Technically, tweaking your DNS resolver to lie (and/or to log) is much easier and faster (and waaaaay less expensive) than setting up a packet interception and rewriting device at line rate.
It is just a static /32 route for well known DNS resolvers to the ISP resolver. It is free and trivial. To make your resolver reply with the correct IP you simply add all the well known /32 addresses to the localhost interface. To get any service instead of just well known ones, you can use source routing based on the port number 53. Direct this to a Linux server that will NAT the traffic towards the ISP DNS. This is also trivial and free, provided your routers support source routing (ours do). Detectable, yes, but also hard to escape for the average user. They will need to go full VPN. Running your own resolver will not work.

Regards
Baldur
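An added example, not from the thread, of how a user could check the "detectable" claim for the blanket port-53 variant: send a query to an address that cannot legitimately answer, and treat any reply as evidence of on-path redirection. The probe addresses are assumptions (192.0.2.53 is an unrouted RFC 5737 documentation address; the well-known resolver is a placeholder for whichever public resolver you normally use).

```python
import random
import socket
import struct

# Constructed probe set. 192.0.2.53 lies in the RFC 5737 documentation prefix and is
# not routed on the public Internet, so a genuine DNS answer from it can only come
# from a middlebox that grabs every packet to UDP/53. The well-known resolver address
# is an assumption; substitute the public resolver you normally use.
PROBES = {"unrouted": "192.0.2.53", "well_known": "8.8.8.8"}

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS A query (RD set, one question) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def looks_like_answer(data: bytes, txid: int) -> bool:
    """True if data is a DNS response (QR bit set) whose ID matches our query."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)

def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> bool:
    """Send one query to server:53; return True if a matching response arrives."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return False
    return looks_like_answer(data, txid)

def classify(results: dict) -> str:
    """Turn {"unrouted": bool, "well_known": bool} into a verdict."""
    if results["unrouted"]:
        return "port-53-redirected"   # something on path answered for a dead address
    if results["well_known"]:
        return "no-blanket-redirect"  # the /32-route-only variant is not ruled out
    return "inconclusive"             # no DNS reachable at all, or UDP/53 blocked

if __name__ == "__main__":
    print(classify({k: probe(v) for k, v in PROBES.items()}))
```

A "no-blanket-redirect" verdict does not exclude the /32-route trick described above; catching that requires comparing answers against the same resolver reached over an encrypted channel.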