
DNS.

RouterOS has a built-in caching DNS resolver. Hand out the router's address via DHCP and it answers LAN queries from its cache when it can, forwarding cache misses to the upstream resolvers you configure. This page covers the standard setup, static entries, and the v7-only DNS-over-HTTPS feature for upstream privacy.

Basic setup

Two settings turn the router into a LAN-wide resolver:

v6:
/ip dns set servers=1.1.1.1,9.9.9.9 allow-remote-requests=yes
v7:
/ip/dns set servers=1.1.1.1,9.9.9.9 allow-remote-requests=yes

servers= is the upstream list — the router forwards cache-misses to these. Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) are sensible defaults; pick what you trust. allow-remote-requests=yes lets LAN clients query the router on UDP/TCP 53. Without it, only the router itself can use DNS.

Firewall — do NOT expose DNS to WAN

allow-remote-requests=yes opens DNS to anyone who can reach the router on port 53. Lock it to LAN-side only or you become an open resolver — used in reflection-amplification DDoS attacks targeting third parties:

v6:
# Block UDP/TCP 53 from WAN — placed ABOVE any general accept rules
/ip firewall filter add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN comment="DNS — block WAN"
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN comment="DNS — block WAN"
v7:
/ip/firewall/filter add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN comment="DNS — block WAN"
/ip/firewall/filter add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN comment="DNS — block WAN"

Better: only ALLOW DNS from LAN (interface-list) and let the default-drop catch everything else. See input chain.
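The ordering mistake the comment in the rules above warns about (a general accept sitting above the DNS drop) is easy to audit from an export. What follows is an added example, not MikroTik's or this guide's code: it parses constructed /ip firewall filter export text, rejoins the backslash-wrapped lines the export produces, and walks the input chain the way the firewall does to see what happens to a fresh UDP/53 query arriving from the WAN interface list. The two exports, the packet model and the small set of matchers it understands are assumptions of the example; any rule using a matcher it does not model is reported as unknown rather than guessed at.

```python
"""Check which verdict an exported RouterOS input chain gives to a DNS query
arriving from the WAN. Added example, not MikroTik's or this guide's code;
the two exports below are constructed to mirror a wrong and a right ordering."""
import shlex

# Constructed: a general accept sits ABOVE the DNS drop, so the drop never fires.
BAD_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="management from anywhere (mistake)"
add action=drop chain=input comment="DNS - block WAN" dst-port=53 \\
    in-interface-list=WAN protocol=udp
"""

# Constructed: allow DNS only from the LAN list, then drop everything else on input.
GOOD_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="DNS from LAN" dst-port=53 \\
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="DNS from LAN" dst-port=53 \\
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all other input" in-interface-list=!LAN
"""

# The packet we reason about: a new UDP/53 query coming in via the WAN list.
WAN_DNS_QUERY = {"chain": "input", "protocol": "udp", "dst-port": "53",
                 "in-interface-list": "WAN", "connection-state": "new"}
LAN_DNS_QUERY = dict(WAN_DNS_QUERY, **{"in-interface-list": "LAN"})

# Matchers this model understands; anything else makes the verdict "unknown".
MODELLED = {"protocol", "dst-port", "in-interface-list", "connection-state"}
NON_MATCHERS = {"chain", "action", "comment", "disabled"}


def parse_export(text):
    """Turn `/ip firewall filter export` text into a list of {key: value} rules.
    Export wraps long rules with a trailing backslash; those pieces are rejoined."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("/", "#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        tokens = shlex.split(pending + line)   # shlex handles comment="with spaces"
        pending = ""
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return rules


def _port_in(port, spec):
    """True if port lies in a single port or a lo-hi range spec."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= int(port) <= int(hi or lo)


def _matches(key, want, have):
    """RouterOS matcher semantics: comma lists mean 'any of', a leading '!' negates."""
    negate = want.startswith("!")
    want = want.lstrip("!")
    if key == "dst-port":
        hit = any(_port_in(have, part) for part in want.split(","))
    else:
        hit = have in want.split(",")
    return hit != negate


def verdict(rules, packet):
    """First matching enabled rule in the packet's chain decides; no match means
    RouterOS passes the packet (the filter's implicit default is accept)."""
    for rule in rules:
        if rule.get("chain") != packet["chain"] or rule.get("disabled") == "yes":
            continue
        matchers = {k: v for k, v in rule.items() if k not in NON_MATCHERS}
        if not set(matchers) <= MODELLED:
            return "unknown", rule          # don't guess about matchers we don't model
        if all(_matches(k, v, packet[k]) for k, v in matchers.items()):
            return rule.get("action", "accept"), rule
    return "accept", None


def wan_dns_verdict(export_text):
    """Verdict for a WAN-originated DNS query, as a plain string."""
    return verdict(parse_export(export_text), WAN_DNS_QUERY)[0]


if __name__ == "__main__":
    for label, text in (("bad", BAD_EXPORT), ("good", GOOD_EXPORT)):
        action, rule = verdict(parse_export(text), WAN_DNS_QUERY)
        where = rule.get("comment", "(uncommented rule)") if rule else "(no rule matched)"
        print(f"{label}: WAN DNS query -> {action} by {where}")
```

Run it against a real export (paste the output of /ip firewall filter export into a file and feed it to wan_dns_verdict) after every rule change; "accept" with no matching rule is the open-resolver case the section describes, and "unknown" means a rule uses a matcher worth reading by hand.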

Static entries

Give a LAN host a memorable name. Useful for "my NAS is nas.home" without running a separate authoritative DNS server.

v6:
/ip dns static add name=nas.home address=192.168.88.50
/ip dns static add name=router.home address=192.168.88.1
v7:
/ip/dns/static add name=nas.home address=192.168.88.50
/ip/dns/static add name=router.home address=192.168.88.1

Static entries can also match by pattern: give regexp=".*\\.home" instead of name= and every .home query is caught (the doubled backslash is RouterOS string escaping for a literal dot in the expression). Use sparingly; a typo in a LAN hostname starts resolving to the wrong machine without warning.

Cache

v6:
/ip dns cache print
/ip dns cache print where name~"example.com"
# Flush:
/ip dns cache flush
v7:
/ip/dns/cache print
/ip/dns/cache print where name~"example.com"
/ip/dns/cache/flush

Default cache size is 2048 KiB, which holds a few thousand entries: plenty for a home LAN; bump it (cache-size=8192) if you run a busy office. Cached TTLs follow the upstream record's TTL — you can't override it from the router.

DNS-over-HTTPS (v7)

DoH is v7 only; RouterOS v6 has no equivalent.

The router sends its upstream queries to a DoH endpoint over HTTPS, so an ISP-side observer sees only an HTTPS connection to (e.g.) Cloudflare, not the plaintext DNS queries. LAN-to-router queries stay plaintext; that's a separate problem the router can't fix transparently, because the client OS has to speak DoH itself.

v7:
# Cloudflare's DoH endpoint
/ip/dns set use-doh-server="https://cloudflare-dns.com/dns-query" verify-doh-cert=yes

verify-doh-cert=yes requires the certificate to chain to a CA in the router's trust store; RouterOS ships no CA bundle, so import the endpoint's root CA under /certificate first. Make sure the router has a real time source (NTP) before enabling this: certificate validation fails on a router whose clock is years off.

Alternative endpoints:

  • https://dns.quad9.net/dns-query — Quad9
  • https://dns.google/dns-query — Google
  • https://doh.opendns.com/dns-query — OpenDNS

Pick one. The router uses DoH for upstream resolution AND keeps falling back to servers= (plaintext UDP) if DoH fails; set servers= to empty if you want strict DoH-only. If the DoH URL names the endpoint by hostname, add a static entry for that hostname first, otherwise an empty servers= leaves the router nothing to resolve the endpoint with.

Ad-blocking via DNS

Many setups want "no ads on the LAN" handled at the router. RouterOS doesn't ship a Pi-hole-style DNS blocklist out of the box. Two workable paths:

  • Static-entry blocklist — fetch a hosts-style blocklist and import each domain as a static entry pointing at 0.0.0.0. Works fine for a few thousand entries; a 100k-entry list bloats the config.
  • External Pi-hole — run Pi-hole on a small VM / Pi on the LAN, point /ip dns set servers= at it, and let the router forward all queries through it. Cleaner; the blocklist updates outside RouterOS.
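The static-entry path needs a converter from hosts-file format to /ip dns static commands, and the conversion is where most of the trouble lives: the list's own localhost lines, duplicates, mixed case, trailing dots and names that are not valid hostnames at all. The script below is an added example, not MikroTik's, Pi-hole's or this guide's code. It parses a constructed sample list, keeps only syntactically valid unique hostnames, and emits a RouterOS script that first removes the previous run's entries (found by a comment tag, my own convention) and then adds the new ones; the max_entries cap enforces the "a few thousand, not 100k" advice above. The sample list, the tag name and the cap value are assumptions of the example.

```python
"""Convert a hosts-style blocklist into RouterOS static DNS entries. Added
example, not MikroTik's, Pi-hole's or this guide's code; the sample list is
constructed and the 'adblock' comment tag is this example's own convention."""
import re

SAMPLE_HOSTS = """\
# constructed sample in hosts-file format, not a real blocklist
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.org.   # mixed case and trailing dot
0.0.0.0 ads.example.net        # duplicate
0.0.0.0 bad_host.example       # underscore: not a valid hostname
0.0.0.0 cdn.example.net metrics.example.net
"""

# Names hosts files carry for the local machine itself; never worth blocking.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Conservative hostname syntax: letter/digit/hyphen labels, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def parse_hosts(text):
    """Return the unique, lowercased, syntactically valid hostnames in order of appearance."""
    names, seen = [], set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then whitespace-split
        for name in fields[1:]:                 # field 0 is the sink address
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or name in seen or not HOSTNAME_RE.match(name):
                continue
            seen.add(name)
            names.append(name)
    return names


def to_router_script(names, v7=False, sink="0.0.0.0", tag="adblock", max_entries=5000):
    """Emit RouterOS commands: remove last run's tagged entries, then add the new ones.
    max_entries guards against importing a 100k-line list into the config."""
    if len(names) > max_entries:
        raise ValueError(f"{len(names)} names exceeds max_entries={max_entries}")
    path = "/ip/dns/static" if v7 else "/ip dns static"
    lines = [f'{path} remove [find comment="{tag}"]']
    lines += [f'{path} add name={n} address={sink} comment="{tag}"' for n in names]
    return lines


if __name__ == "__main__":
    # Write the output to a .rsc file and run it on the router with /import.
    print("\n".join(to_router_script(parse_hosts(SAMPLE_HOSTS))))
```

Because every entry carries the same comment tag, re-running the script replaces the whole set atomically enough for a home LAN; the remove line is also the one-command undo if a blocked name turns out to be something you need.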