Fazio8
just joined
Topic Author
Posts: 3
Joined: Wed Feb 28, 2024 2:45 pm

DNS Redirect Sanity Check

Wed Feb 28, 2024 2:51 pm

Hello,
I'm configuring a NAT rule to redirect all the DNS traffic bypassing the Mikrotik gateway to the Mikrotik CHR itself:
 3    chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 
      protocol=udp src-address=!192.168.1.1 dst-address=!192.168.1.1 
      dst-port=53 log=yes log-prefix="" 

 4    chain=srcnat action=masquerade protocol=udp src-address=!192.168.1.1 
      dst-address=192.168.1.1 src-address-list=allowed_to_router dst-port=53 
      log=yes log-prefix=""
Checking for previous guides/posts, I configured the rules above. My understanding is that rule 3 is redirecting all the traffic not directed to 192.168.1.1 (DNS provided by DHCP) on port 53 to 192.168.1.1 port 53. Is this correct?
Performing several dig tests, it seems to be working, but I don't understand the meaning of rule 4 with srcnat masquerade. I see no hits for rule 4, while rule 3's counter keeps increasing while I dig towards an external DNS server.
What am I missing?
Thank you!
 
DeadStik
just joined
Posts: 20
Joined: Thu Jan 04, 2024 4:35 pm

Re: DNS Redirect Sanity Check

Wed Feb 28, 2024 5:20 pm

That Rule 4 would only be needed if you were redirecting to another device in your network such as a pi-hole or similar.
 
Fazio8
just joined
Topic Author
Posts: 3
Joined: Wed Feb 28, 2024 2:45 pm

Re: DNS Redirect Sanity Check

Wed Feb 28, 2024 5:55 pm

That Rule 4 would only be needed if you were redirecting to another device in your network such as a pi-hole or similar.
Thank you. For my understanding: if I had a different DNS server, would it not work by editing rule 3 and the to-addresses IP only? Without masquerading, would the DNS reply to the device be broken?
 
DeadStik
just joined
Posts: 20
Joined: Thu Jan 04, 2024 4:35 pm

Re: DNS Redirect Sanity Check  [SOLVED]

Wed Feb 28, 2024 7:08 pm

If the DNS server is in the same IP scope, it would be broken without the masquerade rule. This is the same issue as Hairpin NAT.

If you use an IP outside of your LAN IP scope, there is no need for the rule as the packets would return to the router already.
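The two replies above (redirect to the router itself works with dst-nat alone; redirect to a server on the same LAN needs the masquerade rule; a server on a different subnet behind the router does not) can be checked with a small model of the packet flow. The script below is an added example written for this thread, not RouterOS code or anything posted by the participants. It models conntrack reversing the translations only when the reply actually passes back through the router, and uses constructed addresses: router 192.168.1.1, client 192.168.1.50, a LAN DNS server 192.168.1.10, a DNS server 10.0.0.10 on a second router-attached subnet, and 8.8.8.8 as the external resolver the client asks for.

```python
"""Model of why a LAN-side DNS redirect needs masquerade (hairpin NAT).

Added example for the thread above, not code from RouterOS or the posters.
All addresses and ports are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.1.0/24")   # the client's subnet
ROUTER = "192.168.1.1"                          # MikroTik LAN address
EXTERNAL_DNS = "8.8.8.8"                        # what the client actually asks for


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def same_lan(a: str, b: str) -> bool:
    """True when both hosts sit on the client LAN (they can talk directly)."""
    return ipaddress.ip_address(a) in LAN and ipaddress.ip_address(b) in LAN


def dns_query(client: str, target: str, masquerade: bool):
    """Trace one DNS query through the router.

    target      -- where the dst-nat rule (rule 3) sends the query
    masquerade  -- whether the srcnat masquerade rule (rule 4) is active
    Returns (reply as seen by the client, whether the client accepts it).
    """
    query = Packet(client, 40000, EXTERNAL_DNS, 53)        # constructed source port

    # Rule 3 (dstnat): rewrite destination to target:53. conntrack keeps the
    # original tuple so a reply coming back through the router can be un-NATed.
    forwarded = replace(query, dst=target, dport=53)

    # Rule 4 (srcnat masquerade): rewrite source to the router's own address,
    # which forces the server to answer the router rather than the client.
    if masquerade:
        forwarded = replace(forwarded, src=ROUTER, sport=1024)   # constructed port

    # The server answers by swapping the addresses of the packet it received.
    reply = Packet(forwarded.dst, forwarded.dport, forwarded.src, forwarded.sport)

    # The reply passes through the router when the router itself answered,
    # when the reply is addressed to the router (masquerade), or when server
    # and client are on different subnets so routing forces the hop. It does
    # NOT when server and client share the LAN: the server sends it directly.
    via_router = (
        target == ROUTER
        or reply.dst == ROUTER
        or not same_lan(target, reply.dst)
    )
    if via_router:
        # conntrack reverses both translations: the client sees an answer
        # that appears to come from 8.8.8.8:53, exactly what it sent to.
        reply = Packet(query.dst, query.dport, query.src, query.sport)

    # A resolver only accepts an answer whose source matches the server it
    # queried and whose destination port matches the port it used.
    accepted = (
        reply.src == query.dst
        and reply.sport == query.dport
        and reply.dst == query.src
        and reply.dport == query.sport
    )
    return reply, accepted


def scenarios():
    """The cases discussed in the thread, as (label, accepted, reply source)."""
    cases = [
        ("router itself, no masquerade", ROUTER, False),
        ("LAN pi-hole, no masquerade", "192.168.1.10", False),
        ("LAN pi-hole, with masquerade", "192.168.1.10", True),
        ("other subnet DNS, no masquerade", "10.0.0.10", False),
    ]
    out = []
    for label, target, masq in cases:
        reply, ok = dns_query("192.168.1.50", target, masq)
        out.append((label, ok, reply.src))
    return out


if __name__ == "__main__":
    for label, ok, src in scenarios():
        print(f"{label:34} reply from {src:14} {'OK' if ok else 'BROKEN'}")
```

The "LAN pi-hole, no masquerade" row is the hairpin case: the query is delivered to the pi-hole, but its answer goes straight to the client with source 192.168.1.10 instead of 8.8.8.8, so the stub resolver discards it and the router never gets a chance to undo the dst-nat. Masquerade fixes that by making the router the reply's destination, at the cost of the pi-hole seeing every query as coming from 192.168.1.1 rather than from the individual client.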
