Thanks Anav,
The setup for the container was taken from the MikroTik YouTube instructional video here: https://www.youtube.com/watch?v=8u1PVouAGnk. You’ll notice that I basically copied it verbatim, with some tweaks to get it working from one of my previous threads: http://forum.mikrotik.com/t/pihole-not-blocking-ads-but-otherwise-working/169693/20
In the previous thread Normis suggested that the best way to have DoH and use my preferred upstream DNS server (1.0.0.3, etc.) was to make the router the upstream DNS server for the pihole using DoH (the default pihole image doesn’t do DoH). This worked, and he seems to know what he’s talking about, so I left it like that.
Does that explain the DNS setup?
It’s easy for a relative newbie, like me, to get confused by the NAT rules. I guess my first priority is to make sure I’m not doing anything unsafe or insecure, then to make sure I’m not enabling WAN DNS requests (if that is even a separate thing).
Does that help? Do you think I need to change any of the rules to protect the router/prevent external DNS requests?
Darren.