If you are using a Pihole, whether actually on a Raspberry Pi, or as a VM in say, DietPi, you like that it does not resolve ad-servers within your LAN.
However, many apps and devices do not use the offered DNS servers per DHCP, they are just that — an offer. Hardcoded DNS servers will still resolve and allow ads and tracking.
Mikrotik allows you to use NAT rules that will redirect all DNS requests, no matter where they go, to the Pihole. For example, if you query 18.104.22.168 (Google) or 22.214.171.124 (CloudFlare), or some shady ad-allowing DNS server online, it will be redirected to the Pihole. This is also useful for business networks where you don’t want guests using their own DNS servers to bypass your content blocking.
From there, the response has to be masqueraded as though it came from the original server. Without these Masquerade rules, many apps and devices will refuse to function without checking in with their expected ad-servers.
#Edit IPs and Networks to match your setup. 10.10.10.3 is the Pihole in this example. 10.10.10.0/24 is the LAN network. # #Rule for UDP 53 -- Actual DNS #If any DNS request is sent through the router, and it is not already going to 10.10.10.3, redirect it to 10.10.10.3 /ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.3 protocol=udp src-address=!10.10.10.3 dst-address=!10.10.10.3 dst-port=53 # #Rule for TCP53 -- DNS does not normally run on this port, but some programs bypass and use TCP. /ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.3 protocol=tcp src-address=!10.10.10.3 dst-address=!10.10.10.3 dst-port=53 # #Masquerade rules for both types of traffic to hide the source. /ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=10.10.10.0/24 dst-address=10.10.10.3 dst-port=53 /ip firewall nat add chain=srcnat action=masquerade protocol=tcp src-address=10.10.10.0/24 dst-address=10.10.10.3 dst-port=53