Can't renew license — "could not resolve DNS name" error

Hi Team

We are using a CHR version of RouterOS. Everything works — LAN, PPPoE, NAT, VPN and the other services — except DNS on the router. So we set DHCP to hand out Google DNS to the clients, but the router itself cannot renew its license (we are using a P1 license), and the router cannot upgrade either.
I added a static DNS record, mikrotik.com → 159.148.147.196; the router can now ping mikrotik.com, but it still cannot renew the license.


/interface ethernet
# The three CHR ports: ether1 carries the PPPoE uplink, ether2 and ether3 are
# LAN-side (see /interface list member). Running-check is left enabled on all.
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
/interface pppoe-client
# WAN uplink over ether1. add-default-route=yes installs the default route via
# the PPPoE peer; use-peer-dns=yes adds the ISP-supplied resolvers as dynamic
# DNS servers next to the static 8.8.8.8/8.8.4.4 set under /ip dns.
# user= is empty and password=password looks like a placeholder -- presumably
# the credentials were scrubbed before posting; confirm the real values are set.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out2 \
    password=password use-peer-dns=yes user=
/interface list
# Interface lists referenced by the filter (in-interface-list=WAN) and
# srcnat (out-interface-list=WAN) rules further down.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Default wireless security profile. No wireless interface appears anywhere in
# this export, so this entry is not in use here.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# VPN: addresses handed to L2TP clients via the VPN ppp profile. Note the pool
# is in 192.168.200.x, while the forward accept rule in /ip firewall filter
# references src-address=10.10.17.0/24 (the ether2 subnet), not this range.
add name=VPN ranges=192.168.200.220-192.168.200.229
# LAN: DHCP range for dhcp1 on ether2.
add name=LAN ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
# DHCP only on ether2; ether3 (also in the LAN list) has no server and instead
# runs a DHCP client (see /ip dhcp-client).
add address-pool=LAN disabled=no interface=ether2 name=dhcp1
/ppp profile
# local-address=10.10.17.1 is the same address ether2 carries under
# /ip address; clients receive 192.168.200.x from the VPN pool.
add local-address=10.10.17.1 name=VPN remote-address=VPN
/interface l2tp-server server
# L2TP/IPsec with a pre-shared key.
# NOTE(review): the ipsec-secret below has been posted in a public forum thread;
# treat it as disclosed and rotate it on the router and on every client.
set default-profile=VPN enabled=yes ipsec-secret=joeiqojeoajdnijuiernsd823782@#$aiuwo use-ipsec=yes
/interface list member
# WAN = physical uplink port plus the PPPoE interface on top of it.
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=pppoe-out2 list=WAN
add interface=ether3 list=LAN
# Stray member with no interface -- matches nothing; safe to remove.
add list=LAN
/ip address
# Four /24 subnets all bound to ether2. 192.168.1.0/24 is the DHCP subnet;
# 10.10.17.0/24, 10.10.18.0/24 and 192.168.0.0/24 host the dst-nat targets
# used in /ip firewall nat.
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=10.10.17.1/24 interface=ether2 network=10.10.17.0
add address=10.10.18.1/24 interface=ether2 network=10.10.18.0
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
/ip dhcp-client
# DHCP client on ether1 alongside the PPPoE client on the same port, and on
# ether3 even though ether3 is in the LAN list. Both may install their own
# default route and peer DNS servers (RouterOS defaults) -- presumably at most
# one of these is intended; verify against /ip route and /ip dns print.
add interface=ether1
add interface=ether3
/ip dhcp-server network
# Clients are told to use Google DNS directly, not the router's resolver, which
# is why LAN name resolution keeps working while the router's own lookups fail.
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for anything that
