Lillecarl · October 1, 2021 18:45
diff --git a/doh.rsc b/doh.rsc
 {
 /tool fetch url=https://curl.haxx.se/ca/cacert.pem
 /certificate import file-name=cacert.pem passphrase=””
 /ip firewall layer7-protocol
 add name=security.cloudflare-dns.com regexp=security.cloudflare-dns.com
 /ip dns
 set allow-remote-requests=yes cache-max-ttl=1h servers=1.1.1.2,1.0.0.2,2606:4700:4700::1112,2606:4700:4700::1002 use-doh-server=https://security.cloudflare-dns.com/dns-query verify-doh-cert=yes
 /ip firewall filter
 add action=drop chain=output comment="drop dns output if not looking for cloudflare DOH servers." dst-port=53 layer7-protocol=!security.cloudflare-dns.com out-interface-list=WAN protocol=tcp
 add action=drop chain=output comment="drop dns output if not looking for cloudflare DOH servers." dst-port=53 layer7-protocol=!security.cloudflare-dns.com out-interface-list=WAN protocol=udp
 }
	{
	/tool fetch url=https://curl.haxx.se/ca/cacert.pem
	/certificate import file-name=cacert.pem passphrase=””
	/ip firewall layer7-protocol
	add name=security.cloudflare-dns.com regexp=security.cloudflare-dns.com
	/ip dns
	set allow-remote-requests=yes cache-max-ttl=1h servers=1.1.1.2,1.0.0.2,2606:4700:4700::1112,2606:4700:4700::1002 use-doh-server=https://security.cloudflare-dns.com/dns-query verify-doh-cert=yes
	/ip firewall filter
	add action=drop chain=output comment="drop dns output if not looking for cloudflare DOH servers." dst-port=53 layer7-protocol=!security.cloudflare-dns.com out-interface-list=WAN protocol=tcp
	add action=drop chain=output comment="drop dns output if not looking for cloudflare DOH servers." dst-port=53 layer7-protocol=!security.cloudflare-dns.com out-interface-list=WAN protocol=udp
	}