Thanks for the good write-up! You need to work on your headlines. This was more interesting than you made it sound.
Wow. I just thought it was done with a built-in DNS server. That doesn't make sense when I think about it, of course. There is no built-in DNS server in an access point! It must do deep package inspection of DNS and hijack requests it recognizes as itself. Not sure if that's a problem, though.