From outside the LAN (internet) it is OK, but this is not working from inside the LAN (192.168.2.1).
Probably this is the only choice using NAT? But I'm still wondering why this common situation of publishing port 443 causes such a problem?
So I'm just wondering how I may implement a DNS proxy on the Mikrotik?
Notice that there is a source NAT rule added for LAN<>LAN communications.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 out-interface=LAN src-address=192.168.2.0/24
I tested my rules on a lab and they work for LAN->LAN and for WAN->LAN.
It also does not incorrectly redirect 443 for LAN->WAN - these continue to go out correctly to the Internet.
However, DNS proxy is pretty easy.
In Winbox, under IP > DNS, make sure there are servers defined (or dynamic servers learned from your WAN connection). Once the Mikrotik itself can successfully make DNS lookups, make sure the "Allow Remote Requests" checkbox is checked.
In the same screen, click the Static button, then the + to add a new entry.
Be sure to include an entry for every name that clients can use to reach the server...
Finally, assign the Mikrotik's LAN IP as the DNS server in your internal DHCP (IP > DHCP-Server > Networks > 192.168.2.0/24 > DNS Servers: 192.168.2.1).
Optionally, you can create a redirect rule in the dstnat chain (port 53, UDP and TCP); action=redirect means to intercept the request and handle it with the Mikrotik itself. Interestingly, after doing this, every IP address on the Internet will work as DNS for your client PCs.
FYI - the reason the srcnat is required is this:
request from 192.168.2.99:12345 -> 192.168.1.101:443
packet is now 192.168.2.99:12345 -> 192.168.2.2:443
-packet forwards to server-
-Server sees source is local IP - sends reply directly to client-
-client receives packet directly from server, Mikrotik is skipped-
packet = 192.168.2.2:443 -> 192.168.2.99:12345
-client is confused - it never asked for 192.168.2.2:443 so it drops the packet-
-client never receives reply from 192.168.1.101:443, and sends a retry-
-retry fails for same reason-
-max retries, connection times out-
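As an added example (not from the original post), here is the same setup typed into the RouterOS CLI instead of clicked in Winbox, with the hairpin rules from the post alongside it. It assumes the addressing used in the walkthrough above: WAN address 192.168.1.101 on an interface named WAN, LAN 192.168.2.0/24 on interface LAN with the router at 192.168.2.1, the web server at 192.168.2.2, and a hostname www.example.com that clients use. The upstream resolvers and the 443 dst-nat rule do not appear in this thread and are written here as typical ones.

```routeros
# Added example: RouterOS CLI equivalent of the Winbox steps in the answer above.
# Assumed addressing (only 192.168.1.101 and 192.168.2.x come from the thread):
#   WAN interface "WAN" at 192.168.1.101, LAN interface "LAN", router LAN IP
#   192.168.2.1, web server 192.168.2.2, public name www.example.com (assumed).

# 1. DNS proxy: upstream resolvers (assumed; dynamic WAN servers also work)
#    plus "Allow Remote Requests" so LAN clients may query the router.
/ip dns set servers=9.9.9.9,149.112.112.112 allow-remote-requests=yes

# 2. Static entry so LAN clients resolve the public name straight to the LAN
#    address. Add one line per name clients can use to reach the server.
/ip dns static add name=www.example.com address=192.168.2.2

# 3. Hand out the router itself as the DNS server over DHCP.
/ip dhcp-server network set [find address="192.168.2.0/24"] dns-server=192.168.2.1

# 4. Optional: intercept every plain-DNS request from the LAN (UDP and TCP 53)
#    and answer it locally, whatever resolver the client has configured.
#    in-interface=LAN keeps this from touching traffic arriving on WAN.
/ip firewall nat add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect to-ports=53
/ip firewall nat add chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect to-ports=53

# 5. Caveat: allow-remote-requests=yes also answers queries that arrive on WAN.
#    Drop DNS on the input chain from the Internet, or the router becomes an
#    open resolver usable for amplification. These must sit above any general
#    accept rule in the input chain (use place-before= if needed).
/ip firewall filter add chain=input in-interface=WAN protocol=udp dst-port=53 action=drop
/ip firewall filter add chain=input in-interface=WAN protocol=tcp dst-port=53 action=drop

# 6. The 443 port forward (typical rule, assumed) and the hairpin srcnat from
#    the post, for LAN clients that still hit the WAN address directly.
/ip firewall nat add chain=dstnat dst-address=192.168.1.101 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.2.2 to-ports=443
/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.2.0/24 out-interface=LAN action=masquerade
```

Two things worth checking after pasting this in. First, the hairpin masquerade in step 6 makes the server see every hairpinned connection as coming from 192.168.2.1, so the web server's access logs lose the real client address; the DNS split in steps 2 and 3 avoids that, because clients then talk to 192.168.2.2 directly and never need the hairpin. Second, the redirect in step 4 only catches plain DNS on port 53; clients using DNS over HTTPS or TLS bypass it and will still get the public address, so the static entry and the hairpin rules are complementary rather than alternatives.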