The DHCP server is already configured to hand out Pi Hole as the default DNS server, so everything is OK with the clients' config.
But some clients get a domain resolved even if it was already present on the blacklist.
To put it as briefly as possible: Mikrotik DNS is used by the Pi devices only. All other devices are configured (by the DHCP server on the Mikrotik) to use the Pi Holes as DNS servers.
I need a way to filter/drop all DNS requests to the Mikrotik not originating from the Pi devices mentioned above... or route/forward them to one of the Pi Holes.
I don't believe what you think is happening is actually happening... Confirm with Wireshark.
Unless the hosts have the Mikrotik set up as a DNS server, they won't use it.
It is more likely the hosts are doing their own DNS lookups to a separate server, either programmed in or DoH (DNS over HTTPS).
Firewalling port 53 on the Input chain, dropping all IPs except the Pi-Hole IP, would do it.
It might be better to turn off Allow-External-Lookup on the Mikrotik and have Pi-Hole do recursive lookups on its own, or just forward to a public server. Then you know no client can ask the Mikrotik to do a lookup.
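
The input-chain filter suggested in the reply above, written out as RouterOS commands (an added example, not posted by anyone in this thread). The address-list name `pihole`, the log prefix and the two 192.168.88.x addresses are assumed placeholders for the Pi-hole hosts.

```routeros
# Assumed placeholder addresses for the two Pi-hole hosts; replace with your own.
/ip firewall address-list
add list=pihole address=192.168.88.2 comment="primary Pi-hole"
add list=pihole address=192.168.88.3 comment="secondary Pi-hole"

# Drop DNS aimed at the router itself (input chain) from any source not in the list.
# DNS uses both UDP and TCP port 53, so each protocol needs its own rule.
# log=yes records the source address of every dropped query, which shows
# whether any client is actually asking the router directly.
/ip firewall filter
add chain=input protocol=udp dst-port=53 src-address-list=!pihole \
    action=drop log=yes log-prefix="dns-to-router" comment="DNS only from Pi-hole"
add chain=input protocol=tcp dst-port=53 src-address-list=!pihole \
    action=drop log=yes log-prefix="dns-to-router" comment="DNS only from Pi-hole"
```

`add` appends to the end of the filter list, so both rules have to be moved above any existing rule that accepts input from the LAN. They only cover queries addressed to the router; lookups that clients send through it to another resolver or over DoH pass the forward chain and are not touched.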
As I already noted, I have two Pi devices, both configured as DNS sinkholes (Pi Hole). The only difference is that one of them (primary) has conditional forwarding enabled and set up, so I could use hostnames instead of IP addresses to access devices/hosts present on my network.
Using an app (Ping Tools) to check DNS resolving, I found out that querying, for example, the googlesyndication.com domain returned the correct IP on the primary Pi Hole DNS server, but got blocked by the secondary one. Both Pi devices use Mikrotik DNS (which is configured to use DoH) as the upstream DNS server for their needs (firmware/software updating, etc.).
Why is the conditional forwarding only set up on one of them? It should be on both.
Someone else please correct me if I am wrong, but...
Mikrotik doesn't add DHCP leases to the DNS entries. If you want the local domain to resolve, you would be better off using Pi-Hole as the DHCP server.
As for your Ping Tools application test, you reached the wrong conclusion from the results.