SA
just joined
Topic Author
Posts: 21
Joined: Wed Jul 28, 2004 12:03 am

Hotspot DNS

Mon Aug 23, 2004 7:28 pm

Is there any way to set up a DNS server that responds with a predefined A record to ANY request from non-authenticated hotspot users? I want them to be able to enter any URL in their browsers and get to the login page. MT redirects all TCP traffic to the HS webserver, but the client sends a DNS query before opening the TCP connection. Allowing access to a normal DNS server (MT or other) works fine but allows creation of DNS tunnels :(
If there is no way to do it with MT, what other easy-to-setup software can be used for this purpose?
 
lastguru
Member
Posts: 432
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia

Mon Aug 23, 2004 9:47 pm

I think that is a broken setup. The operating system may cache DNS records, so giving out incorrect information may cause clients to open your page later instead of the page they require, as the respective DNS entry has been cached and points directly to your router.

DNS tunnel is a great idea (haven't heard of it, found it just now on Slashdot), but:
1. you could limit the number of DNS packets from the clients, say ten in a minute for the whole network of unauthorized clients
2. or you could create tree queues using the PCQ technique to limit the data rate for each IP to something really slow (like 4k per second, to allow clients to ask one very big DNS request - 512B - in a second)
3. also, maybe there is a signature in DNS tunnel reply packets (any common string that appears only there, not in legitimate DNS replies), so that you could put a firewall rule in place to disallow such replies

Unfortunately, I can not think of any other ways to stop DNS tunnels (I might be missing some...). Is it very popular in your country?
 
SA
just joined
Topic Author
Posts: 21
Joined: Wed Jul 28, 2004 12:03 am

Mon Aug 23, 2004 10:01 pm

No, just wanted to achieve perfect security 8)

> Operating system may cache DNS records

That's what TTL is for :wink:

Rate-limiting DNS packets is a solution, but not a perfect one.
Ideally, non-authenticated clients should not be able to transmit a single byte to the outside.
 
lastguru
Member
Posts: 432
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia

Tue Aug 24, 2004 12:48 am

Perfect security could never be achieved :)

A simple script in a language like Perl would make you such a server. RouterOS would not, at least for now...
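The catch-all resolver the thread asks for, written here as an added Python example (not RouterOS code or either poster's script): every A/IN query is answered with the portal address and a short TTL, which addresses the caching concern raised above, and any other record type gets REFUSED rather than a made-up answer. The server never forwards anything upstream, so no unauthenticated DNS bytes leave the hotspot. The gateway address 10.5.50.1 and the 10-second TTL are assumed values.

```python
import socket
import struct

PORTAL_IP = "10.5.50.1"   # assumed hotspot login-page address
TTL_SECONDS = 10          # short TTL: the bogus answer leaves client caches quickly


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed test input: a plain recursive A/IN query for `name`."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def catch_all_response(query: bytes, portal_ip: str = PORTAL_IP, ttl: int = TTL_SECONDS) -> bytes:
    """Return a wire-format reply; empty bytes means 'drop this packet'."""
    if len(query) < 12:
        return b""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return b""
    pos = 12                                  # walk the QNAME labels to QTYPE/QCLASS
    while pos < len(query) and query[pos] != 0:
        pos += query[pos] + 1
    pos += 1
    if pos + 4 > len(query):
        return b""
    qtype, qclass = struct.unpack("!HH", query[pos:pos + 4])
    question = query[12:pos + 4]
    rd = flags & 0x0100                       # copy the client's RD bit
    if qtype != 1 or qclass != 1:
        # Not an A/IN question: QR=1, RCODE=5 (REFUSED), no answers.
        return struct.pack("!HHHHHH", qid, 0x8000 | rd | 5, 1, 0, 0, 0) + question
    # QR=1, AA=1, RA=1, RCODE=0, one answer pointing at the portal.
    header = struct.pack("!HHHHHH", qid, 0x8480 | rd, 1, 1, 0, 0)
    answer = (b"\xc0\x0c"                     # compression pointer to QNAME at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + socket.inet_aton(portal_ip))
    return header + question + answer


def serve(bind=("0.0.0.0", 53)):
    """Hand this address out as the DNS server for unauthenticated clients."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        reply = catch_all_response(data)
        if reply:
            sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```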
