Challenge: Content-filter based on subnet =and= ad-block based on server IP without multiple instances?

Here's what I want to achieve:

I have 2 network segments. Segment 1 has mandatory content filtering via DNS blocklist. This can be easily accomplished with something like AdGuard Home. I'd create a 'persistent client' with independent settings based on subnet.

Both segments require optional ad blocking via DNS blocklist on a per-device basis. It seems that's only possible using a second DNS server address which could be entered manually into 'network properties' or equivalent. Only 2 DNS server addresses would be available in the system. The ad-block version would be handed out via DHCP. All other DNS requests would be blocked via firewall rules including a DoH IP blocklist.

No matter how I approach this, it always requires multiple program instances with redundant configuration and runtime data. I hate to reinvent the wheel, but it seems like all I need is a simple proxy that listens on 2 IPs and searches the relevant blocklists based on both server and client IP. Any non-match would be passed upstream for real DNS.

I've considered running dnsmasq (ad-block) on the primary DNS IP with AdGuard Home (content) as the upstream secondary DNS IP. You could then skip the ad-block by manually specifying the secondary DNS. The problem here is that AdGuard Home has limited support for EDNS (i.e. client subnet passthrough). AdGuard cannot currently filter the client subnet on forwarded queries because they all appear to come from the downstream server. What a mess. The only functional solution is to run 2 full-blown instances of AdGuard Home with duplicate blocklists in memory. The first instance would block both ads and content. The second instance would only block content.

Does anyone have any clever ideas? I'd prefer a local solution.

I'm basically looking for a way to pass a 'hint' into AdGuard Home to conditionally enable/disable ad blocking. I haven't tested yet, but supposedly AGH will use the X-Real-IP header of a DoH request. What if I modified the https-dns-proxy package to send Real-IP with a spoofed client IP in another subnet? AGH could then key off the subnet. To keep all the AGH stats looking pretty, I would also need a DNS proxy for reverse lookup which would recognize the spoofed subnet and return the base hostname with a possible suffix. It looks like I could also maintain the hosts file for reverse lookup. Since https-dns-proxy is a much smaller, simpler, slower-moving package, it would be less daunting than trying to compile a custom AGH.
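The "simple proxy that listens on 2 IPs and searches the relevant blocklists based on both server and client IP" described in the post, as an added example that is not code from the post or from AdGuard Home or dnsmasq. It is a single Python process with one set of blocklists in memory; the listen addresses, the content-filtered subnet, the upstream resolver and the blocklist entries are all constructed for illustration (RFC 5737 documentation ranges) and would be replaced with real values. Because the proxy sees the real client source address itself, it needs no EDNS client-subnet passthrough and no X-Real-IP hint.

```python
"""Policy-based DNS filtering proxy: one process, two listen addresses.

Added example, not code from the original post. Which blocklists apply to a
query is decided from BOTH the address the query arrived on (server IP) and
the client's source address (subnet). Non-matching queries are forwarded
upstream unchanged over UDP and the upstream reply is relayed to the client.
"""
import ipaddress
import socket
import struct
import threading

# Hypothetical addressing (RFC 5737 ranges): adjust to your own segments.
ADBLOCK_LISTEN = "192.0.2.2"      # handed out via DHCP: ads are blocked here
PLAIN_LISTEN = "192.0.2.3"        # entered manually on a device: ads allowed
CONTENT_FILTERED = ipaddress.ip_network("192.0.2.0/24")  # segment 1, mandatory
UPSTREAM = ("9.9.9.9", 53)        # assumed upstream resolver for real DNS

# Constructed sample blocklists; a real deployment loads hosts-style lists.
CONTENT_BLOCKLIST = {"adult.example", "gambling.example"}
AD_BLOCKLIST = {"ads.example", "tracker.example"}


def _parse_question(msg: bytes):
    """Return (qname, offset just past the question section) of a DNS query."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated qname")
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:  # name compression is not valid in a query's question
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    if pos + 4 > len(msg):  # QTYPE + QCLASS must follow the name
        raise ValueError("truncated question")
    return ".".join(labels).lower(), pos + 4


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Build a standard A query; used for testing and by clients in general."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN


def domain_matches(qname: str, blocklist) -> bool:
    """True if qname or any parent domain is listed (example matches a.example)."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def active_blocklists(server_ip: str, client_ip: str):
    """The policy: content filter keyed on client subnet, ad block on server IP."""
    lists = []
    if ipaddress.ip_address(client_ip) in CONTENT_FILTERED:
        lists.append(CONTENT_BLOCKLIST)
    if server_ip == ADBLOCK_LISTEN:
        lists.append(AD_BLOCKLIST)
    return lists


def decide(server_ip: str, client_ip: str, qname: str) -> str:
    """Return 'block' or 'forward' for this (server, client, name) triple."""
    if any(domain_matches(qname, bl) for bl in active_blocklists(server_ip, client_ip)):
        return "block"
    return "forward"


def nxdomain_response(query: bytes) -> bytes:
    """NXDOMAIN reply that echoes the query ID and question section."""
    _, qend = _parse_question(query)
    # QR=1, RD=1, RA=1, RCODE=3; QDCOUNT=1, no answer/authority/additional.
    header = query[:2] + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0)
    return header + query[12:qend]


def serve(listen_ip: str, port: int = 53) -> None:
    """Serve one listen address; the policy sees both listen_ip and client_ip."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((listen_ip, port))
    while True:
        data, (client_ip, client_port) = sock.recvfrom(4096)
        try:
            qname, _ = _parse_question(data)
        except ValueError:
            continue  # drop malformed input rather than forward it
        if decide(listen_ip, client_ip, qname) == "block":
            sock.sendto(nxdomain_response(data), (client_ip, client_port))
            continue
        up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        up.settimeout(3)
        try:
            up.sendto(data, UPSTREAM)
            reply, _ = up.recvfrom(4096)
            sock.sendto(reply, (client_ip, client_port))
        except socket.timeout:
            pass  # client will retry; no reply is better than a forged one
        finally:
            up.close()


if __name__ == "__main__":
    for ip in (ADBLOCK_LISTEN, PLAIN_LISTEN):
        threading.Thread(target=serve, args=(ip,), daemon=True).start()
    threading.Event().wait()
```

Binding port 53 needs root or CAP_NET_BIND_SERVICE. This handles plain UDP only (no TCP fallback, no DoH, no caching), so the firewall rules and DoH IP blocklist described in the post are still what stop devices from bypassing it; the point of the example is that the policy decision is a pure function of (server IP, client IP, name), which is exactly the hint the post is trying to pass into AdGuard Home.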