
@kangarie
Last active June 2, 2026 18:09
mikrotik container adguard home script installation
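# Enable container support in device-mode (RouterOS asks for physical confirmation before it takes effect)
/system/device-mode/update container=yes
# veth for the container (172.17.0.1) on a dedicated bridge; the router is its gateway at 172.17.0.254
/interface veth add address=172.17.0.1/24 gateway=172.17.0.254 name=agh
/interface bridge add name=dockers
/interface bridge port add bridge=dockers interface=agh
/ip address add address=172.17.0.254/24 interface=dockers network=172.17.0.0
# NAT so the container can reach upstream; this rule has no src-address or out-interface match, so it masquerades all srcnat traffic
/ip firewall nat add action=masquerade chain=srcnat
# Image registry, temp dir for pulls, and a persistent mount for the AdGuard Home config
/container config set registry-url=https://registry-1.docker.io tmpdir=/disk1/tmp
/container mounts add dst=/opt/adguardhome/conf name=agh_conf src=/disk1/conf/agh
# Create the container from the adguard/adguardhome image, then start the first container entry
/container add remote-image=adguard/adguardhome:latest interface=agh logging=yes mounts=agh_conf start-on-boot=yes workdir=/opt/adguardhome/work root-dir="/disk1/agh" cmd="-c /opt/adguardhome/conf/AdGuardHome.yaml -h 0.0.0.0 -w /opt/adguardhome/work" dns=8.8.8.8 entrypoint=/opt/adguardhome/AdGuardHome
/container start number=0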
@MeJIuFaRo

MeJIuFaRo commented Mar 28, 2023


hello!
I have "exec format error" in logs... ros 7.8

/container
add cmd="--no-check-update -c /opt/adguardhome/conf/AdGuardHome.yaml -h 0.0.0.0 -w /opt/adguardhome/work" entrypoint=/opt/adguardhome/AdGuardHome interface=veth1 logging=yes root-dir=/usb1/adguard start-on-boot=yes workdir=\
    /opt/adguardhome/work

@llity

llity commented Mar 12, 2024


hello! I have "exec format error" in logs... ros 7.8

/container
add cmd="--no-check-update -c /opt/adguardhome/conf/AdGuardHome.yaml -h 0.0.0.0 -w /opt/adguardhome/work" entrypoint=/opt/adguardhome/AdGuardHome interface=veth1 logging=yes root-dir=/usb1/adguard start-on-boot=yes workdir=\
    /opt/adguardhome/work

Does it work properly?

@calum-mcfarlane

calum-mcfarlane commented Jul 28, 2025


hello! I have "exec format error" in logs... ros 7.8

/container
add cmd="--no-check-update -c /opt/adguardhome/conf/AdGuardHome.yaml -h 0.0.0.0 -w /opt/adguardhome/work" entrypoint=/opt/adguardhome/AdGuardHome interface=veth1 logging=yes root-dir=/usb1/adguard start-on-boot=yes workdir=\
    /opt/adguardhome/work

Does it work properly?

You only need this part I think

-c /opt/adguardhome/conf/AdGuardHome.yaml -h 0.0.0.0 -w /opt/adguardhome/work

The dns and entrypoint information goes in separate fields, if you are using Winbox

@DevStdio

DevStdio commented Jun 2, 2026


Mikrotik Adguard

Blocklist for known DoH/DoT/QUIC Servers

Mikrotik list (can be filtered/modified to AdGuard blocklist.)

  • DNS servers blocklist to enable personal blocking of public servers
  • Direct queries to your own DNS resolvers that upstream to root DNS servers.
  • Allow overrides in 'DNS allowlists' (even if they appear in this blocklist)

Tip

  • Copy contents and save with .rsc (mikrotik script ext)
  • Upload to Mikrotik device
    /import path/to/upload/<filename.rsc>
  • Enjoy deeper level of DNS privacy
############################################
# DoH / DoT / Encrypted DNS blocklist
# Generated from dohdot.txt
# Safe to re-run: clears and rebuilds KNOWN_DOH_DOT lists and block rules.
############################################

/ip firewall address-list
remove [find list=KNOWN_DOH_DOT]


/ipv6 firewall address-list
remove [find list=KNOWN_DOH_DOT_V6]


############################################
# IPv4 block rules
# Requires src address-list DNS_CLIENTS.
# Put before general internet allow rules.
############################################

/ip firewall filter
remove [find comment="BLOCK DoH HTTPS to known endpoints"]
remove [find comment="BLOCK DoT TCP853 to known endpoints"]
remove [find comment="BLOCK all DoT TCP853 from DNS clients"]
remove [find comment="BLOCK QUIC UDP443 from DNS clients"]

add chain=forward action=drop src-address-list=DNS_CLIENTS dst-address-list=KNOWN_DOH_DOT protocol=tcp dst-port=443 out-interface-list=WAN comment="BLOCK DoH HTTPS to known endpoints"
add chain=forward action=drop src-address-list=DNS_CLIENTS dst-address-list=KNOWN_DOH_DOT protocol=tcp dst-port=853 out-interface-list=WAN comment="BLOCK DoT TCP853 to known endpoints"
add chain=forward action=drop src-address-list=DNS_CLIENTS protocol=tcp dst-port=853 out-interface-list=WAN comment="BLOCK all DoT TCP853 from DNS clients"
add chain=forward action=reject src-address-list=DNS_CLIENTS protocol=udp dst-port=443 out-interface-list=WAN reject-with=icmp-port-unreachable comment="BLOCK QUIC UDP443 from DNS clients"

############################################
# IPv6 block rules
# Your current config disables IPv6. Keep these for later if IPv6 is enabled.
############################################

/ipv6 firewall filter
remove [find comment="BLOCK IPv6 DoH HTTPS to known endpoints"]
remove [find comment="BLOCK IPv6 DoT TCP853 to known endpoints"]
remove [find comment="BLOCK IPv6 all DoT TCP853"]
remove [find comment="BLOCK IPv6 QUIC UDP443"]

add chain=forward action=drop dst-address-list=KNOWN_DOH_DOT_V6 protocol=tcp dst-port=443 comment="BLOCK IPv6 DoH HTTPS to known endpoints"
add chain=forward action=drop dst-address-list=KNOWN_DOH_DOT_V6 protocol=tcp dst-port=853 comment="BLOCK IPv6 DoT TCP853 to known endpoints"
add chain=forward action=drop protocol=tcp dst-port=853 comment="BLOCK IPv6 all DoT TCP853"
add chain=forward action=reject protocol=udp dst-port=443 reject-with=icmp-port-unreachable comment="BLOCK IPv6 QUIC UDP443"			

############################################
# Verification commands
############################################	
# /ip firewall address-list print count-only where list=KNOWN_DOH_DOT
# /ipv6 firewall address-list print count-only where list=KNOWN_DOH_DOT_V6
# /ip firewall filter print stats where comment~"DoH|DoT|QUIC"

// that's all folks
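
The script in the comment above says it was generated from dohdot.txt. As an added example (not DevStdio's generator, which the page does not show), this is one way to build the two address-list sections from such a feed while refusing anything that is not a single address outside local ranges, since `/import` executes whatever the file contains. The feed format, `SAMPLE_FEED`, `PROTECTED`, `parse_feed` and `build_rsc` are assumptions made for illustration.

```python
import ipaddress

# Ranges that must never land in a drop list: RFC 1918, loopback, link-local,
# CGNAT, multicast/reserved, and IPv6 counterparts. 172.16.0.0/12 also covers
# the gist's container subnet 172.17.0.0/24.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/127", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample feed. One address per line with "#" comments is an
# assumed format; the addresses are documentation-range placeholders.
SAMPLE_FEED = """\
# constructed sample, not real resolver endpoints
198.51.100.7
203.0.113.53
203.0.113.53
2001:db8::53
172.17.0.1
192.168.88.1
10.0.0.0/8
198.51.100.9 trailing text
"""


def parse_feed(text):
    """Return (sorted unique addresses, rejected entries with a reason)."""
    accepted, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # Only a bare host address parses; prefixes and extra tokens fail.
            ip = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append((entry, "not a single IP address"))
            continue
        mapped = ip.version == 6 and ip.ipv4_mapped is not None
        if mapped or any(ip in net for net in PROTECTED):
            rejected.append((entry, "protected range"))
            continue
        accepted.add(ip)
    return sorted(accepted, key=lambda a: (a.version, int(a))), rejected


def build_rsc(addresses):
    """Emit address-list commands from the canonical address string only,
    so raw feed text is never copied into the script."""
    out = []
    for version, menu, name, note in (
        (4, "/ip firewall address-list", "KNOWN_DOH_DOT", "DoH/DoT endpoint"),
        (6, "/ipv6 firewall address-list", "KNOWN_DOH_DOT_V6",
         "DoH/DoT endpoint IPv6"),
    ):
        out.append(menu)
        out.append(f"remove [find list={name}]")
        out += [f'add list={name} address={a} comment="{note}"'
                for a in addresses if a.version == version]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    addrs, bad = parse_feed(SAMPLE_FEED)
    print(build_rsc(addrs))
    for entry, reason in bad:
        print(f"# skipped {entry!r}: {reason}")
```

Review the skipped entries before importing the result; a feed that suddenly contains local or malformed lines is worth investigating rather than ignoring.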
