Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Why doesn't a DNS dstnat rule create an open resolver?

Tue Feb 02, 2021 6:24 pm

According to this article (https://wiki.mikrotik.com/wiki/Force_us ... DNS_server) these rules will redirect users on the network to use the specified DNS server. However, they suspiciously look like the rules for port-forwarding, which also use the same dstnat chain and action combo. I tried these rules out on my own RouterBOARD and, surprisingly, they didn't create an open resolver, although in theory they should. How is this possible?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Why doesn't a DNS dstnat rule create an open resolver?

Tue Feb 02, 2021 6:57 pm

"...they suspiciously look like the rules for port-forwarding..."

The reason is that that is exactly what those rules are: they will just redirect (NAT) packets to whichever DNS server you point them to in the NAT rule, be it your router or Google's DNS servers, etc.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Why doesn't a DNS dstnat rule create an open resolver?

Tue Feb 02, 2021 7:01 pm

"...they suspiciously look like the rules for port-forwarding..."

"Reason is that is exactly what those rules are"

If this is true, why isn't it accessible from outside? Unlike regular port-forwarding rules, these DNS ones don't make the RB's DNS server (or any other one) available to clients outside the internal LAN, so I'm wondering what the difference is that makes them usable only from the LAN and not from the WAN too.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Why doesn't a DNS dstnat rule create an open resolver?

Tue Feb 02, 2021 7:19 pm

The only reason would be if a firewall is blocking connections from the outside; otherwise those rules will redirect (NAT) anything with a destination port of 53 to 192.168.88.1.

Also, you will still need to enable "Allow remote..." in the DNS service on the router, or else the router will not respond to DNS requests.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Why doesn't a DNS dstnat rule create an open resolver?

Tue Feb 02, 2021 7:31 pm

My router already has that firewall rule (or rules) to block connections except for those which have NAT rules. The problem is, DNS has the equivalent of a port-forward NAT rule BUT it is NOT accessible from outside, while otherwise identical rules for other services get passed through just fine. "Allow Remote Requests" is turned on in the settings and it works great for local clients.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Why doesn't a DNS dstnat rule create an open resolver?

Tue Feb 02, 2021 7:42 pm

That looks like a fairly standard default MikroTik firewall config; it is difficult to see details from screenshots, an export is much better.

If my assumption above is correct, it means that you typically allow dst-NAT in the "Forward" chain, not the "Input" chain, and as per the example, you are dropping anything not from LAN in rule 5.

Disable all "Input" chain rules and test again.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Why doesn't a DNS dstnat rule create an open resolver?

Tue Feb 02, 2021 8:12 pm

Update: I decided to just add a qualifier to the DNS rule so that only the LAN interface list will work, so that'll block all incoming WAN connections for DNS.
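An added example that is not code from this thread, from MikroTik, or from the wiki page it cites: a RouterOS configuration that puts together the two points the thread arrives at. CZFan's explanation is that a packet dst-natted to the router's own address is evaluated in the input chain, where the default configuration's "drop all not coming from LAN" rule discards it, whereas a port-forward to a LAN host goes through the forward chain, where dst-natted connections are allowed; Cablenut9's fix is to qualify the NAT rule with the LAN interface list. The example assumes the default interface lists LAN and WAN and the 192.168.88.1 address mentioned in the thread; the filter rules are a paraphrase of the RouterOS default configuration written for this illustration, not an export from anyone's router.

```routeros
# Added example; not from the thread or the MikroTik wiki. Assumes the default
# interface lists "LAN" and "WAN" and the router LAN address 192.168.88.1.

# 1. The DNS redirect, qualified with in-interface-list=LAN as in the final
#    post. A port-53 packet arriving on a WAN interface never matches this
#    rule, so nothing is ever dst-natted to the resolver from outside.
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN \
    action=dst-nat to-addresses=192.168.88.1 to-ports=53 \
    comment="Force LAN clients to the router's resolver (UDP)"
add chain=dstnat protocol=tcp dst-port=53 in-interface-list=LAN \
    action=dst-nat to-addresses=192.168.88.1 to-ports=53 \
    comment="Force LAN clients to the router's resolver (TCP)"

# 2. Why even the unqualified wiki rule was not an open resolver behind the
#    default firewall: after dst-nat the packet is addressed to the router
#    itself, so it traverses the "input" chain, and the last input rule drops
#    everything not arriving from LAN. A port-forward to a LAN host is
#    addressed to that host and traverses "forward" instead, where new
#    dst-natted connections from WAN are let through.
#    (Paraphrase of the default configuration, constructed for this example.)
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=drop in-interface-list=!LAN \
    comment="drop all not coming from LAN (this is what stops WAN DNS)"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop new WAN connections that were not dst-natted"

# 3. The resolver setting the thread mentions, and a way to confirm which
#    chain is handling the packets: run a query from a LAN client and a query
#    against the WAN address, then compare the rule counters.
/ip dns set allow-remote-requests=yes
/ip firewall nat print stats where dst-port=53
/ip firewall filter print stats where chain=input
```

With the in-interface-list=LAN qualifier in place the two layers back each other up: an external query to the WAN address matches no NAT rule, is still addressed to the router, and is dropped by the same input-chain rule; a LAN query matches the NAT rule and is answered by the local resolver. If the input chain is later relaxed (for example to allow WinBox from WAN), the NAT qualifier is what keeps port 53 closed.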
