DNS filters for multiple network segments

For those of you who run multiple network segments/vlans, how do you guys run your DNS filter(s)? Do you have one filter to rule them all, or do you have different filters for each segment? Or just do this on the client side?

Just curious what other ways of doing this are (not looking for religious debates). I have always used bind, but it looks like pi-hole does this to some degree and so does DNSBL in pfblockerNG.

Also curious if this setup is in high demand?

DNSBL has its limitations when it comes to granularity. In the production world I use client side filtering because we have a lot of work from home people. Bitdefender is what we use. That said though if you wanted an alternative to this there is a product called nxfilter. This is an excellent way to use DNS block for on site and remote workers. You can install a client if you want. There are multiple ways to set it up and you can get as granular as you want.

I am using different DNS servers for most VLANs.

Default LAN is fully filtered with Snort/Pi-Hole/Unbound/…
One VLAN is unfiltered to comply with the WAF. Something not working? Use the SSID for that VLAN. :smiley:
Guest VLAN is more isolated and is using OpenDNS.
Etc.
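One way to express that layout in BIND, since the original question mentions bind: an added example of a named.conf fragment (not posted by anyone in this thread) that uses views to give each VLAN its own policy, with a Response Policy Zone (RPZ) on the default LAN, no filtering on a troubleshooting VLAN, and the guest VLAN forwarded to OpenDNS. The subnets, gateway addresses and the RPZ zone file path are assumptions; the OpenDNS resolver addresses are the public ones.

```conf
// Added example, not from the thread: per-VLAN resolver policy with BIND 9 views.
// Subnets, listen addresses and file paths are assumed values for illustration.

acl vlan_default    { 192.168.10.0/24; };  // assumed: main LAN, filtered
acl vlan_unfiltered { 192.168.20.0/24; };  // assumed: "something not working?" VLAN
acl vlan_guest      { 192.168.30.0/24; };  // assumed: guest VLAN

options {
    directory "/var/cache/bind";
    // assumed: the resolver has one address on each VLAN
    listen-on { 192.168.10.1; 192.168.20.1; 192.168.30.1; };
    recursion yes;
    allow-query { localhost; vlan_default; vlan_unfiltered; vlan_guest; };
};

// Default LAN: full recursion, answers rewritten by a local RPZ zone.
view "filtered" {
    match-clients { vlan_default; };
    recursion yes;
    response-policy { zone "rpz.local"; };
    zone "rpz.local" {
        type master;
        file "/etc/bind/rpz.local.db";  // assumed path; holds the blocked names
    };
};

// Troubleshooting VLAN: plain recursion, no RPZ, so a broken site can be
// checked against an unfiltered resolver from its own SSID.
view "unfiltered" {
    match-clients { vlan_unfiltered; };
    recursion yes;
};

// Guest VLAN: no local policy, everything forwarded to OpenDNS.
view "guest" {
    match-clients { vlan_guest; };
    recursion yes;
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; };
};
```

Views are matched in order, so a client that falls in no ACL gets no answer at all, which is the safe default. In the RPZ zone file a record such as `tracker.example CNAME .` (or `*.tracker.example CNAME .`) returns NXDOMAIN for that name and its subdomains. Two checks worth doing after reloading: `dig @192.168.10.1 tracker.example` from each VLAN to confirm the right view answers, and a firewall rule that blocks outbound port 53 (and known DoH/DoT endpoints) from the filtered VLAN, since a client that can reach any other resolver simply bypasses the filter.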

Is nxfilter good? It’s not open source and the website seems... interesting.
How legitimate is it?

I’ve used it and it is legit. Jeff from craft computing used it at one point in his videos.


Thanks for the info. Watched that video and it does look slick. Filtering based on time is one I have not thought about; I’d have to create a systemd timer for that (if the need arose). I imagine nxfilter can be set up per VLAN(s), so you don’t have to mess around with MAC addresses and DHCP ranges? The control freak in me probably couldn’t get comfortable with this, but that is my problem.

Filtering on the client side makes sense too. Especially bundling DNS in with other admin/security stuff the client agent does. Gateway filters can be simpler after that.

I am pretty sure you can do it per IP subnet. I think the way it works is you define the starting range and it determines the rest of the subnet.

It’s been a while since I set one up and I think Jeff mentioned it in his video. I can’t remember.