Could a rogue router direct internal traffic to an outside rogue DNS server? How?
Yes, the rogue router can assign a false DNS server to internal hosts as part of the SLAAC attack. A false DNS server would allow an attacker to redirect all internal traffic to any number of phishing sites.