To make interception and substitution of 53 udp is elementary. Mikrotik does not seem to implement anything like dns over ssl or dnscrypt out of the box to protect against this. But with the help of simple firewall manipulations, you can redirect a dns server to yourself, which hangs on a different port, for example.

1) intercept user DNS so as not to depend on user settings
2) put adguard dns in ip dns on Mikrotik, or whatever you need
3) mark DNS traffic in the mangle
4) put marked traffic into the VPN tunnel

maybe my answer will seem primitive to you and so on, but Layer7 and package labeling save you from this.
not a solution, but a good example of where to dance

Set up an internal DNS server with DNSSEC. Alya Pi-hole .

I deployed DNSCrypt in a docker virtual machine on a server inside the network specifically for this purpose. As DNS servers in the settings of DHCP servers and in the settings of network interfaces of static clients, the IP of the virtual machine with DNSCrypt is specified. This is probably a little overkill, but, firstly, there is where to deploy, and secondly, because I can) But in fact, really some kind of raspberry is enough with DNSCrypt or something else. But I did not study alternatives, simply because the method I use suits me completely.

On MikroTik, set AdGuard DNS in ip/dns. Dynamic DNS should not be.
Check the Allow Remote Requests checkbox. Give clients the MikroTik address as a DNS server to the network via DHCP. Make sure they get what they need.
In ip/routes on MikroTik, create routes to AdGuard DNS addresses through the tunnel.
On the VPN server, configure src-nat for connections from the tunnel so that replies reach.
Clean out the DNS cache everywhere just in case.