I have found this awesome guide on how to set up DoH:https://jcutrer.com/howto/networking/mi ... over-https

But, it is a bit out of date and the steps are manual in the GUI instead of automated with a script. Can someone help automate the remaining steps I need in the <> brackets?

/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=””



https://cloudflare-dns.com/dns-query>

i think you can just use this script
no static dns and no certificate validation needed

Yes, because 1.1.1.1 cert already contain also the IP 1.1.1.1 as alternate name
For examplehttps://one.one.one.one/dns-querydo not work without standard server because first must resolve one.one.one.one with the standard DNS.

@kangarie: "no certificate validation" = any MITM can present fake certificate and then see or even modify everything you're sending and receiving. If that's your goal, fine, enjoy. But otherwise it's better to have verification enabled.

no static dns and certificate validation needed

As in

(no static dns) and (certificate validation needed) -> You need certificate validation
or
(no static dns) and (no certificate validation needed) -> You dont need certificate validation

As other write. You should have normal DNS setup and working to make sure you use an URL without IP, so that you can use a Certificate with DoO

You can use the query url with ip address ("https://1.1.1.1/dns-query" ) and enable certificate verification. As the ip address is stored asalternative subject nameinside the certificated this works. No static dns required, but you need to import the correct CA certificate (which is "DigiCert Global Root CA" for Cloudflare).

This should do the job for perfectly secure dns via Cloudflare: