Hotspot: Change DNS After User Authentication

Hi everyone,

I have a question regarding MikroTik Hotspot behavior and DNS handling.

Currently, when I have a Hotspot configured, once a user authenticates successfully, the client receives and uses the global DNS settings configured on the MikroTik router.

My question is: is it possible to change or override the DNS settings after the user has already authenticated?

More specifically, I would like to know if there is a way to force a different DNS (for example, via firewall rules, NAT, or any other method) for authenticated users only. The idea would be to apply different DNS policies dynamically, depending on the user's state (pre-auth vs post-auth).

Has anyone implemented something similar, or can point me in the right direction (firewall mangle rules, dst-nat, DNS redirect, etc.)?

Thanks in advance!

Could you please explain what the point of DNS is for a user who is not yet connected to the network?

Or is it for a guest who does not require authorization?

🧐

Good question.

In my case, the goal is not related to unauthenticated users or guest access.

What I’m trying to achieve is the following:

The DNS server I want authenticated users to use is located in a remote network that is reachable through a VPN. The MikroTik itself does not have direct access to that DNS server. However, once users are authenticated, they are placed into a specific subnet/VLAN that does have connectivity to that remote DNS over the VPN.

So effectively:

  • Before authentication → users use the default/global DNS (local to the MikroTik)

  • After authentication → I want them to use a DNS server located on that remote network

That’s why I’m looking for a way to enforce or redirect DNS after login, since the reachable DNS infrastructure changes depending on the user’s network context.

Hope that clarifies the use case.