# Summary: Forcing DNS-over-HTTPS (DoH) to Use IPv6 on MikroTik RouterOS v7.18
## Issue:
Despite configuring DoH with IPv6, the MikroTik router continued to prioritize IPv4 for DNS queries, resulting in errors when connecting to Cloudflare via IPv4.
## Solution:
To enforce IPv6 for DoH and bypass IPv4 limitations, follow these steps:
### Static DNS Entries for DoH Server:
Add a static DNS entry to resolve the DoH server domain (e.g., cloudflare-dns.com) exclusively to its IPv6 address:
```bash
/ip dns static add name=cloudflare-dns.com address=2606:4700:4700::1111
```
This ensures the router never queries external DNS for the DoH domain, forcing IPv6.
### Remove Traditional DNS Servers:
Clear all IPv4 DNS servers to prevent fallback:
```bash
/ip dns set servers="" allow-remote-requests=yes
```
### Block IPv4 for DoH via Firewall:
Temporarily drop IPv4 traffic to the DoH server’s IPv4 addresses (e.g., Cloudflare’s 1.1.1.1):
```bash
/ip firewall filter add chain=output protocol=tcp dst-address=1.1.1.1 dst-port=443 action=drop comment="Block DoH IPv4"
```
This closes active IPv4 connections and forces the router to use IPv6.
### Flush DNS Cache:
Clear cached entries to ensure fresh IPv6 resolutions:
```bash
/ip dns cache flush
```
### Adjust Route Priorities:
- Verifique no firewall IPv6 connection para certificar que as conexões IPv6 para o DNS estão acontecendo.
- Verifique no firewall IPv4 connection para certificar que as conexões IPv4 para o DNS não estão acontecendo.
RouterOS v7+ deprecated the `prefer-ipv6` setting. Route metrics and DNS configuration are now critical for prioritizing IPv6.
If issues persist, ensure your ISP provides stable IPv6 connectivity (e.g., via PPPoE).
This approach successfully bypassed unreliable IPv4 routes while enforcing IPv6 for secure DoH traffic.
## Issue:
Despite configuring DoH with IPv6, the MikroTik router continued to prioritize IPv4 for DNS queries, resulting in errors when connecting to Cloudflare via IPv4.
## Solution:
To enforce IPv6 for DoH and bypass IPv4 limitations, follow these steps:
### Static DNS Entries for DoH Server:
Add a static DNS entry to resolve the DoH server domain (e.g., cloudflare-dns.com) exclusively to its IPv6 address:
```bash
/ip dns static add name=cloudflare-dns.com address=2606:4700:4700::1111
```
This ensures the router never queries external DNS for the DoH domain, forcing IPv6.
### Remove Traditional DNS Servers:
Clear all IPv4 DNS servers to prevent fallback:
```bash
/ip dns set servers="" allow-remote-requests=yes
```
### Block IPv4 for DoH via Firewall:
Temporarily drop IPv4 traffic to the DoH server’s IPv4 addresses (e.g., Cloudflare’s 1.1.1.1):
```bash
/ip firewall filter add chain=output protocol=tcp dst-address=1.1.1.1 dst-port=443 action=drop comment="Block DoH IPv4"
```
This closes active IPv4 connections and forces the router to use IPv6.
### Flush DNS Cache:
Clear cached entries to ensure fresh IPv6 resolutions:
```bash
/ip dns cache flush
```
### Adjust Route Priorities:
- Verifique no firewall IPv6 connection para certificar que as conexões IPv6 para o DNS estão acontecendo.
- Verifique no firewall IPv4 connection para certificar que as conexões IPv4 para o DNS não estão acontecendo.
RouterOS v7+ deprecated the `prefer-ipv6` setting. Route metrics and DNS configuration are now critical for prioritizing IPv6.
If issues persist, ensure your ISP provides stable IPv6 connectivity (e.g., via PPPoE).
This approach successfully bypassed unreliable IPv4 routes while enforcing IPv6 for secure DoH traffic.
Statistics: Posted by csurata — Sun Mar 16, 2025 8:39 pm