If I don’t have an easier router method, I shall take your advice. Much thanks either way!
I’m not sure if that would do the trick … but can’t you use the main router as DNS server for clients and use rpi as the router’s upstream DNS server? So set /ip dns set allow-remote-requests=yes servers= … Or do dst-nat on TCP port 53 for “LAN” connections and set up rpi as target (if rpi has got its own IP subnet, hairpin nat is not necessary).
This simplifies setup on rpi which seems to be truly necessary in @anav’s complicated life (where to store that snow shovel that it’s gonna be needed before end of August?) …
Okay so MKX, let’s say I use eth4 for the pi, give it its own LAN (not on my vlan bridge), 192.168.4.1 gateway etc… This I can set up statically on the PI and set up on the router with relative ease.
TWO options as not clear what you mean.
(1) Then instead of DNS server on DHCP networks set to 1.1.1.1 or vlan Subnet gateway, I put in the ACTUAL LANIP of the PI!!
a. will this work
b. what firewall rules would I need (input or forward chain).
c. what do I put for IP DNS remote requests NO ??
OR
(2) Put IP of PI as IP DNS single dynamic server entry, plus allow remote requests ??
Both options are possible.
About option (1)
a. it will work just as setting an external DNS server (e.g. 8.8.8.8) works
b. you need firewall rules in the forward chain … allowing VLANs to connect to rpi’s IP address on port 53 (both TCP and UDP) and allowing rpi to connect to the internet (most important is to allow it to connect to remote DNS servers. Which ones depends on the rpi DNS server setup: you can set it up to use a few select forwarders so it will only connect to those … or you can set it up without forwarders, in which case it will connect to any DNS server in the wild if needed to resolve some particular address)
c. you can if all the clients are going to use rpi directly
About option (2)
Yup.
In my setup, I actually have a hybrid solution: I’m using option (1) for LAN subnets which are “friendly” and I’m using option (2) for “alien” LAN subnets where I don’t want to expose my home DNS server (not an rpi, it’s a proper linux server).
Regardless of using option (2) only for a few select subnets I don’t restrict access to router’s DNS service for “friendly” LAN subnets so I don’t have any special firewall filter rules regarding DNS service on chain=input … call me naïve, but I somehow trust myself
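The option (2) layout from the reply above, written out as a RouterOS config. This is an added example by the editor, not config posted in the thread. Assumed names and addresses: the Pi-hole is 192.168.4.2 on ether4 (router side 192.168.4.1/24), the VLAN interfaces are in an interface list called LAN and the uplink in one called WAN, the address list RPI_servers holds the Pi’s upstream forwarders, and one DHCP network (192.168.5.0/24) is shown for the clients.

```routeros
# Added example (not from the thread): router forwards DNS to the Pi-hole,
# clients only ever talk to the router. Names/addresses below are assumptions.
/interface list
add name=LAN
add name=WAN

/ip address
add address=192.168.4.1/24 interface=ether4

# Router's own resolver uses the Pi as its only upstream and answers LAN clients.
/ip dns
set servers=192.168.4.2 allow-remote-requests=yes

# Clients receive their VLAN gateway (the router) as DNS server.
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 dns-server=192.168.5.1

# input chain: accept DNS from LAN, drop it from WAN.
# allow-remote-requests=yes otherwise exposes an open resolver on the uplink.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN comment="LAN DNS to router"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN comment="LAN DNS to router (TCP)"
add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN comment="no open resolver"
add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN comment="no open resolver (TCP)"

# forward chain: the Pi only needs to reach its configured upstream forwarders.
/ip firewall address-list
add list=RPI_servers address=1.1.1.1
add list=RPI_servers address=8.8.4.4
/ip firewall filter
add chain=forward action=accept src-address=192.168.4.2 dst-address-list=RPI_servers protocol=udp dst-port=53 comment="Pi-hole to upstream"
add chain=forward action=accept src-address=192.168.4.2 dst-address-list=RPI_servers protocol=tcp dst-port=53 comment="Pi-hole to upstream (TCP)"

# Clients that hard-code another resolver are pulled back to the router.
# action=redirect rewrites the destination to the router's own address, which is
# exactly the target wanted in this option. Queries already aimed at the router
# (dst-address-type=local) are left alone.
/ip firewall nat
add chain=dstnat action=redirect in-interface-list=LAN protocol=udp dst-port=53 dst-address-type=!local to-ports=53 comment="Force LAN DNS via router"
add chain=dstnat action=redirect in-interface-list=LAN protocol=tcp dst-port=53 dst-address-type=!local to-ports=53 comment="Force LAN DNS via router (TCP)"
```

Two things to keep in mind with this layout: every query reaches the Pi from 192.168.4.1, so Pi-hole's per-client statistics and any per-client group rules cannot distinguish devices; and the router caches answers, so a change on the Pi's block lists only shows up once the router's cache entry expires (or after /ip dns cache flush).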
Okay, so the scenario is I have 5 VLANS vlan5,6,7,8,9,10 all on the same bridge (being fed on eth2, eth3 to two different managed switches etc…)
vlan5,6,7 require Pi-hole to block advertising, vlans 8,9,10 do not.
RPI is on ether4, not on the bridge, not on a vlan with IP 192.168.4.2 (gateway 192.168.4.1)
Option 1A
vlans 5-7 dhcp network gateway=vlan5-7 gatewayIP respectively and dns-server=192.168.4.2 for all
vlans 8-10 dhcp network gateway=vlan8-10 gatewayIP respectively and dns-server vlan8-10=vlan-gatewayIP respectively.
IP DNS remote requests enabled (yes)
Dynamic servers 1.1.1.1, 8.8.4.4 for example.
/ip firewall filter
allow source vlans 5-8 to access destination 192.168.4.2 dst port 53 protocol udp/tcp
allow source 192.168.4.2 dest port 53 protocol udp/tcp destination-address-list=RPI_servers
(address list = RPI-servers - list of dns servers I wish to allow RPI to use for resolving)
In addition, to prevent vlan5-7 devices from being configured to bypass the DNS setting for the subnet (to use a proxy or to hard code DNS in PC settings) I need to add a redirect rule to these vlans for this purpose… Not needed for the non-RPI vlans unless you can think of a good reason?
/ip firewall NAT
add action=redirect chain=dstnat comment="Force vlan Users 5-7 to RPI for DNS - TCP/UDP" disabled=yes dst-port=53 protocol=tcp/udp src-address-list=VLAN,5-8 subnets (or perhaps in-interface-list=RPI_VLANS, if so created in /interfaces for example).
“Option 1B”
Same as above except I encode all subnets with a fixed list of available servers such that
vlan5-7 is RPI IP, vlans8-10 dhcp-network dns-server is set to 1.1.1.1 or 8.8.4.4
In this case I should be able to set IP remote requests=NO.
I will still need the redirect rule for the RPI vlans5-7 to ensure they don’t stray from RPI IP for dns resolving.
I don’t think I need any other forward rules - for vlan8-10 to access public DNS (as they already have a VLAN to internet allow rule).
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Option 2.
The distinct difference in our outlook here MKX is that they are polar opposites LOL. I am not trusting my friendly networks (or I should say I am protecting my friendly networks from advertising (vlans5-7), but don’t care to protect other vlans from advertising (vlans8-10)
This option is using the RPI as the Dynamic server that the router is allowed to use for DNS requests.
In this option allow remote requests is allowed (yes). VLANs 5-8 have their vlan subnet gateway also as dns-server IP respectively.
I require input filter chain to allow vlans5-7, to router for port 53 etc…
The other vlans (8-10) have their dhcp-network DNS-server settings set to 1.1.1.1 or 8.8.4.4 for example.
In this case I still need the redirect rule for vlans5-7!
The vlans do not require forward filter rules as they already have allow to internet rules in place.
RPI still needs access to internet for port53
Vlans5-7 do not require forward filter rules for port 53.
So in essence to summarize we have two instances of two blocks of vlans (with 3 possible outcomes)
(1) RPI vlans defined by dhcp-network DNS set to RPI IP / IP remote settings not required / forward chain to RPI required / router dynamic server not required
(2) RPI vlans defined by dhcp-network DNS set to gatewayIP / IP remote settings yes required / input chain to 53 required / router dynamic server = RPI IP
Note: both require redirect dstnat rule to ensure RPI cannot be bypassed.
(3) Vlans8-10 defined by dhcp-network server set to public DNS servers / IP remote settings not required / access for vlans to internet already exist / router dynamic server not required
(4) vlans8-10 defined by dhcp-network server set to gatewayIP / IP remote settings yes required / input chain to 53 required / router dynamic servers set to public DNS servers.
Thus
(1) + (4) = Option 1A above
(1) + (3) = Option 1B above
(2) + (3) = Option 2 above.
The selection of (2) + (4) is not possible (although in many cases it is the de facto standard setup) because then all vlans would be either set to RPI or public servers and we wish a mix of both.
Comments??
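Option 1B from the post above, i.e. combination (1) + (3), written out as a RouterOS config. This is an added example by the editor, not config from the thread. Assumptions: the VLAN interfaces are named vlan5 to vlan10 with subnets 192.168.N.0/24 and gateway 192.168.N.1, the Pi-hole is 192.168.4.2 on ether4 (router side 192.168.4.1) with the router as its default gateway, the interface list RPI_VLANS groups vlan5-7, and the address list RPI_servers holds the resolvers the Pi is allowed to forward to.

```routeros
# Added example (not from the thread): Option 1B, VLANs 5-7 use the Pi-hole
# directly, VLANs 8-10 use public resolvers, the router's resolver stays closed.
# Interface names, subnets and list names are assumptions.
/interface list
add name=RPI_VLANS
/interface list member
add list=RPI_VLANS interface=vlan5
add list=RPI_VLANS interface=vlan6
add list=RPI_VLANS interface=vlan7

/ip address
add address=192.168.4.1/24 interface=ether4

# No client is pointed at the router, so remote requests can stay off.
/ip dns
set servers=1.1.1.1,8.8.4.4 allow-remote-requests=no

# DHCP: Pi-hole for 5-7, public resolvers for 8-10.
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 dns-server=192.168.4.2
add address=192.168.6.0/24 gateway=192.168.6.1 dns-server=192.168.4.2
add address=192.168.7.0/24 gateway=192.168.7.1 dns-server=192.168.4.2
add address=192.168.8.0/24 gateway=192.168.8.1 dns-server=1.1.1.1,8.8.4.4
add address=192.168.9.0/24 gateway=192.168.9.1 dns-server=1.1.1.1,8.8.4.4
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=1.1.1.1,8.8.4.4

/ip firewall address-list
add list=RPI_servers address=1.1.1.1
add list=RPI_servers address=8.8.4.4

# forward chain. These must be placed above any generic inter-VLAN drop rule.
/ip firewall filter
add chain=forward action=accept in-interface-list=RPI_VLANS dst-address=192.168.4.2 protocol=udp dst-port=53 comment="VLAN 5-7 to Pi-hole"
add chain=forward action=accept in-interface-list=RPI_VLANS dst-address=192.168.4.2 protocol=tcp dst-port=53 comment="VLAN 5-7 to Pi-hole (TCP)"
add chain=forward action=accept src-address=192.168.4.2 dst-address-list=RPI_servers protocol=udp dst-port=53 comment="Pi-hole to upstream"
add chain=forward action=accept src-address=192.168.4.2 dst-address-list=RPI_servers protocol=tcp dst-port=53 comment="Pi-hole to upstream (TCP)"
# If the Pi runs a recursive resolver (unbound) with no forwarders, replace
# dst-address-list=RPI_servers with out-interface-list=WAN in the two rules above.

# Force VLAN 5-7 clients that hard-code another resolver onto the Pi.
# This needs action=dst-nat with to-addresses: action=redirect would send the
# query to the router's own address, which in this option is not a resolver.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=RPI_VLANS protocol=udp dst-port=53 dst-address=!192.168.4.2 to-addresses=192.168.4.2 to-ports=53 comment="Force VLAN 5-7 to Pi-hole"
add chain=dstnat action=dst-nat in-interface-list=RPI_VLANS protocol=tcp dst-port=53 dst-address=!192.168.4.2 to-addresses=192.168.4.2 to-ports=53 comment="Force VLAN 5-7 to Pi-hole (TCP)"
```

Because dstnat runs before the forward filter, a rewritten query arrives at the forward chain with dst-address=192.168.4.2 and is accepted by the same "VLAN 5-7 to Pi-hole" rule as a normal query, so no extra filter rule is needed for the forced traffic; the reply returns through the router because the Pi's default gateway is 192.168.4.1, which is why no src-nat or hairpin is required. The dst-nat only catches plain DNS on port 53: a client using DNS over HTTPS (port 443) or DNS over TLS (port 853) still bypasses the Pi-hole, so block or inspect those separately if that matters for VLANs 5-7.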