Another solution to actually hijack the requests and redirect them to OpenWrt's dnsmasq. From there the query is forwarded as usual to the piholes.
https://openwrt.org/docs/guide-user/services/dns/intercept
It has the disadvantage that all requests are seen as coming from OpenWrt, so statistics are useless.
My solution is using DNAT on the not allowed packets and sending them to pihole.
#
# DNS HIJACK
#
iptables -t nat -N dnshijack
# log packet - troubleshooting, remove "#"
#iptables -t nat -I dnshijack -j LOG --log-prefix "dnshijack4"
# send to pihole
iptables -t nat -A dnshijack -j DNAT --to-destination 10.0.2.2
# allow the PiHoles
iptables -t nat -A prerouting_lan_rule -m mac --mac-source aa:bb:cc:dd:ee:ff -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source aa:bb:cc:dd:ee:ff -p tcp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source aa:bb:cc:dd:ee:00 -p udp --dport 53 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -m mac --mac-source aa:bb:cc:dd:ee:00 -p tcp --dport 53 -j ACCEPT
# allow queries for local addresses
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -d 10.0.2.1 -j ACCEPT
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -d 10.0.2.1 -j ACCEPT
# send the rest to PiHole
iptables -t nat -A prerouting_lan_rule -p udp --dport 53 -j dnshijack
iptables -t nat -A prerouting_lan_rule -p tcp --dport 53 -j dnshijack
2.1 is the OpenWrt router and 2.2 a pihole DNS.
You can disable the LOG line in the hijack chain to decrease logs, but it can be useful for testing and troubleshooting.