KidSafe (or Guest) WiFi, Forced SafeSearch and Adblock

In short; I side-stepped it. I use the option noresolv '1' option to ensure each subnet uses only those DNS resolvers listed in list server

Here are my (slightly truncated; to remove irrelevant and sensitive config) configs:

/etc/config/dhcp: you'll see that I'm actually forwarding requests from the FamilySafe net to Unbound which is set to CleanBrowsing's family filters as mentioned in my previous post. This is completely optional and was an 'intellectual exercise' to get DoT working. You could just list CleanBrowsing's DNS addresses here, directly. Note that Google, Bing and Youtube are set to the Safe Mode by this filter, so I don't have to manage this myself
config dnsmasq 'main'
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	list notinterface 'guest'
	list notinterface 'family'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	option rebind_protection '1'
	option noresolv '1'
	list server '127.0.0.1#5453'

config dnsmasq 'guest'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/guest/'
	option domain 'guest'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.guest'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list interface 'guest'
	list notinterface 'lo'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '185.228.168.9'
	list server '185.228.169.9'

config dnsmasq 'family'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/family/'
	option domain 'family'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.family'
	option serversfile '/tmp/adb_list.overall'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list interface 'family'
	list notinterface 'lo'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '127.0.0.1#53535'

config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guests'
	option start '100'
	option limit '150'
	option instance 'guest'
	option interface 'guest'
	option leasetime '1h'

config dhcp 'familysafe'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option instance 'family'
	option interface 'family'
/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2c:dd09:d634::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option ip6assign '60'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option username ''
	option password ''
	option ipv6 'auto'
	option peerdns '0'
	option dns '84.200.69.80 84.200.70.40'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option dns '2001:1608:10:25::1c04:b12f 2001:1608:10:25::9249:d69b'

config interface 'streaming'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.0.1'
	option type 'bridge'

config interface 'MODEM'
	option proto 'static'
	option ifname 'eth0.2'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

config interface 'family'
	option proto 'static'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'LTE'
	option proto 'ncm'
	option ifname 'wwan0'
	option device '/dev/ttyUSB0'
	option mode 'preferlte'
	option apn 'three.co.uk'
	option dialnum '*99#'
	option ipv6 'auto'
	option metric '40'
	option delegeate '0'
	option disabled '0'
	option auto '0'

Finally, I have a couple of firewall rules to hijack DNS requests in order that all devices use the DNS servers that I want them to, and this also forces them through the adblock filter:

/etc/config/firewall
config redirect 'adblock_dns'
	option name 'Adblock DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '192.168.100.1'

config redirect 'adblock_dns_guest'
	option name 'Adblock DNS Guest'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '10.0.0.1'

config redirect 'adblock_dns_family'
	option name 'Adblock DNS Family'
	option src 'family'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option dest_ip '172.16.1.1'

Hope that helps.