betatik
just joined
Topic Author
Posts: 8
Joined: Wed Feb 17, 2016 8:41 am

DNS dont match

Fri May 27, 2022 2:43 am

Hi everyone, and thank you for showing your interest by clicking my post. My English is not perfect, so I will try to make this as short as possible.

The goal is to make a whitelist with the DNS dynamic resolver function in "Firewall -> address_list",
and then restrict my phone to only access the internet through this whitelist.

My issue is that the MikroTik DNS resolver and Wireshark don't give me the same answer!!!

If I open WinBox, go to Firewall -> address_list, create a new address list and paste, for example, "game.clashofclans.com",

the MikroTik DNS resolver gives me a different answer than Wireshark.

Here is the test: my phone asks DNS from my router, the NAT rule sends the request to my Pi-hole, and my Pi-hole sends the request to 1.1.1.1 (my Pi-hole is on the same local network, different subnet).

When my router needs a DNS request for itself or for another device without the Pi-hole filter, my router goes directly to the internet and asks DNS from 1.1.1.1.

I have captured my phone's DNS traffic with Wireshark, in case someone has an explanation. Thank you.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS dont match

Fri May 27, 2022 4:48 am

That hostname has several IP addresses with just a one-minute TTL, and they change all the time. Not with each single query, but if you keep trying, you'll soon get addresses that the previous response didn't contain, and others previously present will be gone.

The problem here is that TTL is in seconds, which is relatively rough. If you're lucky, the query sent by the router will get a response with some data, and the query sent a moment later by the Pi-hole will also get the same cached data. If you're less lucky, each will get different data. Just a millisecond between queries can make the difference.

You can improve it slightly if both router and phone use exactly the same data, which means that either both have to query the Pi-hole, or, maybe even better, the router should query the Pi-hole and the phone should query the router. But even that doesn't guarantee success. There will always be some delay: communication between devices, updating of the address list, the phone probably also has some internal DNS cache, etc. Last time I was checking this with such low-TTL hostnames, it was really bad.
 
betatik
just joined
Topic Author
Posts: 8
Joined: Wed Feb 17, 2016 8:41 am

Re: DNS dont match

Fri May 27, 2022 12:06 pm

Thank you for your answer. I just saw that I posted the only DNS picture that matches; they match 1/30 because the TTL is too short.
I will try to find another way to make this whitelist possible. It works for most things, but some mobile games like this one give me a headache.

Have a good day!
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS dont match

Fri May 27, 2022 2:42 pm

I was thinking about a script that would resolve the hostname and add the address(es) as static record(s) (the client would be using the router as resolver). It would do it periodically and would allow overlap, i.e. the first run would get address(es) #1 and add them. The second run would get address(es) #2, add them, but also keep #1. The third run would add #3, keep #2 and remove #1. The problem is that it doesn't really solve it, because if there are addresses #1 and #2, a client asking the router can get an answer from #1, and if the router removes it a moment later, it will still fail. This could be solved if the address list didn't use hostnames and was updated by the script instead, with resolved numeric addresses. That would work. The idea is quite simple; only doing it with the not exactly friendly RouterOS scripting may not be that simple.
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNS dont match

Fri May 27, 2022 3:39 pm

... the first run would get address(es) #1 and add them. The second run would get address(es) #2, add them, but also keep #1. The third run would add #3, keep #2 and remove #1. The problem is that it doesn't really solve it, because if there are addresses #1 and #2, a client asking the router can get an answer from #1, and if the router removes it a moment later, it will still fail.

If one uses dynamic address lists (dynamic entries are the ones with the timeout property set), then there is a benefit in this scenario: one doesn't have to remove old entries by hand; ROS will do it automatically upon timeout expiry, and the timeout can be as short as a few seconds. And if adding fails because a similar entry already exists, one can just reset the timeout on the existing entry ... which can be done like in the following code example:
:do { /ip firewall address-list add address=xx.yy.zz.ww list=gamerz timeout=120s } on-error={ /ip firewall address-list set [ /ip firewall address-list find address=xx.yy.zz.ww list=gamerz ] timeout=120s }
so the second part (resetting the timeout) happens automatically if the first part fails (because the address list already contains an entry with that address).
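A constructed RouterOS 7 script, added here as an example and not Sob's or mkx's code, that combines the two ideas above: resolve the hostname, take every A record the router just cached, and add each numeric address to the list as a dynamic entry with a timeout, refreshing the timeout when the entry already exists. It assumes the v7 DNS cache exposes `name`, `type` and `data` fields; the list name "gamerz", the hostname and the 2-minute timeout are placeholders.

```routeros
# Constructed example (not from the thread): keep address list "gamerz" populated with
# every A record currently returned for a low-TTL hostname, using dynamic entries.
:local host "game.clashofclans.com"
:local list "gamerz"
# Entry lifetime; keep it longer than the scheduler interval so an entry is always
# refreshed before it expires (this avoids the expiry race Sob is worried about).
:local ttl 2m

# :resolve returns only one address, but it makes the router query upstream and
# cache the whole answer, so every A record becomes visible in /ip dns cache.
:do {
    :resolve $host
} on-error={
    :log warning ("whitelist refresh: could not resolve " . $host)
}

# Assumption: RouterOS 7 cache entries carry name/type/data (v6 used /ip dns cache all).
:local count 0
:foreach i in=[/ip dns cache find where name=$host type="A"] do={
    :local addr [/ip dns cache get $i data]
    # Add as a dynamic entry; if it already exists, just extend its timeout instead
    # (the same add / on-error / set pattern mkx showed above).
    :do {
        /ip firewall address-list add address=$addr list=$list timeout=$ttl comment=$host
    } on-error={
        /ip firewall address-list set [/ip firewall address-list find address=$addr list=$list] timeout=$ttl
    }
    :set count ($count + 1)
}
:log info ("whitelist refresh: " . $count . " address(es) for " . $host . " in list " . $list)
```

Run it from /system scheduler at an interval shorter than the timeout (for example every 30s) so existing entries are renewed before they expire, and point the phone at the router as its resolver so it sees the same cached answers the list was built from.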
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS dont match

Fri May 27, 2022 7:24 pm

I forgot about entries with timeout. On one hand that can make it simpler, but I'm not sure whether it can't bring another problem with synchronization. What if adding a new entry fails, but the old one is removed by the system because it times out before the code in on-error finishes? I don't know if it can happen, but if it can, it would be a problem.
