IMHO there is no need for any sort of DNS redirection after user authentication has taken place.
It may be hazardous even before user authentication has taken place. Even given a very low TTL, client resolvers may cache answers returned during that initial authentication.
We of course redirect UDP/TCP 53 to one of our servers along with 80 (http) 443 (https) 8080, 3128 (proxy) to the local hotspot *before* any authentication has occurred, but once this is completed the only reason any guest would use the local DNS server is if they were assigned a DHCP address.
Which, presumably, many/most of them are. Supplying a functional DNS server shouldn't be that difficult, but real world experience shows just how well some operators run these services.
As far as our Routerboard/Mikrotik setup works, it'll masquerade for any non standard IP addresses that appear on the network (guests with static ip's assigned, corporate laptops etc) but once again after the authentication stage anything is allowed to pass unhindered.
The only redirection that is used after authentication is for port 25 as 90% of user trying to send mail out via port 25 have no idea how to change their mail server, let alone why they might need to. It can be an issue as some systems use authentication on port 25.
Sounds like an opportunity for a custom proxy. Clients that can successfully authenticate to an external mailserver on 25 are probably by definition nonproblematic. The remainder probably deserve to get jammed through an aggressive spam, virus, and other-crap filter, with in-line notification of rejections. You can do some other sanity stuff like counting the number of hosts contacted by a client; anything in excess of a small number would seem to be a good indicator to stop. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.