I've been digging through several guides as to "How to protect your router" etc. Most of the examples show to open the required ports and drop everything else. The one configuration line i don't understand is this one:

/ip firewall filter add chain=input protocol=udp action=accept comment="UDP" disabled=no

If i understand this correctly it means it will accept udp traffic from anyone and everyone regardless of interface. Isn't that a bad thing? The problem I'm having is this: I want my LAN users to be able to user my router as a DNS proxy. However if i do not use the above line some dns queries are filtered out by my drop everything else rule.

Is there a secure way to allow only my LAN users access to my router as a dns proxy? Here's my filters:
Again with the above config DNS queries fail because the traffic is being dropped. If i add
/ip firewall filter add chain=input protocol=udp action=accept comment="UDP" disabled=no
DNS queries work, but my firewall also answers DNS lookups for anyone outside my network (the internet). I've tried tweaking with the in-interface etc. To my understanding the DNS requests would fall under the established or related connections when my router makes a query. Apparently this isn't the case. Without allowing udp traffic internet wide my router can't be used as a DNS proxy.
Any help is appreciated.