Fw4 and DNS traffic hijacking

Does anybody notice that the firewall sample to intercept DNS on the wiki doesn't work?

# Intercept DNS traffic
config redirect 'dnat_hijack_dns'
	option name 'Hijack DNS queries'
	option enabled '1'
	option target 'DNAT'
	option family 'any'
	list proto 'tcp'
	list proto 'udp'
	option src 'users' # must not have source '*' for DNAT target
	option src_dport '53'

I tried to set custom DNS settings on my PC and they were not intercepted by OpenWrt.

I also modified the above example a little to intercept insecure HTTP traffic:

config redirect 'dnat_hijack_http'
	option name 'Hijack HTTP traffic'
	option enabled '1'
	option target 'DNAT'
	option family 'any'
	list proto 'tcp'
	list proto 'udp'
	option src 'users'
	option src_dport '80'

Visiting a random http:// website does not take me to the LuCI web interface.

The equivalent LuCI configurations do not look right either:


The Match section reads: "Incoming IPv4 and IPv6, protocol TCP, UDP From users to this device, port 53". Why "to this device"? It should be "to any zone" instead.
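As an added sanity check (not part of the post, the wiki, or the uci tool), here is a small Python parser for a UCI redirect section that flags the DNAT pitfalls the inline comment in the example refers to; the sample text is copied from the post above.

```python
import re

# Constructed sample: the DNS hijack redirect from the post above.
SAMPLE = """
config redirect 'dnat_hijack_dns'
	option name 'Hijack DNS queries'
	option enabled '1'
	option target 'DNAT'
	option family 'any'
	list proto 'tcp'
	list proto 'udp'
	option src 'users'
	option src_dport '53'
"""

# Matches "config <type> '<name>'", "option <key> '<value>'" and "list <key> '<value>'";
# anything after the quoted value (such as a trailing comment) is ignored.
_TOKEN = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?")

def parse_uci(text):
    """Minimal UCI reader: returns a list of (type, name, {key: value or [values]})."""
    sections = []
    for line in text.splitlines():
        m = _TOKEN.match(line)
        if not m:
            continue  # blank line or comment
        kind, key, val = m.groups()
        if kind == 'config':
            sections.append((key, val, {}))
        elif sections:
            opts = sections[-1][2]
            if kind == 'option':
                opts[key] = val
            else:
                opts.setdefault(key, []).append(val)
    return sections

def check_redirect(opts):
    """Return the problems that would stop an fw4 DNAT redirect from matching."""
    problems = []
    if opts.get('target', 'DNAT').upper() != 'DNAT':
        problems.append("target must be DNAT to rewrite the destination")
    if opts.get('src') in (None, '*'):
        problems.append("src must name a concrete zone; '*' is not allowed for DNAT")
    if 'src_dport' not in opts:
        problems.append("src_dport missing: nothing selects the port to hijack")
    if opts.get('enabled', '1') == '0':
        problems.append("rule is disabled")
    return problems
```

Run `check_redirect` on each `redirect` section from `/etc/config/firewall`; an empty list means the section is at least well-formed for DNAT, which is the part the post's example gets right.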

It works just fine on my router. And that's how it should look in LuCI.

Please post the output of

ubus call system board

Install luci-app-https-dns-proxy; it will configure everything itself.