1. Suppose your LAN is connected to ether2. In firewall filter, add a rule in the forward chain to drop UDP connections to port 53:
/ip firewall filter
add action=drop chain=forward disabled=no \
dst-port=53 in-interface=ether2 protocol=udp
2. Now configure the DNS server of your router like this:
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 servers=208.67.222.222,208.67.220.220
/ip dns static
add address=127.0.0.1 disabled=no name=www.facebook.com ttl=1d
add address=127.0.0.1 disabled=no name=facebook.com ttl=1d
add address=127.0.0.1 disabled=no name=www.youtube.com ttl=1d
(here you could add the sites you want)
For the servers I indicated OpenDNS. This is sufficient.
If you have a static public IP address, you can also create a free account at OpenDNS to block some site categories (e.g. "social networks").
If in the LAN you have your own DNS server (e.g. the domain controller of a Microsoft domain), you must set your router as DNS forwarder and disable root hints.
This approach is valid in 99% of cases; it is not valid if a user:
- manually writes a DNS resolution in their hosts file
- configures an external SSL proxy
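The following is an added example, not code from the post above or from MikroTik. It builds the same RouterOS configuration (forward-chain drop for UDP/53, router DNS settings, static sinkhole entries) from a plain list of domains, and adds the check a practitioner wants before relying on it: a static entry without a regexp matches a hostname exactly, so a lookup for a name that is not listed (for example an `m.` or `api.` subdomain) is forwarded upstream and resolves normally. The LAN interface, TTL and sinkhole address are parameters; the upstream servers are the OpenDNS addresses from the post.

```python
"""Generate the DNS-sinkhole RouterOS config from a domain blocklist and check
which hostnames the resulting static entries actually cover.

Assumption (stated in the lead-in): a /ip dns static entry without a regexp is
an exact, case-insensitive hostname match, so every host to sinkhole must be
listed explicitly. The blocklist below is constructed sample input.
"""

SINKHOLE = "127.0.0.1"                              # address returned for blocked names
UPSTREAM = ("208.67.222.222", "208.67.220.220")     # OpenDNS, as in the post


def _canon(name: str) -> str:
    """Normalise a hostname the way a resolver compares it: lower-case, no trailing dot."""
    return name.strip().lower().rstrip(".")


def expand_names(domains):
    """For each apex domain, return the apex and its www host (the two forms the post lists)."""
    names = []
    for d in domains:
        d = _canon(d)
        if not d:
            continue
        for n in (d, "www." + d):
            if n not in names:
                names.append(n)
    return names


def build_config(domains, lan_iface="ether2", ttl="1d"):
    """Return the RouterOS commands as one script: firewall rule, DNS settings, static entries."""
    lines = [
        "/ip firewall filter",
        f"add action=drop chain=forward disabled=no dst-port=53 "
        f"in-interface={lan_iface} protocol=udp",
        "/ip dns",
        "set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB "
        f"max-udp-packet-size=512 servers={','.join(UPSTREAM)}",
        "/ip dns static",
    ]
    for n in expand_names(domains):
        lines.append(f"add address={SINKHOLE} disabled=no name={n} ttl={ttl}")
    return "\n".join(lines)


def is_sinkholed(hostname, domains):
    """True if the router would answer this lookup with SINKHOLE (exact-name match only)."""
    return _canon(hostname) in expand_names(domains)


def uncovered(hostnames, domains):
    """Names from a list of observed lookups that the static entries would NOT catch."""
    return [h for h in hostnames if not is_sinkholed(h, domains)]


if __name__ == "__main__":
    blocklist = ["facebook.com", "youtube.com"]          # constructed sample input
    print(build_config(blocklist))
    # Constructed sample of names seen in client lookups; subdomains slip through.
    seen = ["www.facebook.com", "m.facebook.com", "YouTube.com.", "i.ytimg.com"]
    print("not covered:", uncovered(seen, blocklist))
```

Running `uncovered()` over names taken from the router's DNS cache (`/ip dns cache print`) shows which hosts still resolve normally and therefore need their own static entry.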