# can reach udp/tcp 53 on it. The input-chain accepts for port 53 in
# /ip firewall filter carry no in-interface-list restriction, so this is
# reachable from WAN as well -- an open-resolver / amplification exposure.
# Restrict those accepts to in-interface-list=LAN if remote requests are
# only meant for LAN clients.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
# Static entry for the bare name mikrotik.com only; it does not cover
# subdomains, so it does not help lookups of other hosts under mikrotik.com.
# It works around a resolver failure rather than fixing it; see the note on
# the input chain in /ip firewall filter for the likely root cause.
add address=159.148.147.196 name=mikrotik.com
/ip firewall filter
# NOTE(review): the input chain has no
#   add action=accept chain=input connection-state=established,related
# rule. Every input accept below is keyed on a listening dst-port (or
# protocol=icmp), and the "drop not coming from lan" rule then drops whatever
# else arrives from WAN. Replies to the router's OWN outbound connections --
# DNS answers from 8.8.8.8, the HTTPS session to the licensing/upgrade servers
# -- come back on the WAN interface to an ephemeral dst-port, match no accept
# and are dropped. That fits the reported symptoms exactly: ping works (icmp
# is accepted), DNS and licence renewal fail, LAN clients are unaffected
# (the forward chain only drops invalid and new-from-WAN-not-dstnat). The
# log=yes on that drop rule should show these drops in /log. Adding the
# established,related accept ahead of the WAN drop rule is the fix to try
# first.
# passthrough only counts packets; it has no filtering effect.
add action=passthrough chain=forward
# dst-address=0.0.0.0 matches that single literal address, not "any"
# (that would be 0.0.0.0/0); as written this rule almost never matches.
# 10.10.17.0/24 is the ether2 subnet, not the VPN pool.
add action=accept chain=forward dst-address=0.0.0.0 src-address=10.10.17.0/24
# L2TP/IPsec: AH, ESP, L2TP (1701), NAT-T (4500) and IKE (500).
add action=accept chain=input comment="VPN L2TP AH" protocol=ipsec-ah
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" protocol=\
    ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (1701/udp)" dst-port=\
    1701 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (4500/udp)" dst-port=\
    4500 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (500/udp)" dst-port=500 \
    protocol=udp
# The port accepts below apply to the router itself (chain=input) from any
# interface. Traffic for the dst-nat'd ports is rewritten in prerouting and
# traverses forward, not input, so these only matter for packets aimed at one
# of the router's own addresses. Where the matching service is disabled in
# /ip service (ftp, www, ...) the accept is harmless but dead; where it is not
# (dns 53, and anything else listening) it is exposed to WAN. Restricting
# them with in-interface-list=LAN would shrink the attack surface.
add action=accept chain=input comment="allow HTTPS" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow POP3" dst-port=110 protocol=tcp
add action=accept chain=input comment="allow IMAP" dst-port=143 protocol=tcp
add action=accept chain=input comment="allow LDAP" dst-port=389 protocol=tcp
add action=accept chain=input comment="allow FTP" dst-port=20 protocol=tcp
add action=accept chain=input comment="allow FTP" dst-port=21 protocol=tcp
add action=accept chain=input comment="allow Maria DB Replication" dst-port=\
    14444 protocol=tcp
add action=accept chain=input comment="allow HTTP" dst-port=80 protocol=tcp
add action=accept chain=input comment="allow HTTP for Asterisk" dst-port=18088 \
    protocol=tcp
add action=accept chain=input dst-port=26 protocol=tcp
add action=accept chain=input dst-port=10319 protocol=tcp
add action=accept chain=input dst-port=18139 protocol=tcp
add action=accept chain=input dst-port=18319 protocol=tcp
add action=accept chain=input comment="allow SMTP over SSL/TLS" dst-port=465 \
    protocol=tcp
add action=accept chain=input comment="allow SMTP" dst-port=587 protocol=tcp
add action=accept chain=input comment="allow IMAP over SSL/TLS" dst-port=993 \
    protocol=tcp
add action=accept chain=input comment="allow POP3 over SSL/TLS" dst-port=995 \
    protocol=tcp
# Duplicate of the "allow POP3" 110/tcp rule above.
add action=accept chain=input comment="allow POP3" dst-port=110 protocol=tcp
add action=accept chain=input dst-port=8083 protocol=tcp
