Starting from version v6.36, you can add domain names to address lists!
*) firewall - allow to add domain name to address-lists (dynamic entries for resolved addresses will be added to specified list);
if the PC is not much then
in IP > Firewall. > Address_Lists add the desired sites with the name of one group.

/ip firewall address-list
add address=mail.ru list=web_block
add address=drom.ru list=web_block

/ip firewall filter
add action=drop chain=forward dst-address-list=web_block src-address=192.168.100.2
add action=drop chain=forward dst-address-list=web_block src-address=192.168.100.5

Options 2 - opaque proxy or firewall. If the working portals are without https, a transparent proxy is also possible.
The first method will require proxy settings in browsers. Allow selected users access where possible and prohibit everything else.
Something all the mana on the Internet is on a transparent proxy, so the official Wiki is also suitable. We just do not wrap traffic on the proxy.
wiki.mikrotik.com/wiki/Manual:IP/Proxy

If they want, they will find a way around. If the network is heavily loaded, then you can configure the shaper to addresses and kill the speed at the most reluctant. And you can log traffic with the provision of statistics to management and penalties for visiting social networks.
And yes, no one forbids using phones and other gadgets

add chain=forward comment="accept VK" content=vk.com src-address-list=allowsocial allowed everyone to enter VK from the "allowsocial" aderslist, add allowed IP addresses there
add action=reject chain=forward comment="drop vk.com "content=vk.com src-address=192.168.0.0/24 - banned for everyone.

I advise through layer 7 protocol
ip firewall filter add chain=forward src-mac-address= layer7-protocol=social action=drop
or src-address - by IP
and in the tab you create a rule with such an entry, for example
^.*(get|GET ).+(vk.com|odnoklassniki.com|facebook.com|twitter.com).*$

In the absence of a domain, this is so easy that even secretaries manage ...