Well, you are right that you can get false positive matches, but not with something like www.localtaxi.com, only with something like local.com or www.local.com (the \x05 part makes sure of that). I have tried a few ways to enhance it, and this filter even filters them out:
/ip firewall layer7-protocol
add name="DNS .local" regexp="\\x05local\\x01\\x01"
The L7 regex matcher filters out all \x00 bytes, so you can't match on them, but you can match on what is left.
This only works for UDP DNS requests; TCP connections will already have been established before the data packet arrives, so it will be too late to redirect. So there is no need for TCP matching. On the other hand, if the DNS requests should be TCP based, then there is no way for RouterOS to redirect them; that would require a true DNS forwarder capability (hint hint, nudge nudge, MikroTik).
The masquerade NAT rule is needed so that replies come back to the router and can be properly NATed back to the client; otherwise they will be sent directly to the client from an unexpected host.
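To see why the regexp above matches only queries whose last label is "local", here is an added example (not from the post or from MikroTik) that builds DNS query packets in RFC 1035 wire format, strips the \x00 bytes the way the post says the L7 matcher does (that stripping behaviour is taken from the post, not verified against RouterOS here), and applies the pattern; the hostnames are constructed test inputs.

```python
import re
import struct

# The posted layer7 regexp, as a Python bytes pattern.
DOT_LOCAL = rb"\x05local\x01\x01"


def build_dns_query(qname: str, qtype: int = 1, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query in RFC 1035 wire format: 12-byte header plus one question.

    Each label is length-prefixed (so "local" becomes \x05local), the name ends
    with \x00, and QTYPE/QCLASS follow as big-endian 16-bit values.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question += b"\x00" + struct.pack("!HH", qtype, qclass)
    return header + question


def l7_matches(packet: bytes, pattern: bytes = DOT_LOCAL) -> bool:
    """Emulate the matcher as described in the post: drop every \x00 byte, then regex-search.

    After stripping, a ".local" A query ends in  \x05local \x01 \x01  (the \x00
    name terminator and the high bytes of QTYPE=1/QCLASS=1 are gone), whereas
    "local.com" ends in  \x05local \x03com \x01\x01  and so does not match.
    """
    stripped = packet.replace(b"\x00", b"")
    return re.search(pattern, stripped) is not None


def check_queries(names, qtype: int = 1) -> dict:
    """Return {hostname: matched} for a list of constructed hostnames."""
    return {name: l7_matches(build_dns_query(name, qtype=qtype)) for name in names}


if __name__ == "__main__":
    # Constructed sample names: only the first two should be caught by the filter.
    for name, hit in check_queries(
        ["printer.local", "local", "www.localtaxi.com", "local.com", "www.local.com"]
    ).items():
        print(f"{name:20} -> {'MATCH' if hit else 'no match'}")
```

One caveat the emulation makes visible: the trailing \x01\x01 is the stripped QTYPE=1/QCLASS=1, so an AAAA query for the same name (QTYPE 28, which strips to \x1c\x01) is not caught by this regexp.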