OK, long story short:
AFAIK In RouterOS v6 DNS was updated to support large UDP packet sizes and also TCP support was added - all of these are necessary features.
But as side result RouterOS devices with DNS “allow remote request enabled” , IF UNPROTECTED, now can be subjected to OpenResolver or DNS Amplification Attacks
So now on RouterOS you have same rules as on your Linux DNS servers - requests from outside your network MUST be dropped:
Example of the firewall rules:
/ip firewall filter
add action=accept chain=input comment=“accept established packets” connection-state=established
add action=drop chain=input dst-port=53 in-interface= protocol=udp
add action=drop chain=input dst-port=53 in-interface= protocol=tcp