If you are the DNS server and default gw... then (ignoring HTTPS for a second) things are much easier...
- hijack all DNS
- dnsmasq returns your IP for all domains (wildcard)
or
- iptables rewrite/redirect all outgoing 80 to your internal router IP...
Using both is preferable... as not everything uses DNS... and DNS (DoH/DoT) is less hijackable these days...
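From the other side of the table: a client sitting behind such a gateway can spot the wildcard-DNS half of this setup, because a resolver that answers every name with one address will also "resolve" random labels under the reserved `.invalid` TLD, which an honest resolver must NXDOMAIN. The Python below is an added illustration, not code from the post; the two constructed resolvers stand in for a normal upstream and for a dnsmasq instance configured to return the router IP for everything, and `system_resolver` plugs the real OS resolver into the same check.

```python
import secrets
import socket
from typing import Callable, Optional

# A resolver returns an IPv4 string for a name, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def detect_wildcard_hijack(resolve: Resolver, probes: int = 3,
                           gateway_ip: Optional[str] = None) -> dict:
    """Probe random names under .invalid; if every probe gets the same
    answer, the resolver is wildcarding. Optionally compare that answer
    to the default gateway, which is what the post's setup returns."""
    names = [f"{secrets.token_hex(6)}.invalid" for _ in range(probes)]
    answers = [resolve(n) for n in names]
    answered = [a for a in answers if a]
    result = {"probed": names, "answers": answers,
              "wildcard": False, "points_at_gateway": False}
    if len(answered) == probes and len(set(answered)) == 1:
        result["wildcard"] = True
        result["points_at_gateway"] = (gateway_ip is not None
                                       and answered[0] == gateway_ip)
    return result


def system_resolver(name: str) -> Optional[str]:
    """Real OS resolver; used only when you run this on a live network."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed stand-ins so the check runs offline.
def honest_resolver(name: str) -> Optional[str]:
    # Knows one host, NXDOMAIN for everything else (constructed data).
    return {"www.example.com": "93.184.216.34"}.get(name)


def wildcard_resolver(name: str) -> Optional[str]:
    # Mimics dnsmasq answering every name with the router's address.
    return "192.168.1.1"


if __name__ == "__main__":
    print(detect_wildcard_hijack(wildcard_resolver, gateway_ip="192.168.1.1"))
    print(detect_wildcard_hijack(honest_resolver))
```

This only covers the DNS leg; the iptables port-80 redirect still works when a client already knows an IP, so a second canary (fetching `http://<known-ip>/` and comparing it with what that host normally serves) is needed to catch that path.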