Mikrotik DNS Cache

On the Mikrotik DNS cache you have ‘allow-remote-requests’. Does this restrict the cache to only itself or to localnets such as any IP in its subnet?

You can close port 53 for both UDP and TCP for all except your local users and the DNS servers.
You can make an address list and use it quickly, something like this:

Use an access list like this:

/ip firewall address-list
add address=192.168.10.0/24 disabled=no list=Allowed2DNS
add address=173.145.18.64/26 disabled=no list=Allowed2DNS
add address=4.2.2.2 disabled=no list=Allowed2DNS
add address=4.2.2.6 disabled=no list=Allowed2DNS
add address=8.8.4.4 disabled=no list=Allowed2DNS

In the firewall filter rules:

/ip firewall filter
add action=drop chain=input disabled=no dst-port=53 protocol=udp src-address-list=!Allowed2DNS
add action=drop chain=input disabled=no dst-port=53 protocol=tcp src-address-list=!Allowed2DNS

The UDP protocol is connectionless; because of this you can't control DNS operations by the state of the connection.

Good luck.
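
An added audit check for the setup in the answer above (not code from the thread): it parses a RouterOS export and reports the protocols on which port 53 has no input-chain drop rule of the kind posted while allow-remote-requests=yes. The sample export, the function names and the one-command-per-line assumption are constructed for illustration; rule ordering and other accept rules are not evaluated.

```python
import shlex

# Constructed sample export (not from a real router); the rules mirror the post.
SAMPLE = """\
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input disabled=no dst-port=53 protocol=udp src-address-list=!Allowed2DNS
add action=drop chain=input disabled=no dst-port=53 protocol=tcp src-address-list=!Allowed2DNS
"""

def parse_export(text):
    """Yield (menu, verb, params) per command; assumes one command per line."""
    menu = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # current menu path, e.g. "/ip firewall filter"
            continue
        verb, *words = shlex.split(line)
        yield menu, verb, dict(w.split("=", 1) for w in words if "=" in w)

def unguarded_dns_protocols(text):
    """Protocols on which port 53 has no enabled input drop rule with a negated
    source address list. Returns [] when allow-remote-requests is not 'yes'."""
    remote, guarded = False, set()
    for menu, verb, p in parse_export(text):
        if menu == "/ip dns" and verb == "set":
            remote = p.get("allow-remote-requests", "no") == "yes"
        elif menu == "/ip firewall filter" and verb == "add":
            if (p.get("chain") == "input" and p.get("action") == "drop"
                    and p.get("disabled", "no") == "no"
                    and "53" in p.get("dst-port", "").split(",")
                    and p.get("src-address-list", "").startswith("!")):
                guarded.add(p.get("protocol"))
    return sorted({"udp", "tcp"} - guarded) if remote else []

if __name__ == "__main__":
    print(unguarded_dns_protocols(SAMPLE))  # []
    udp_only = "\n".join(SAMPLE.splitlines()[:-1])  # drop the TCP rule
    print(unguarded_dns_protocols(udp_only))  # ['tcp']
```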