If you are using a Pihole, whether actually on a Raspberry Pi, or as a VM in say, DietPi, you like that it does not resolve ad-servers within your LAN.
However, many apps and devices do not use the offered DNS servers per DHCP, they are just that — an offer. Hardcoded DNS servers will still resolve and allow ads and tracking.
Mikrotik allows you to use NAT rules that will redirect all DNS requests, no matter where they go, to the Pihole. For example, if you query 184.108.40.206 (Google) or 220.127.116.11 (CloudFlare), or some shady ad-allowing DNS server online, it will be redirected to the Pihole. This is also useful for business networks where you don’t want guests using their own DNS servers to bypass your content blocking.
From there, the response has to be masqueraded as though it came from the original server. Without these Masquerade rules, many apps and devices will refuse to function without checking in with their expected ad-servers.
#Edit IPs and Networks to match your setup. 10.10.10.3 is the Pihole in this example. 10.10.10.0/24 is the LAN network. bridge is the Inbound Interface of your LAN. If you do not specify an inbound interface, traffic from your WAN will be directed to your internal DNS server -- making you a DNS abuse target. The "!" symbol, means "NOT", in other words -- any address except this specified IP. # #If any DNS request is sent through the router, from the LAN (bridge) and it is not already going to 10.10.10.3, redirect it to 10.10.10.3 /ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.10.10.3 protocol=udp src-address=!10.10.10.3 dst-address=!10.10.10.3 dst-port=53 in-interface=bridge # #Masquerade rules for both types of traffic to hide the source. /ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=10.10.10.0/24 dst-address=10.10.10.3 dst-port=53