port 53 open despite firewall rules

Yes, this is exactly what happens. A MikroTik router does not run "dnsmasq"; it instead runs a home-grown MikroTik DNS server. So an ISP in between the place you are scanning from and your router is intercepting your DNS queries. This is why users should use DoH / DNSCrypt / etc. to prevent this kind of abuse by ISPs.

Sadly it's broken in all current versions of RouterOS with a memory leak. When that is fixed I will for sure turn DoH back on.
There is no reason for my ISP (government or other) to be able to look at my DNS requests.

I want to add more data to this post in case someone else happens to run across this issue as well. I was experiencing the exact same issue the OP was describing: nmap was showing port 53 as open. In my case, the router was also responding to DNS requests. I have all the same firewall rules placed in the same location and order, as well as allow-remote-requests set to no under "/ip dns".

However, what I'm doing that is not the same as the OP is dst-nat'ing all DNS queries to my own internal DNS server, to combat devices that do not adhere to the DHCP settings that are given out and attempt to use their own settings instead.

The resolution for my problem was to add "in-interface-list=!WAN" to both of these NAT rules, which prevents the router from accepting any DNS queries on the WAN interface, as well as from showing port 53 as open in nmap.

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!X.X.X.X dst-port=53 in-interface-list=!WAN log=yes log-prefix=NAT-DNS-TO-X.X.X.X protocol=tcp to-addresses=X.X.X.X to-ports=53
add action=dst-nat chain=dstnat dst-address=!X.X.X.X dst-port=53 in-interface-list=!WAN log=yes log-prefix=NAT-DNS-TO-X.X.X.X protocol=udp to-addresses=X.X.X.X to-ports=53
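
A way to verify from outside whether port 53 is really answered by the router or by an ISP box in the path, as an added example that is not part of this thread and not MikroTik code. It sends a plain UDP DNS query to two addresses: the router's WAN address and a "control" address in the same range that you know runs no resolver (both are placeholders you must replace). If the control address answers too, something upstream is intercepting DNS, which is the first poster's scenario; if only the router answers, the router itself is accepting the query, which is the case the dst-nat fix above addresses. The packet builder and parser are written by hand so the script needs nothing beyond the standard library; the name resolved is only a probe and its result is not used.

```python
"""Probe whether a host answers DNS on UDP/53 and who is really answering.

Added example for this thread; ROUTER_WAN and CONTROL_ADDR are placeholder
assumptions and must be replaced with your own addresses before use.
"""
import secrets
import socket
import struct
from typing import Optional

ROUTER_WAN = "192.0.2.1"     # assumption: your router's public address
CONTROL_ADDR = "192.0.2.2"   # assumption: an address near it that runs no DNS server


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query (RD set, one question, class IN)."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(packet: bytes) -> dict:
    """Decode the DNS header; enough to tell a real answer from noise."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "recursion_available": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "questions": qd,
        "answers": an,
    }


def _skip_name(packet: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) name in the packet."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def extract_a_records(packet: bytes) -> list:
    """Return the IPv4 addresses from the answer section, if any."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(packet, offset) + 4         # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(packet[offset:offset + 4]))
        offset += rdlen
    return addrs


def probe(target: str, name: str = "example.com", timeout: float = 2.0) -> Optional[dict]:
    """Send one query to target:53; return decoded info, or None if nobody answered."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (target, 53))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return None
    info = parse_response(data)
    if info["id"] != txid or not info["is_response"]:
        return None                     # not a reply to our query
    info["a_records"] = extract_a_records(data)
    return info


def classify(router_answered: bool, control_answered: bool) -> str:
    """Interpret the pair of probes in the terms used in this thread."""
    if control_answered:
        return "interception suspected"   # an address with no resolver still answered
    if router_answered:
        return "router answering"         # check allow-remote-requests and dst-nat rules
    return "closed"


if __name__ == "__main__":
    router = probe(ROUTER_WAN)
    control = probe(CONTROL_ADDR)
    print("router :", router)
    print("control:", control)
    print("verdict:", classify(router is not None, control is not None))
```

Run it from a host outside your network (a VPS or a phone on mobile data), not from the LAN, since the dst-nat rules above are meant to act on LAN-originated queries only. A "router answering" verdict after applying the in-interface-list=!WAN change usually means a rule ordering problem in /ip firewall filter or nat rather than the DNS server setting.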

Thanks so much for this. This was driving me crazy.