add action=accept chain=forward comment="allow dns" dst-port=53 protocol=udp
add action=accept chain=forward comment="allow dns" dst-port=53 protocol=tcp
add action=accept chain=input dst-port=25 protocol=tcp
# "internal DNS" but no in-interface-list: together with
# allow-remote-requests=yes this opens the router's resolver to WAN.
add action=accept chain=input comment="internal DNS" dst-port=53 protocol=udp
add action=accept chain=input comment="internal DNS" dst-port=53 protocol=tcp
add action=accept chain=input comment="allow HTTP" dst-port=81 protocol=tcp
add action=accept chain=input dst-port=3306 protocol=tcp
add action=accept chain=input dst-port=444 protocol=tcp
# Duplicates of the 443/tcp and 500/udp accepts above.
add action=accept chain=input dst-port=443 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp
# port= (not dst-port=) matches either source or destination port.
add action=accept chain=forward comment=ANYDESK port=6568 protocol=tcp
# ICMP accepted from everywhere -- this is why ping from the router works.
add action=accept chain=input protocol=icmp
add action=drop chain=input connection-state=invalid tcp-flags=""
# Catch-all for the router itself from WAN. With no established,related
# accept before it, it also drops the replies to the router's own outbound
# traffic (see the note at the top of this section). Logged, so /log shows
# what it is dropping.
add action=drop chain=input comment="drop not coming from lan" \
    in-interface-list=WAN log=yes
# These 3CX accepts sit AFTER the WAN drop: WAN traffic never reaches them,
# and non-WAN input traffic that gets this far hits the chain's default
# accept anyway, so as ordered they have no effect.
add action=accept chain=input comment=3CX dst-port=5060 protocol=tcp
add action=accept chain=input comment=3CX dst-port=5060 protocol=udp
add action=accept chain=input comment=3CX dst-port=5090 protocol=tcp
add action=accept chain=input comment=3CX dst-port=5090 protocol=udp
add action=accept chain=input comment="3CX TLS" dst-port=5061 protocol=tcp
add action=accept chain=input comment="3CX TLS" dst-port=5061 protocol=udp
add action=drop chain=forward connection-state=invalid tcp-flags=""
# Forward from WAN is allowed only for connections that were dst-nat'd;
# reply traffic passes because only connection-state=new is dropped.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Same placement issue as the other 3CX rules: after the WAN drop.
add action=accept chain=input comment="3cx provisioning" dst-port=5001 \
    protocol=tcp
/ip firewall mangle
# Three passthrough rules with no matchers: they only count packets and
# change nothing. Harmless, but they are noise in the ruleset.
add action=passthrough chain=prerouting
add action=passthrough chain=forward
add action=passthrough chain=postrouting
/ip firewall nat
# "ip address" stands in for the public WAN address in this export (the real
# router needs a literal IP there). NAT rules are evaluated top-down, first
# match wins, so order matters for the overlapping rules called out below.
# dst-nat'd connections are then let through by the forward chain, whose WAN
# drop exempts connection-nat-state=dstnat.
add action=masquerade chain=srcnat out-interface-list=WAN
# Mail/LDAP/FTP published to 192.168.0.5.
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=110 \
    protocol=tcp to-addresses=192.168.0.5 to-ports=110
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=143 \
    protocol=tcp to-addresses=192.168.0.5 to-ports=143
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=389 \
    protocol=tcp to-addresses=192.168.0.5 to-ports=389
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=20 protocol=\
    tcp to-addresses=192.168.0.5 to-ports=20
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=21 protocol=\
    tcp to-addresses=192.168.0.5 to-ports=21
# Disabled, and maps 80 -> 110, which looks like a typo.
add action=dst-nat chain=dstnat disabled=yes dst-address="ip address" \
    dst-port=80 protocol=tcp to-addresses=192.168.0.5 to-ports=110
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=25 protocol=\
    tcp to-addresses=10.10.17.9 to-ports=25
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=9839 \
    protocol=tcp to-addresses=10.10.17.7 to-ports=2289
