I do not believe you can do this using the GUI. I do not understand Linux iptables well enough to be useful to you, but I think this is where you need to go. In other words, you need to craft a set of rules to put into firewall.local to do that.
What you could do instead is to forget about honeypotting the DNS. Just create a NAT rule to rewrite all the traffic of the green network on the DNS port toward the firewall. This will transparently forward all the green zone DNS traffic to the Unbound server regardless of the initial destination.
I created the rule to redirect the DNS traffic a while ago, but it was not working.
Not sure if it is working 100% now. I see some traffic redirected, but not all.
What I see is that at least all the NTP traffic (UDP port 123) seems to be redirected to IPFire.
This wasn’t working for a while; I guess sometime recently it started working.
DNAT rules redirect only traffic that is sent to IPFire’s IPs as the destination. It does not work for other servers like 8.8.8.8 because the destination does not match.
Try to adapt it to your system: add the following rule and set it to occur before the redirect rule.
EDIT: I am not sure if this rule is necessary when the redirect rule is in effect. It used to be indispensable when the redirect rule was not functional due to “destination: any” not being implemented in the WUI, but some time last year this was changed (as documented in the history of the wiki page). I hope someone more competent than I am can clarify this.
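As an added illustration of the two points raised in this thread (the "redirect all green DNS traffic to the firewall" suggestion, and the observation that a DNAT rule keyed on IPFire's own IP never matches queries addressed to 8.8.8.8), here is an example firewall.local fragment that is not from any poster or from the IPFire project. It assumes the green interface is named green0, that Unbound listens on port 53, and that the CUSTOMPREROUTING chain of the nat table exists; it matches on interface and port only, so the destination address is irrelevant. It only catches plain UDP/TCP port 53, so clients using DNS over TLS or HTTPS are not affected.

```shell
#!/bin/sh
# Example fragment for IPFire's /etc/sysconfig/firewall.local (constructed
# example, not the thread's or the project's own rule). Redirects every DNS
# query leaving the green zone, whatever its destination, to local Unbound.
GREEN_IF="${GREEN_IF:-green0}"   # assumed name of the green NIC
DNS_PORT=53                      # port clients send their queries to
LOCAL_DNS_PORT=53                # port Unbound listens on (assumed)

# Build one REDIRECT rule. $1 = iptables action (-A add, -D delete), $2 = proto.
# REDIRECT on an interface/port match needs no destination address, which is
# why it also catches queries addressed to public resolvers such as 8.8.8.8,
# unlike a DNAT rule whose destination is IPFire's own IP.
dns_redirect_rule() {
    echo "iptables -t nat $1 CUSTOMPREROUTING -i $GREEN_IF -p $2 --dport $DNS_PORT -j REDIRECT --to-ports $LOCAL_DNS_PORT"
}

# Apply (or remove) the rules for UDP and TCP. With DRY_RUN=1 the commands are
# only printed, so the rule set can be reviewed before it touches the firewall.
apply_dns_redirect() {
    action=$1
    for proto in udp tcp; do
        rule=$(dns_redirect_rule "$action" "$proto")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$rule"
        else
            $rule
        fi
    done
}

# Same start/stop/reload skeleton that firewall.local is invoked with.
case "$1" in
    start)  apply_dns_redirect -A ;;
    stop)   apply_dns_redirect -D ;;
    reload) $0 stop; $0 start ;;
    *)      echo "Usage: $0 {start|stop|reload}" ;;
esac
```

Run it with DRY_RUN=1 and the start argument to see the exact iptables commands before enabling them.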