I'm currently installing Mikrotik kit in a small local charity where money is always tight. They currently use (free) OpenDNS to block access to websites but they've always wanted to be able to have two different blocking lists - one for the public VLAN/Wi-Fi and another for staff computers. NextDNS can do this with the NextDNS client on Windows and also guessing that as RouterOS is so powerful, that might be able to automatically offer different NextDNS configurations between the LAN and the VLAN used for the public network. Anyway, that would be a nice to have.

The main question though is over the NextDNS cost. It's £179/year for the paid version which I'd love to save if possible. But the free version is limited to 300,000 DNS lookups.

A question about the DNS server in RouterOS. If that was configured to act as the DNS server for the network, would it potentially reduce the number of lookups? For example, if two computers looked up bbc.co.uk in short succession, would RouterOS DNS supply the cached entry? Until one assumes the TTL expires.

My knowledge of DNS lets me down here plus what NextDNS classes as a unique request. What travels in the DNS packet to the DNS server? Is the MAC address of the requesting device passed through so it can distinguish requests from specific devices?

I normally program DNS on DHCP server etc with 1.1.1.1 and 8.8.8.8 so never considered this before.

If its a small charity, why not just use the "pro" nextdns plan which is $20 USD a year?

Might be able to get away with that. I'll install it anyway. The worst that happens with the free version when you exceed the 300,000 lookups is that it stops blocking, i.e. every DNS entry is allowed.

I use the pro for myself and my parents - for the last 30 days we have had 1.5 mil queries with the bulk of them coming from my home network.

Also if you use the nextdns client (on a raspi, server, or in a docker container) you can specify different mac addresses to point to different configs. This is what I use to apply extra security to devices my kids use.

Yeah, I installed it at a small business of ~15 people and they burnt up the 300,000 lookups in just a week. They're using FritzBox routers but also the NextDNS client on their computers so they can have a different blocking list to the default ID supplies via the router. I'm guessing that when using the NextDNS client, the log shows the name of the computer, that they can distinguish lookups per computer. Anything accessing via the router itself shows as "Unknown" or "Other" - can't remember what.

Aside but it's fascinating looking at the blocked log, how many ad services etc are blocked and everything still seems to work fine.

To get the full logging, you would need to have the nextdns client installed on the devices or install it somewhere (docker, raspi, etc) in router mode (setup-router true). Depending on the mikrotik device used, this can definitely be run as a docker container.