But can I ask you why, with the rule:
chain=input action=drop in-interface=ppp-wan
and enabling:
IP/DNS / Allow Remote Requests
the world can call the DNS port?
Well, earlier in the chain, I'm sure you have a rule to allow established,related connections, right?
Any existing connections when you set the default drop policy would still be allowed by the established,related rule... that's one way. You could go into the connections table and remove any that had port 53 if you wanted to drop those immediately.
If new connections are working, then basically, you must have a rule which is permitting the traffic somehow; either you have a rule further up in the chain which permits DNS in the input chain, or the requests are coming in via a different interface.
Go into the firewall filter screen, and use the filter drop-down at the top-right corner of the window to select the input chain. This will make it easier to read that single chain, and you can make 100% sure that there aren't any rules permitting the traffic.
I suppose it's possible there could be an "accept" rule in the prerouting chain of the masquerade table. I don't think an accept rule there would be able to override the filter table, but it's something to consider, since the prerouting chain of mangle is called before the input chain of filter is called.
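
The three explanations in the reply above (the established,related rule, an accept rule further up the chain, a different incoming interface), as an added example that is not part of the original posts: a simplified first-match model in Python, not RouterOS code. The rule lists, the packets and the interface name `ether2` are constructed, and the model assumes a packet that matches no rule is accepted.

```python
# Simplified first-match model of a firewall "input" chain (not RouterOS code).
# Field names follow the thread; every rule and packet below is constructed.

def matches(rule, pkt):
    """A rule matches when every matcher it sets agrees with the packet."""
    for key in ("in-interface", "protocol", "dst-port"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "connection-state" in rule:
        if pkt.get("connection-state") not in rule["connection-state"].split(","):
            return False
    return True

def decide(chain, pkt):
    """Return (1-based position, action) of the first rule that matches.
    Assumption: a packet that matches no rule is accepted."""
    for pos, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return pos, rule["action"]
    return None, "accept"

ESTABLISHED = {"action": "accept", "connection-state": "established,related"}
DROP_WAN = {"action": "drop", "in-interface": "ppp-wan"}
# Hypothetical leftover rule sitting above the drop rule.
DNS_ACCEPT = {"action": "accept", "protocol": "udp", "dst-port": 53}

CHAIN_INTENDED = [ESTABLISHED, DROP_WAN]
CHAIN_SHADOWED = [ESTABLISHED, DNS_ACCEPT, DROP_WAN]

def dns_query(interface, state="new"):
    """Build a constructed DNS packet description for the model."""
    return {"in-interface": interface, "protocol": "udp",
            "dst-port": 53, "connection-state": state}

if __name__ == "__main__":
    cases = [
        ("new query on ppp-wan, intended chain", CHAIN_INTENDED, dns_query("ppp-wan")),
        ("existing connection on ppp-wan", CHAIN_INTENDED, dns_query("ppp-wan", "established")),
        ("new query on ppp-wan, accept above drop", CHAIN_SHADOWED, dns_query("ppp-wan")),
        ("new query on another interface (ether2)", CHAIN_INTENDED, dns_query("ether2")),
    ]
    for label, chain, pkt in cases:
        pos, action = decide(chain, pkt)
        print(f"{label}: {action} (rule {pos})")
```

The position returned for an unexpected accept is the rule to look for when reading the filtered input chain.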