DNS hijacking without masquerading every query? Pihole

You can limit masquerading to a specific subnet with your DNS server.
But moving it to a separate subnet makes the masquerading rule redundant.

It only needs to be in a separate routed subnet.
Whether it is another VLAN or not is irrelevant.
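As an added example, not code from the thread or from the Pi-hole project, the following POSIX shell prints (rather than applies) the iptables rules for the two layouts the reply contrasts. The interface name `br-lan`, the subnet `192.168.1.0/24` and the Pi-hole addresses `192.168.1.2` / `192.168.10.2` are made-up placeholders. The hairpin MASQUERADE rule is emitted only when the Pi-hole is inside the client subnet; when it sits in a separately routed subnet, replies already pass back through the router and the DNAT is undone by conntrack, so no masquerade rule is generated.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints (does not apply) the
# iptables rules that redirect all port-53 DNS from a LAN to a Pi-hole.
# Interface and addresses are placeholders; review, then pipe to `sh` as root.

# ip2int 192.168.1.2  -> integer form of a dotted-quad IPv4 address
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_subnet IP CIDR  -> success when IP lies inside CIDR (e.g. 192.168.1.0/24)
in_subnet() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# dns_redirect_rules LAN_IF LAN_SUBNET PIHOLE_IP
dns_redirect_rules() {
    lan_if=$1
    lan_subnet=$2
    pihole=$3
    for proto in udp tcp; do
        # Rewrite the destination of every DNS query arriving on the LAN
        # interface, except queries from the Pi-hole itself (its own upstream
        # lookups would otherwise be redirected back to it in a loop).
        # iptables accepts one -s match per rule, so the interface scopes the
        # rule to the LAN and "! -s" carries the exclusion.
        printf 'iptables -t nat -A PREROUTING -i %s ! -s %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
            "$lan_if" "$pihole" "$proto" "$pihole"
    done
    if in_subnet "$pihole" "$lan_subnet"; then
        # Hairpin case: client and Pi-hole share a subnet, so the Pi-hole would
        # answer the client directly from its own address, which the client
        # never queried. Masquerading the DNAT'd packets forces the reply back
        # through the router, where conntrack restores the original destination.
        for proto in udp tcp; do
            printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p %s --dport 53 -j MASQUERADE\n' \
                "$lan_subnet" "$pihole" "$proto"
        done
    fi
    # Pi-hole in a separately routed subnet: replies already traverse the
    # router, so conntrack undoes the DNAT and no MASQUERADE rule is needed.
}

# Same-subnet layout (emits MASQUERADE) vs. routed layout (does not):
dns_redirect_rules br-lan 192.168.1.0/24 192.168.1.2
echo
dns_redirect_rules br-lan 192.168.1.0/24 192.168.10.2
```

Two caveats a practitioner should keep in mind: this only redirects plain port-53 DNS, so clients using DNS over HTTPS (443) or DNS over TLS (853) bypass the Pi-hole entirely; and the masquerade hides the real client address from the Pi-hole, so its per-client query log shows the router instead, which is another reason the routed-subnet layout is preferable.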