My house MikroTik runs a permanent tunnel to the offices of my job. DHCP configures the devices to send DNS requests to MikroTik, which then sends the requests to Google or forwards them to the DNS server of my job.
Job intranet = intranet.job.local
Job DNS Server = 192.168.90.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall layer7-protocol
add name=ad_dns regexp=.job.local
/ip firewall mangle
add action=mark-packet chain=prerouting dst-address-type=local dst-port=53 layer7-protocol=job_dns new-packet-mark=forwarded-dns passthrough=yes protocol=udp
/ip firewall nat
add action=dst-nat chain=dstnat comment="Intercept DNS:" packet-mark=forwarded-dns to-addresses=192.168.90.1