WIP: MikroTik AdGuard with DoT/DoH architecture

docs/wip/MIKROTIK-ADGUARD-DOT-DOH.md

@@ -0,0 +1,64 @@
+# WIP: MikroTik AdGuard Home with DoT/DoH
+
+**Status:** In Progress  
+**Started:** 2026-01-25  
+
+---
+
+## Objective
+
+Single DNS endpoint with failover:
+- External: dns.xtrm-lab.org (DoT 853, DoH 443)
+- Internal: 192.168.31.1 (all LAN clients)
+- Failover: Unraid AdGuard (192.168.31.4) as upstream backup
+
+## Architecture
+
+```
+External ──► dns.xtrm-lab.org ──► NAT ──┐
+            (DoT 853, DoH 443)          │
+                                        ▼
+Internal ──► 192.168.31.1:53 ────► MikroTik AdGuard
+            (LAN clients)          (container)
+                                        │
+                                        ▼
+                                  Upstreams:
+                                  - 192.168.31.4 (Unraid AdGuard)
+                                  - 8.8.8.8 (Google)
+                                  - 1.1.1.1 (Cloudflare)
+```
+
+## Implementation Steps
+
+- [ ] 1. Install AdGuard container on MikroTik
+- [ ] 2. Configure veth interface with IP
+- [ ] 3. Configure AdGuard upstreams
+- [ ] 4. Enable DoT/DoH in AdGuard
+- [ ] 5. Generate/configure TLS certificates
+- [ ] 6. Update NAT rules (DoT/DoH → container)
+- [ ] 7. Update DNS redirect rules (LAN → container)
+- [ ] 8. Test internal DNS
+- [ ] 9. Test external DoT/DoH
+- [ ] 10. Update documentation
+
+## Container Configuration
+
+- **Image:** adguard/adguardhome:latest
+- **Root dir:** /usb1/adguard
+- **Interface:** veth-adguard
+- **Mounts:** Config persistence
+
+## Network Configuration
+
+| Service | Port | Target |
+|---------|------|--------|
+| DNS | 53 | Container |
+| DoT | 853 | Container |
+| DoH | 443 | Container |
+| Web UI | 3000 | Container |
+
+## Notes
+
+- Using script from: https://github.com/maximpri/mikrotik-adguardhome
+- Previous MikroTik containers removed (storage issues)
+- Unraid AdGuard (192.168.31.4) remains as backup upstream