I personally think that DNS-based filtering is going to grow in importance, as threat vectors must ultimately rely on either DNS or a pre-computed hash of IP addresses to communicate with.
As threats are captured and analyzed by security professionals, the pre-computed IP hashes are susceptible to blacklisting. Domain names are much more flexible for the bad actors, and so closing this avenue for "finding home" is key. If the malware cannot find the IP address of its mothership (or the phishing sandbox website, etc.), then the threat is neutralized.
I guess I'm just not looking for a DPI service in Mikrotik for a few reasons.
Firstly, its primary function is to be a router, not a firewall. The firewall rules are quite flexible and allow lots of creative, even ill-advised configurations that perform some task or other. However, the core value of ROS is its ability to be a router, and there are currently many things about this segment which still need work, features which need to be updated, etc. IPv6 functionality is present but very basic at the moment. Failing to keep up with this is going to be a form of creeping death for ROS as a routing platform as adoption progresses.
Secondly (and this is NOT a slam against Mikrotik), I don't think the company has the resources to branch off into yet another highly-specialized field like packet inspecting security appliances. Take CapsMan for instance - it's a wonderful feature, and granted I don't have much experience with it, but it just doesn't seem as evolved and functional as other WiFi controller platforms that have been on the market maturing for several years. It's a Mikrotik solution and allows for an "all-in-one" solution, but it's not going to be as functional/"featureful" as a purpose-built solution.
The ROS software itself is well-known in this community to be easily affected by bugs whenever a new version comes out (hence the bugfix train by Mikrotik - kudos on that, by the way).
It took years and years before development resumed on The Dude - Mikrotik's NMS solution, and my impression from the various threads is that this was due to having no one in-house to work the project.
Mikrotik products are known to have many rough edges when they're new (the 2011 had some issues, the 3011 is becoming more reliable after a year or so, I seem to recall there being Tilera platform issues when the CCR line was new, etc.).
All of this paints a picture, and if Mikrotik were to roll out a DPI solution for RouterOS (a module, perhaps), then would you really want to trust your network security to a greenhorn product line from Mikrotik? For a home network, sure, or for a student computer lab / guest network / etc - that might be great. This could be a very useful ROS module, and after a few years of maturation, might be a very dependable function for ROS to boast.
Finally, speaking for myself, I am not a fan of "all-in-one" solutions. In my experience, such things either offer lots of B+ quality capabilities (nothing truly excellent) or else they have performance/scaling problems whenever any significant portion of their capabilities is actually put into use at once. (Can you imagine actually using a mAP lite as an MPLS PE-router? The feature is available on it.) I would rather plug a great firewall into a great router than sit one decent box in front of the network... and this holds doubly-true for anything as involved as security, because a false sense of security is worse (in some ways) than no security at all.
Again, this isn't a slam against Mikrotik - they're doing great things with this product, and what it does well, it does fantastically well for a great price, but they're not a panacea solution. I would much rather they spend their energy on keeping the router functionality as tip-top as possible than spread themselves even thinner into true firewall development.
When given a spoon,
you should not cling to your fork.
The soup will get cold.