Можно ли использовать запрет для DNS маршрутизации, без изменения трафика?

[RadaGum]

Подскажите пожалуйста, можно ли использовать запрет для DNS маршрутизации, без изменения трафика? Суть в чем, я хочу использовать user-hostlist списки и GETLIS, а так же ipset списки, но так чтобы пакеты в нем не менялись, завернуть всё это хочу на свой VPS сервер, указав интерфейс. Мне удобна логика работы с запретом по внесению доменов для обхода трафика, BGP не совсем удобен для меня.

Сейчас я попытался это реализовать в таком конфиге, но ничего не работает.
Использовал WAN как VPN до VPS - OPENWRT_WAN4="WGEasy"
И очистил правила
NFQWS2_OPT="
--filter-tcp=80 --filter-l7=http --new
--filter-tcp=443 --filter-l7=tls --new
--filter-udp=443 --filter-l7=quic <HOSTLIST_NOAUTO>

# this file is included from init scripts
# change values here

# can help in case /tmp has not enough space
#TMPDIR=/opt/zapret2/tmp

# redefine user for zapret daemons. required on Keenetic
#WS_USER=nobody

# override firewall type : iptables,nftables,ipfw
FWTYPE=nftables
# nftables only : set this to 0 to use pre-nat mode. default is post-nat.
# pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log
#POSTNAT=0

# options for ipsets
# maximum number of elements in sets. also used for nft sets
SET_MAXELEM=522288
# too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough
# too large hashsize will waste lots of RAM
IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
# dynamically generate additional ip. $1 = ipset/nfset/table name
#IPSET_HOOK="/etc/zapret2.ipset.hook"

# options for ip2net. "-4" or "-6" auto added by ipset create script
IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
# options for auto hostlist
# NOTE : in order for these adjustment to work it's required to redirect enough starting packets
# NOTE : set PKT_IN, PKT_OUT variables appropriately
AUTOHOSTLIST_INCOMING_MAXSEQ=4096
AUTOHOSTLIST_RETRANS_MAXSEQ=32768
AUTOHOSTLIST_RETRANS_RESET=1
AUTOHOSTLIST_RETRANS_THRESHOLD=3
AUTOHOSTLIST_FAIL_THRESHOLD=3
AUTOHOSTLIST_FAIL_TIME=60
AUTOHOSTLIST_UDP_IN=1
AUTOHOSTLIST_UDP_OUT=4
# 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
AUTOHOSTLIST_DEBUGLOG=0

# number of parallel threads for domain list resolves
MDIG_THREADS=30
# EAI_AGAIN retries
MDIG_EAGAIN=10
# delay between EAI_AGAIN retries (ms)
MDIG_EAGAIN_DELAY=500

# ipset/*.sh can compress large lists
GZIP_LISTS=1
# command to reload ip/host lists after update
# comment or leave empty for auto backend selection : ipset or ipfw if present
# on BSD systems with PF no auto reloading happens. you must provide your own command
# set to "-" to disable reload
#LISTS_RELOAD="pfctl -f /etc/pf.conf"

# mark bit used by nfqws to prevent loop
DESYNC_MARK=0x40000000
DESYNC_MARK_POSTNAT=0x20000000

# do not pass outgoing traffic to nfqws not marked with this bit
# this setting allows to write your own rules to limit traffic that should be fooled
# for example based on source IP or incoming interface name
# no filter if not defined
#FILTER_MARK=0x10000000


NFQWS2_ENABLE=1
# redirect outgoing traffic with connbytes limiter applied in both directions.
NFQWS2_PORTS_TCP=80,443
NFQWS2_PORTS_UDP=443
# PKT_OUT means connbytes dir original
# PKT_IN means connbytes dir reply
NFQWS2_TCP_PKT_OUT=20
NFQWS2_TCP_PKT_IN=10
NFQWS2_UDP_PKT_OUT=5
NFQWS2_UDP_PKT_IN=3
# redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
# normally it's needed only for stateless DPI that matches every packet in a single TCP session
# typical example are plain HTTP keep alives
# this mode can be very CPU consuming. enable with care !
#NFQWS2_PORTS_TCP_KEEPALIVE=80
#NFQWS2_PORTS_UDP_KEEPALIVE=
# use <HOSTLIST> and <HOSTLIST_NOAUTO> placeholders to engage standard hostlists and autohostlist in ipset dir
# hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
# <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
NFQWS2_OPT="
--filter-tcp=80 --filter-l7=http <HOSTLIST> --new
--filter-tcp=443 --filter-l7=tls <HOSTLIST> --new
--filter-udp=443 --filter-l7=quic <HOSTLIST_NOAUTO>
"

# none,ipset,hostlist,autohostlist
MODE_FILTER=hostlist

# donttouch,none,software,hardware
FLOWOFFLOAD=hardware

# openwrt: specify networks to be treated as LAN. default is "lan"
OPENWRT_LAN="lan"
# openwrt: specify networks to be treated as WAN. default wans are interfaces with default route
OPENWRT_WAN4="WGEasy"
OPENWRT_WAN6="WGEasy"

# for routers based on classic linux. has no effect in openwrt.
# CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
# or leave them commented if its not router
# it's possible to specify multiple interfaces like this : IFACE_WAN="eth0 eth1 eth2"
# if IFACE_WAN6 is not defined it take the value of IFACE_WAN
#IFACE_LAN=eth0
#IFACE_WAN=eth1
#IFACE_WAN6="ipsec0 wireguard0 he_net"

# should start/stop command of init scripts apply firewall rules ?
# not applicable to openwrt with firewall3+iptables
INIT_APPLY_FW=1
# firewall apply hooks
#INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret2.hook.pre_up"
#INIT_FW_POST_UP_HOOK="/etc/firewall.zapret2.hook.post_up"
#INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret2.hook.pre_down"
#INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret2.hook.post_down"

# do not work with ipv4
#DISABLE_IPV4=1
# do not work with ipv6
DISABLE_IPV6=1

# drop icmp time exceeded messages for nfqws tampered connections
# in POSTNAT mode this can interfere with default mtr/traceroute in tcp or udp mode. use source port not redirected to nfqws
# set to 0 if you are not expecting connection breakage due to icmp in response to TCP SYN or UDP
FILTER_TTL_EXPIRED_ICMP=1

# select which init script will be used to get ip or host list
# possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh
# comment if not required
GETLIST=get_antizapret_domains.sh

[bol-van]

Тут все очень непросто.

Заворот средствами firewall по типу DNAT всегда происходит прямо с первого пакета.
Либо так, либо заворота вообще не будет, тк нельзя в живом tcp переписать ip или порт - он сломается.
А хост узнается уже после нескольких пакетов.

xray это умеет, но именно потому что это прокси, а не пакетный манипулятор.
он умеет задерживать подключения, выполнять сниффинг, делать dest override

если же есть kernel ipset, то его легко завернуть средствами firewall и ip rule
совать туда результаты ресолва доменов можно по классическим и старым рецептам - через dnsmasq