate import file-name=cacert.pem passphrase=""
# Set the DoH resolver to cloudflare
4. /ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes allow-remote-requests=yes
# Remove the old upstream DNS resolvers
5. /ip dns set servers=""
Reminder: Uncheck "use-peer-dns" on dhcp-client (WAN) or pppoe-out1 (WAN)
#########################################################################
(2) Redirect DNS queries to the router:
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 action=redirect
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect
#########################################################################
(3) Script for updating certificates
System > Scripts
Name: Update-Cert
Policy: ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
Source:
/tool fetch url=https://curl.se/ca/cacert.pem
:delay 10s
/certificate import file-name=cacert.pem passphrase=""
#########################################################################
(4) Scheduler to run "Update-Cert" every week
Name: Update-Cert
Policy: ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
Start Time: 00:00:00
Interval: 7d 00:00:00
On Event: /system script run Update-Cert
#########################################################################
--
I found that running the .rsc works, but NextDNS's DoH gets stuck at script execution. I'll look into it another day.
--
Google DoH:
Quick command line setup for Google:
# Temporarily add a normal upstream DNS resolver
1. /ip dns set servers=8.8.8.8,8.8.4.4
# CA certificates extracted from curl.se
2. /tool fetch url=https://curl.se/ca/cacert.pem
# Import CA to ca-store
3. /certificate import file-name=cacert.pem passphrase=""
# Set the DoH resolver to Google
4. /ip dns set use-doh-server=https://8.8.8.8/dns-query verify-doh-cert=yes allow-remote-requests=yes
# Remove the old upstream DNS resolvers
5. /ip dns set servers=""
--
CA certificates usable for any DoH server:
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
For Google DoH you only need to add "https://8.8.8.8/dns-query" or "https://8.8.4.4/dns-query"
/ip dns set use-doh-server=https://8.8.8.8/dns-query verify-doh-cert=yes allow-remote-requests=yes
/ip dns set use-doh-server=https://8.8.4.4/dns-query verify-doh-cert=yes allow-remote-requests=yes
For Cloudflare it is "https://1.1.1.1/dns-query" or "https://1.0.0.1/dns-query"
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes allow-remote-requests=yes
/ip dns set use-doh-server=https://1.0.0.1/dns-query verify-doh-cert=yes allow-remote-requests=yes
For Quad101 it is "https://101.101.101.101/dns-query" or "https://101.102.103.104/dns-query"
/ip dns set use-doh-server=https://101.101.101.101/dns-query verify-doh-cert=yes allow-remote-requests=yes
/ip dns set use-doh-server=https://101.102.103.104/dns-query verify-doh-cert=yes allow-remote-requests=yes
For OpenDNS:
"https://208.67.222.222/dns-query"
"https://208.67.220.220/dns-query"
"https://208.67.222.123/dns-query"
and so on.
As for /ip dns static, newer ROS versions may have made adding these unnecessary. I'm not sure; to be on the safe side:
/ip dns static add address=8.8.8.8 name=dns.google
/ip dns static add address=8.8.4.4 name=dns.google
--
/ip dns static add address=1.1.1.1 name=dns.YAYA
/ip dns static add address=1.0.0.1 name=dns.YAYA
and so on.
--
Character is the best card a person can hold.
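For anyone who wants to see what the router is actually doing after step 4 (and why the curl.se bundle matters for verify-doh-cert=yes), here is a small DNS-over-HTTPS client written as an added example; it is not code from the post above and not MikroTik's. Per RFC 8484 the query is an ordinary DNS wire-format message carried in an HTTPS POST, and the TLS session is validated against a CA bundle. Assumptions: the bundle is saved as cacert.pem next to the script, the default endpoint is https://1.1.1.1/dns-query, and SAMPLE_RESPONSE is constructed by hand (the live doh_query call needs network access and is only run when a bundle path is passed on the command line).

```python
"""RFC 8484 DNS-over-HTTPS client pieces: build a wire-format DNS query,
parse the wire-format answer, and send it over HTTPS with an explicit CA
bundle. Added example; not the forum post's or MikroTik's code."""
import ipaddress
import ssl
import struct
import urllib.request

# Assumption: cacert.pem is the bundle from https://curl.se/ca/cacert.pem,
# stored next to this script. Any DoH endpoint listed in the post works as url.
DEFAULT_CAFILE = "cacert.pem"
DEFAULT_DOH_URL = "https://1.1.1.1/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS query (one question, RD=1). RFC 8484 recommends
    transaction id 0 so HTTP caches can reuse identical queries."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, decode the answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:    # AAAA
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def doh_query(name: str, url: str = DEFAULT_DOH_URL,
              cafile: str = DEFAULT_CAFILE, qtype: int = 1) -> dict:
    """POST the wire query over HTTPS. create_default_context(cafile=...) is
    the counterpart of the router's verify-doh-cert=yes: a server certificate
    that does not chain to the bundle aborts the connection. Needs network."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
        return parse_response(resp.read())


# Constructed sample (not captured traffic): a plausible reply to an A query
# for dns.google. Flags 0x8180 = response, RD, RA, NOERROR; answer names are
# compression pointers (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0)
    + build_query("dns.google")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([8, 8, 8, 8])
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([8, 8, 4, 4])
)

if __name__ == "__main__":
    import sys
    print(parse_response(SAMPLE_RESPONSE))  # offline check of the parser
    if len(sys.argv) > 1:  # python doh_check.py /path/to/cacert.pem (live query)
        print(doh_query("dns.google", cafile=sys.argv[1]))
```

If you point doh_query at an endpoint whose certificate does not chain to the bundle (or pass an empty/stale bundle), urlopen raises an SSL verification error instead of returning an answer, which is the same failure the router reports when verify-doh-cert=yes and the imported CA store is out of date; that is what the weekly Update-Cert script guards against.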