I also see this issue on customer routers. My solution was:
1) create an access list for the DNS servers in use
2) create a firewall rule to drop all incoming packets that are targeting udp/53, NOT originating from src-address-list=dns-servers, and coming in from the WAN interface.
However, I would welcome a solution from MikroTik that allows configuring local DNS service access like other IP services:
offer a list of allowed hosts/subnets.
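
The two steps described in the post above, written out as RouterOS commands. This is an added example, not the poster's own configuration: the interface name `ether1` and the addresses (documentation range 192.0.2.0/24) are placeholders to replace with the real WAN interface and the DNS servers the router actually uses.

```routeros
# Added example; interface name and addresses are placeholders.

# Step 1: address list holding the DNS servers the router uses.
/ip firewall address-list
add list=dns-servers address=192.0.2.53 comment="upstream DNS 1 (placeholder)"
add list=dns-servers address=192.0.2.54 comment="upstream DNS 2 (placeholder)"

# Step 2: on the input chain, drop packets arriving on the WAN interface
# for udp/53 unless the source is in the dns-servers list.
# The "!" negates the address-list match.
# The rule has to sit above any broader accept rule in the input chain,
# otherwise the packet is accepted before this rule is evaluated.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    src-address-list=!dns-servers action=drop \
    comment="drop WAN DNS queries not from dns-servers"

# Check that the rule is matching: the packet and byte counters should
# increase while unsolicited queries keep arriving from the WAN side.
/ip firewall filter print stats where comment~"drop WAN DNS"
```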