DNS.
RouterOS has a built-in caching DNS forwarder. Pointed at by the DHCP server, it answers LAN queries directly when cached and forwards everything else to the upstream resolvers you configure; it is not a full recursive resolver and never walks the root hierarchy itself. This page covers the standard setup, static entries, and DNS-over-HTTPS for upstream privacy (available since RouterOS v6.47 and in v7).
Basic setup
Two settings turn the router into a LAN-wide resolver:
# v6 syntax
/ip dns set servers=1.1.1.1,9.9.9.9 allow-remote-requests=yes
# v7 syntax
/ip/dns set servers=1.1.1.1,9.9.9.9 allow-remote-requests=yes
servers= is the upstream list; the router forwards cache-misses to these. Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) are sensible defaults; pick what you trust.
allow-remote-requests=yes lets LAN clients query the
router on UDP/TCP 53. Without it, only the router itself can use
DNS.
Firewall — do NOT expose DNS to WAN
allow-remote-requests=yes opens DNS to anyone who can
reach the router on port 53. Lock it to LAN-side only or you become
an open resolver — used in reflection-amplification DDoS attacks
targeting third parties:
# Block UDP/TCP 53 from WAN; place these ABOVE any general accept rules
# v6 syntax
/ip firewall filter add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN comment="DNS — block WAN"
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN comment="DNS — block WAN"
# v7 syntax
/ip/firewall/filter add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN comment="DNS — block WAN"
/ip/firewall/filter add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN comment="DNS — block WAN"
Better: only ALLOW UDP/TCP 53 into the input chain from the LAN interface-list and let the default-drop at the end of the chain catch everything else, so a missing rule fails closed instead of open. See the input chain page. Either way, verify from outside: a DNS query sent to your WAN address from another network should time out, not return an answer.
Static entries
Give a LAN host a memorable name. Useful for "my NAS is
nas.home" without running a separate authoritative
DNS server.
# v6 syntax
/ip dns static add name=nas.home address=192.168.88.50
/ip dns static add name=router.home address=192.168.88.1
# v7 syntax
/ip/dns/static add name=nas.home address=192.168.88.50
/ip/dns/static add name=router.home address=192.168.88.1
Static entries can also match a pattern. RouterOS does this through the regexp= field rather than a wildcard in name=: regexp=".*\\.home$" catches every .home query (the double backslash is CLI escaping for a literal dot). Use sparingly; a typo in a LAN hostname starts resolving to the wrong machine without warning, and a broad pattern also answers for names that should have gone upstream.
Cache
# v6 syntax
/ip dns cache print
/ip dns cache print where name~"example.com"
# Flush:
/ip dns cache flush
# v7 syntax
/ip/dns/cache print
/ip/dns/cache print where name~"example.com"
/ip/dns/cache/flush
Default cache size is 2048 KiB, which holds a few thousand entries. Plenty for a home LAN; bump it (cache-size=8192) if you have a busy office. Cached records keep the TTL the upstream returned. The router can only cap that lifetime, via cache-max-ttl (default one week): you can make records expire sooner, but you cannot make them stick around longer than the upstream TTL allows.
DNS-over-HTTPS (v6.47 and later, v7)
The router forwards its upstream queries to a DoH endpoint over HTTPS, so an ISP-side observer sees only an HTTPS connection to (e.g.) Cloudflare, not the plaintext DNS queries. LAN-to-router queries stay plaintext; that is a separate problem the router cannot fix transparently, because each client OS has to speak DoH itself. Note also what DoH does not give you: it hides the upstream leg from the path, but the answers are only as trustworthy as the resolver you chose, and it is not DNSSEC validation.
# Cloudflare's DoH endpoint
/ip/dns set use-doh-server="https://cloudflare-dns.com/dns-query" verify-doh-cert=yes
verify-doh-cert=yes requires the server certificate to chain to a CA in the router's certificate store. RouterOS does not ship a root CA bundle, so first download the root CA that signs the endpoint's certificate, upload it to the router and add it with /certificate import; until you do, verification fails with no valid chain. Do not work around that with verify-doh-cert=no: without verification the router will happily talk to whoever an on-path attacker redirects the connection to, which defeats the purpose. Also make sure the router has a real time source (NTP) before enabling; certificate validation on a router whose clock is years off fails as well.
Alternative endpoints:
- https://dns.quad9.net/dns-query (Quad9)
- https://dns.google/dns-query (Google)
- https://doh.opendns.com/dns-query (OpenDNS)
Pick one. The router uses DoH for upstream resolution AND keeps falling back to servers= (plaintext UDP) if DoH fails; set servers= to empty if you want strict DoH-only. Two caveats with that. First, the router still has to resolve the endpoint's own hostname before it can open the HTTPS connection, so with servers= empty either add a static entry for that hostname pointing at one of the provider's published resolver addresses, or give use-doh-server an IP-based URL. Second, "strict" is only as strict as what you can observe: watch the WAN interface for UDP/TCP 53 leaving the router after the change, and if you want it enforced rather than assumed, drop outbound port 53 from the router in the output chain.
Ad-blocking via DNS
Many setups want "no ads on the LAN" handled at the router. RouterOS doesn't ship a Pi-hole-style DNS blocklist out of the box. Two workable paths:
- Static-entry blocklist: fetch a hosts-style blocklist and import each domain as a static entry pointing at 0.0.0.0. Works fine for a few thousand entries; a 100k-entry list bloats the config.
- External Pi-hole: run Pi-hole on a small VM / Pi on the LAN, point /ip dns set servers= at it, and let the router forward all queries through it. Cleaner; the blocklist updates outside RouterOS. The trade-off is that Pi-hole then sees every query arriving from the router's address, so its per-client statistics are lost; if you want those, hand out the Pi-hole address to clients directly via DHCP instead.
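For the static-entry path, the tedious part is turning a hosts-style list into RouterOS commands without importing junk. The converter below is an added example, not code from this page or from MikroTik. It reads hosts-file lines (leading IP, one or more names, # comments), drops the localhost and IPv6 loopback names every hosts file carries, rejects names that are not valid hostnames, lower-cases and de-duplicates, and emits one static-entry command per name in v6 or v7 path syntax, pointing at 0.0.0.0 as the page describes. SAMPLE_HOSTS is a constructed input, not a real blocklist; the 5000-entry warning threshold is an assumption chosen to match the page's "a few thousand entries is fine" guidance.

```python
import re
import sys

# Constructed sample in hosts-file format (not a real blocklist).
SAMPLE_HOSTS = """\
# Example blocklist, constructed for this page
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.org # inline comment
0.0.0.0 metrics.example.com beacon.example.com
0.0.0.0 ads.example.net
0.0.0.0 not_a-valid..name
"""

# Names a hosts file carries that are never blocklist targets.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
               "ip6-localnet", "ip6-mcastprefix", "0.0.0.0"}

# Hostname: dotted labels of letters/digits/hyphen, no leading or trailing hyphen.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")

# Assumed threshold, matching the page's "a few thousand entries is fine".
WARN_ABOVE = 5000


def parse_hosts(text: str) -> list[str]:
    """Return the sorted, de-duplicated hostnames from hosts-style text."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                       # bare IP or garbage: nothing to block
            continue
        for name in fields[1:]:                   # first field is the IP, the rest are names
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or len(name) > 253:
                continue
            if HOSTNAME_RE.match(name):
                names.add(name)
    return sorted(names)


def to_routeros(names, address="0.0.0.0", v7=True, comment="blocklist"):
    """Emit one static-entry command per name, in v6 or v7 path syntax."""
    path = "/ip/dns/static" if v7 else "/ip dns static"
    return [f'{path} add name={n} address={address} comment="{comment}"' for n in names]


if __name__ == "__main__":
    # Usage: python blocklist2rsc.py [hosts-file] > blocklist.rsc
    # then upload blocklist.rsc to the router and run:  /import file-name=blocklist.rsc
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    names = parse_hosts(text)
    if len(names) > WARN_ABOVE:
        print(f"warning: {len(names)} entries; this will bloat the config", file=sys.stderr)
    print("\n".join(to_routeros(names)))
```

The common comment= value is deliberate: it lets you clear the whole imported set later with a single remove [find comment="blocklist"] before re-importing an updated list, rather than hunting for individual entries.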