DNS interception firewall rule blocks DNS requests over IPv6

I'm trying to configure OpenWrt to intercept all LAN DNS requests and redirect them to the local DNS server.

I'm using the configuration documented in https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#command-line_instructions

This is my /etc/config/firewall:

config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
	option family 'any'

With this configuration, it seems that IPv4 DNS requests, both to the local DNS server and to an external DNS server, are handled properly, and the external ones are redirected to the local one.

❯ dig +short www.google.com @192.168.1.1
216.58.211.196

❯ dig +short www.google.com @1.1.1.1
216.58.211.196

On the other hand, DNS requests over IPv6 seem to fail:

❯ dig +short www.google.com @fdb7:ff**:****::1            # Lan dns
;; connection timed out; no servers could be reached

❯ dig +short www.google.com @2606:4700:4700::1111        # External dns
;; connection timed out; no servers could be reached

If I disable the dns_int firewall rule, DNS requests over IPv6 work with no problem:

❯ dig +short www.google.com @fdb7:ff**:****::1
172.217.171.196

❯ dig +short www.google.com @2606:4700:4700::1111
142.251.37.36

Of course, if I disable the firewall rule, DNS requests are not intercepted or redirected to the local server.

What could I do to debug and fix the problem? Isn't this documented configuration supposed to work with both IPv4 and IPv6?

OK, I discovered the problem.
Since my devices have GUA IPv6 addresses, they are sending DNS requests through the address related to the WAN6 interface (GUA).

The problem is that the firewall rule in the documentation does not specify any dest_ip, so by default nftables redirects the request to the local device through the same interface on which the packet was received, in this case the WAN6 interface (although it was received from the LAN, in the case of IPv6 the local network devices have an external address related to the WAN network).

According to the nftables documentation:

Redirection

There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.

It seems that in this case, even though option src 'lan' is specified, the incoming interface used for computing the DNAT destination would be wan6, according to the source IPv6 address of the received packet (a GUA IPv6 address).

My DNS server on the device is bind, listening for requests from the WAN6 interface (and I want it to remain like that). So the request was being ignored.

Adding a local dest_ip of the device to the rule fixed the problem.

E.g., some ULA IPv6 address:

option dest_ip 'fd00::::1'

Be careful: it seems that using the loopback IPv6 address ::1 for redirecting the packet also doesn't work, because according to https://www.rfc-editor.org/rfc/rfc4291#section-2.5.3

A packet received on an interface with a destination address of loopback must be dropped.
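A small checker for the pitfall described in this thread, added here as an example; it is not part of the original posts or of OpenWrt's own tooling. It parses a UCI firewall snippet with a minimal hand-written parser and flags DNAT redirect sections that apply to IPv6 but have no dest_ip (so the redirect falls back to the incoming interface's address, as the nftables documentation quoted above describes), an unparseable dest_ip, or a loopback dest_ip (dropped per RFC 4291 section 2.5.3). The sample configs, the `fd00::1` address and all function names are constructed for this example.

```python
"""Lint OpenWrt /etc/config/firewall 'redirect' sections for the IPv6 DNS-interception pitfall.

Added example, not from the original thread or from OpenWrt/fw4 itself.
"""
import ipaddress
import shlex

# Constructed sample: the rule as documented and posted in the question (no dest_ip).
BROKEN_CONFIG = """
config redirect 'dns_int'
    option name 'Intercept-DNS'
    option src 'lan'
    option src_dport '53'
    option proto 'tcp udp'
    option target 'DNAT'
    option family 'any'
"""

# Constructed sample: the same rule with a ULA dest_ip (address made up for this example).
FIXED_CONFIG = BROKEN_CONFIG + "    option dest_ip 'fd00::1'\n"

# Constructed sample: loopback as dest_ip, which RFC 4291 2.5.3 says must be dropped.
LOOPBACK_CONFIG = BROKEN_CONFIG + "    option dest_ip '::1'\n"


def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, options) tuples.

    Understands 'config <type> [name]', 'option <key> <value>' and
    'list <key> <value>'; list entries are collected into Python lists.
    """
    sections = []
    options = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted UCI values
        keyword = parts[0]
        if keyword == "config":
            options = {}
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, options))
        elif keyword == "option" and options is not None:
            options[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif keyword == "list" and options is not None:
            options.setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def lint_redirect(options):
    """Return a list of findings (strings) for one 'redirect' section."""
    findings = []
    if options.get("target", "DNAT").upper() != "DNAT":
        return findings  # SNAT redirects are out of scope here
    family = options.get("family", "any").lower()
    if family not in ("any", "ipv6"):
        return findings  # IPv4-only rule: the interface-address fallback behaves as expected
    dest_ip = options.get("dest_ip")
    if dest_ip is None:
        findings.append(
            "missing dest_ip: with no explicit destination the redirect DNATs to the "
            "address of the incoming interface, which for GUA sources can be wan6; "
            "set dest_ip to a ULA address of the router")
        return findings
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        findings.append(f"dest_ip {dest_ip!r} is not a valid IP address")
        return findings
    if addr.is_loopback:
        findings.append(
            f"dest_ip {dest_ip} is loopback: RFC 4291 2.5.3 requires a packet received "
            "on an interface with a loopback destination to be dropped")
    elif addr.version == 4:
        findings.append(
            f"dest_ip {dest_ip} is IPv4 while family is {family!r}: an IPv4 address cannot "
            "be the target of the IPv6 DNAT, so IPv6 queries still need a ULA dest_ip")
    elif addr not in ipaddress.ip_network("fc00::/7"):
        findings.append(f"dest_ip {dest_ip} is not a ULA (fc00::/7); prefer a stable local address")
    return findings


def lint_config(text):
    """Lint every redirect section of a UCI firewall config; returns {section: [findings]}."""
    report = {}
    for section_type, name, options in parse_uci(text):
        if section_type == "redirect":
            report[name or options.get("name", "<unnamed>")] = lint_redirect(options)
    return report


if __name__ == "__main__":
    for title, text in (("as documented", BROKEN_CONFIG),
                        ("with ULA dest_ip", FIXED_CONFIG),
                        ("with ::1", LOOPBACK_CONFIG)):
        for section, findings in lint_config(text).items():
            print(f"[{title}] {section}: {'OK' if not findings else ''}")
            for finding in findings:
                print("  -", finding)
```

Run it against a copy of your own /etc/config/firewall to see which redirect sections would be hit; the checks are purely static and make no claim about how fw4 splits a family 'any' rule, so treat the IPv4-dest_ip warning as a prompt to add a separate IPv6 redirect rather than as a diagnosis.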