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=8083 \
    protocol=tcp to-addresses=10.10.17.98 to-ports=8083
# Shadowed: the 110/tcp rule near the top (to 192.168.0.5) matches first,
# so this one never fires.
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=110 \
    protocol=tcp to-addresses=10.10.17.12 to-ports=110
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=995 \
    protocol=tcp to-addresses=10.10.17.12 to-ports=995
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=993 \
    protocol=tcp to-addresses=10.10.17.12 to-ports=993
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=587 \
    protocol=tcp to-addresses=10.10.17.12 to-ports=587
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=465 \
    protocol=tcp to-addresses=10.10.17.12 to-ports=465
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=443 \
    protocol=tcp to-addresses=10.10.17.91 to-ports=443
# 3306 from one source address only ...
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=3306 \
    protocol=tcp src-address=48.12.34.51 to-addresses=10.10.17.71 to-ports=\
    3306
# udp/53 from WAN is handed to 10.10.17.91. If that host is a recursive
# resolver this exposes it to the whole Internet (amplification vector);
# restrict with src-address or drop the rule unless it is meant to be public.
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=53 protocol=\
    udp to-addresses=10.10.17.91 to-ports=53
# ... but this rule then publishes 3306 to everyone, making the src-address
# restriction two rules up meaningless. The database port is open to the
# Internet; remove this rule or add the same src-address restriction.
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=3306 \
    protocol=tcp to-addresses=10.10.17.71 to-ports=3306
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=81 protocol=\
    tcp to-addresses=10.10.17.91 to-ports=8087
# Catch-all for 80/tcp; the two 80/tcp rules after it (src-restricted, and
# the one to 4433) are shadowed and never match.
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=80 protocol=\
    tcp to-addresses=10.10.17.91 to-ports=80
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=80 protocol=\
    tcp src-address=212.213.231.171 to-addresses=10.10.17.91 to-ports=80
add action=dst-nat chain=dstnat dst-address="ip address" dst-port=80 protocol=\
    tcp to-addresses=10.10.17.91 to-ports=4433
/ip firewall raw
# Counter-only passthrough, no effect.
add action=passthrough chain=prerouting
/ip route
# Two identical routes; the second is redundant. The gateway 10.115.0.200 is
# not in any subnet configured under /ip address in this export, so the route
# presumably depends on an address learned via DHCP or PPPoE -- verify it is
# actually active with /ip route print.
add distance=1 dst-address=192.168.8.0/24 gateway=10.115.0.200
add distance=1 dst-address=192.168.8.0/24 gateway=10.115.0.200
/ip service
# Plain-text and unused management services are switched off. winbox and
# www-ssl are not listed here, so they presumably keep their defaults; limit
# them with address= to the management network since the input chain accepts
# several ports from any interface.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

Thank you in advance.

So your clients can use Google DNS but your router can't? That seems a bit strange.

Why is it strange when you look at what he's doing with the port 53 traffic? In fact the whole configuration is bizarre (to me).

And defining mikrotik.com is not a lot of use when (I think) it’s licence.mikrotik.com and upgrade.mikrotik.com that are needed.

Okay, he seems to be a bit confused with the rules (e.g. allowing forward/input for DNS from ALL interfaces — pretty sure it should be allowed only from the internal / customer-facing interface), but I don't see any rule which should prevent the router itself from using DNS.
I still believe that his router shouldn't have any issue reaching the DNS servers, and that is one of the first steps to sorting out any other issues.

Obviously, he can first try to ping each DNS server, then test each server using

:put [:resolve somedomain server=a.b.c.d]

, but in the end I just wanted to confirm my understanding: that his clients (behind the router itself!) can reach DNS while the router can't.