Root cause: asymmetric routing fixed with srcnat masquerade

docs/incidents/2026-01-25-dns-outbound-blocked-after-mikrotik-restart.md

@@ -187,3 +187,39 @@ Added whitelist rules to AdGuard:
 
 ### Verification
 Restarted AdGuard, TV should now connect to Netflix.
+
+---
+
+## Root Cause Found: Asymmetric Routing (13:55)
+
+### Problem
+DNS redirect (DNAT) was causing asymmetric routing:
+1. Client sends DNS to 192.168.31.1:53
+2. MikroTik DNATs to 192.168.31.4:53 (AdGuard)
+3. AdGuard responds DIRECTLY to client (same L2 subnet)
+4. Client receives response from .4 but expected it from .1
+5. Client drops response → "no internet"
+
+### Fix
+Added srcnat/masquerade rule so AdGuard sees MikroTik as source:
+
+```bash
+/ip firewall nat add chain=srcnat action=masquerade protocol=udp \
+  src-address=192.168.31.0/24 dst-address=192.168.31.4 dst-port=53 \
+  comment="Masquerade DNS to AdGuard"
+```
+
+Now the flow is:
+1. Client → 192.168.31.1:53
+2. DNAT → 192.168.31.4:53 (src masqueraded to MikroTik)
+3. AdGuard responds to MikroTik
+4. MikroTik un-NATs response → Client
+5. Client sees response from .1 ✓
+
+### Verification
+```
+$ nslookup google.com 192.168.31.1
+Server:   192.168.31.1
+Name:     google.com
+Address:  142.250.187.110
+```