I was having issues with catching (and blocking) any device that tried to use manually set DNS servers in my network. It is a home network, but I do not want devices to be going out the wrong path if they are inside my network.
So I did 2 things that may be a bit excessive for some people, but anyway, here is the thing: my main router is at 192.168.1.1 and my DNS is at 192.168.1.10.
First I identify any attempt to contact a DNS port (53) and I tag it:
/ip firewall mangle add action=mark-connection chain=prerouting comment="trap dns queries" connection-mark=no-mark dst-address=!192.168.1.10 dst-port=53 in-interface-list=lans new-connection-mark=dns-route passthrough=yes protocol=udp src-address=!192.168.1.10
/ip firewall mangle add action=mark-connection chain=prerouting comment="trap dns queries" connection-mark=no-mark dst-address=!192.168.1.10 dst-port=53 in-interface-list=lans new-connection-mark=dns-route passthrough=yes protocol=tcp src-address=!192.168.1.10
Then I make sure I redirect these requests to the Pi-hole address and srcnat/dstnat them accordingly:
/ip firewall nat add action=masquerade chain=srcnat comment="SNAT to PI-Hole" connection-mark=dns-route to-addresses=192.168.1.10
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to PI-Hole" connection-mark=dns-route to-addresses=192.168.1.10
Some people have said that just masquerading is enough, but in my experience it didn't cut it. And you can see in the firewall connections tab that any query to any DNS on the ports you defined will be redirected to your DNS and it will be properly formatted when the reply returns.
And because I have a trio of ISPs, I split the DNS queries onto all the connected ISPs. This increases reliability, but it is certainly not required and I just put it here as an example. Note: lans is a list of all interfaces that are in the local network, and WAN#_conn is a routing rule that makes any marked packet go through the interface if it is up and running; otherwise it goes through the main routing table.
/ip firewall mangle add action=mark-connection chain=prerouting comment="Nth DNS to WAN1 out of 3" connection-mark=no-mark dst-address-type=!local dst-port=53 in-interface-list=lans new-connection-mark=WAN1_conn nth=3,1 passthrough=yes protocol=udp
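The redirect rules above (mark, then dst-nat plus masquerade), modelled as an added example that is not part of the original post and is not RouterOS code: it shows which flows the mangle rule marks, which resolver ends up answering, and what reply source the client sees with each NAT rule switched on or off. It assumes a /24 LAN with the Pi-hole on the same subnet as the clients; the client address 192.168.1.50 and all function names are constructed.

```python
from ipaddress import ip_address, ip_network

ROUTER, PIHOLE = ip_address("192.168.1.1"), ip_address("192.168.1.10")
LAN = ip_network("192.168.1.0/24")  # assumption: clients and Pi-hole share this /24


def marked(src, dst, dport):
    """Mangle rule from the post: port 53 from the LAN, neither end is the Pi-hole."""
    return dport == 53 and src in LAN and src != PIHOLE and dst != PIHOLE


def resolve(client, asked, dport=53, dnat=True, snat=True):
    """Return (resolver that answers, reply source address the client sees)."""
    src, dst = ip_address(client), ip_address(asked)
    if not marked(src, dst, dport):
        return dst, dst              # untouched: the query goes where the client sent it
    if dnat:
        dst = PIHOLE                 # "DNAT to PI-Hole" rule
    if snat:
        src = ROUTER                 # masquerade: router's own LAN address
    if src == ROUTER or dst not in LAN:
        # The reply travels back through the router, so connection tracking
        # reverses the translation and the client sees the server it asked.
        return dst, ip_address(asked)
    # The Pi-hole sees the real client on its own subnet and answers it directly,
    # bypassing the router: the reply source does not match what the client asked.
    return dst, dst


def reply_accepted(client, asked, **kw):
    """A stub resolver only accepts a reply from the address it queried."""
    _, seen = resolve(client, asked, **kw)
    return seen == ip_address(asked)


if __name__ == "__main__":
    cases = [  # constructed sample flows
        ("both rules", "192.168.1.50", "8.8.8.8", {}),
        ("dst-nat only", "192.168.1.50", "8.8.8.8", {"snat": False}),
        ("masquerade only", "192.168.1.50", "8.8.8.8", {"dnat": False}),
        ("Pi-hole upstream", "192.168.1.10", "8.8.8.8", {}),
        ("DNS over TLS", "192.168.1.50", "1.1.1.1", {"dport": 853}),
    ]
    for name, client, asked, kw in cases:
        answered_by, seen = resolve(client, asked, **kw)
        ok = reply_accepted(client, asked, **kw)
        print(f"{name:17} answered by {answered_by}, client sees {seen}, accepted={ok}")
```

The last case shows that the rules only match port 53, so DNS sent over other ports such as 853 is not redirected by them.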