How to block certain domains for a *single* device

What i wanna achieve is behavior of luci-adblock, just adding a big list of domains to blacklist so it wont resolve, except only for single device. And rest of the connected devices using the usual DNS (DoH on

  • Ive already blocked the net address ranges with ipset, this is a secondary measure.
  • There are too many domains (entirety of facebook and affiliated domains) involved for dnsmasq-full <> ipset thing to be feasible (i think)
  • The device in question has a static lease.

Ive been pulling my hair over this all night and would appreciate any pointers.

Set up a couple of dnsmasq instances running on the same interfaces but different ports.
Redirect DNS queries with firewall by the source IP/MAC to the second instance.
Enable/disable DNS filtering for each dnsmasq instance on demand.
Note that IP sets can fit known public DoH domains, so it should also fit Facebook.