MikroTik

Hello everyone
So I have some clients in my network that they use VPNs like Psiphon which connect over ports like 443 and 80 which I cannot block and also their like of servers are a lot so I cannot monitor and block the server IPs one by one. So I was wondering if there is a way to block all the IPs for those clients except the ones resolved from DNS server (my router is the internal DNS server for the clients) so in this way client send a DNS query request for mikrotik.com and the answer is IP 449.459.459.555 and they can communicate with this IP cause it was came from a DNS query request reply but if the same client want to communicate with IP 567.564.510.945 they can't because it wasn't a DNS query request reply.
Is it possible ?
Thank you very much for any help

I use pi-hole and unbound

Any idea?

Is it possible ?

It is possible but useless. If you redirect any DNS queries towards port 53 on any IP address to the PiHole, the clients can still use DoH (DNS over HTTPS) to do their queries.

Is it possible ?

It is possible but useless. If you redirect any DNS queries towards port 53 on any IP address to the PiHole, the clients can still use DoH (DNS over HTTPS) to do their queries.

@sindy
Yeah, but not all of them know how to set it up.

I use these set of rules to block them but I know it won't work for DoH (I use it mostly to block cellphones DNS Failover).

add action=drop chain=forward comment=\
"BLOCK OTHER DNS SERVERS with bypass option" dst-address=!192.168.1.111 \
dst-address-list="!Bypass DNS blocking" port=53 protocol=tcp \
src-address-list="!Bypass DNS blocking"
add action=drop chain=forward dst-address=!192.168.1.111 dst-address-list=\
"!Bypass DNS blocking" port=53 protocol=udp src-address-list=\
"!Bypass DNS blocking"
add action=accept chain=forward comment="BLOCK OTHER DNS SERVERS with bypass opt\
ion (To make sure the above rules are tight and filtering (blocking) all the\
\_packets)" dst-address=1.1.1.1 port=53 protocol=udp src-address-list=\
"Bypass DNS blocking"
add action=accept chain=forward dst-address=1.0.0.1 port=53 protocol=udp \
src-address-list="Bypass DNS blocking"
add action=accept chain=forward dst-address-list="Bypass DNS blocking" port=53 \
protocol=udp src-address=1.1.1.1
add action=accept chain=forward dst-address-list="Bypass DNS blocking" port=53 \
protocol=udp src-address=1.0.0.1
add action=drop chain=forward dst-address-list="!Bypass DNS blocking" port=53 \
protocol=tcp src-address=!192.168.11.111
add action=drop chain=forward dst-address=!192.168.1.111 port=53 protocol=tcp \
src-address-list="!Bypass DNS blocking"
add action=drop chain=forward dst-address-list="!Bypass DNS blocking" port=53 \
protocol=udp src-address=!192.168.11.111
add action=drop chain=forward dst-address=!192.168.1.111 port=53 protocol=udp \
src-address-list="!Bypass DNS blocking"

@sindy
Yeah, but not all of them know how to set it up.

Set it up???
Is the new default on browsers, final users are required to be dummy and do not do nothing...
Google & Co. give their best to get their hands on the DNS,
and no one protests with the stupid flag of privacy...
Pot calling the kettle black...

I know but just stopping them from connecting to the VPN servers is enough that's why I'm looking for a solution.

@Sindy
You said it is possible, any hint/guide for me on have to implement it?

/ip firewall nat
add chain=dstnat in-interface=the-client-facing-one protocol=udp dst-port=53 action=dst-nat to-addresses=ip.of.pi.hole
add chain=dstnat in-interface=the-client-facing-one protocol=tcp dst-port=53 action=dst-nat to-addresses=ip.of.pi.hole

this will work if the pihole is in another subnet than the clients, which is a preferred configuration; otherwise look for hairpin NAT here on the forum.