@richpriest yes, I did the same!

After wasting 1 year of my life with TP Link, I sold my device on Ebay, moved on to Ubiquity (if you want less fuss, go with Asus).

TP Link cannot provide support (my BE65 got 1 firmware  upgrade across the whole year) .. and treats their premium products like the cheap product lines.

Dont waste your time, give them to someone else who are not enthusiast or wants to play with their devices.

I'm also thinking about changing to some other mesh devices, since I can't use the guest network without those settings available, and because @TP-Link didn't even care about this since my last post, not to mention the OP and hundreds of other users... 

It's actually a matter of users' networks safety!

  @richpriest Does anyone know of a brand/model that would work for what we need?

  Hi, 1+ from my side for this feature. Same usecase as most of you (pi hole, guest and isolated IOT network on the Deco BE65). In my opinion its relatively easy to implement such a feature. The only alternative i have in mind are multiple subnets with vlan to subnet mapping and  mabye intervlanrouting (FW). I would really appreciate to have the possibility to configure a custom DNS Server for Guest and IOT Network.

  @richpriest this is just what I need, let me just type my local DNS IP in the guest network settings that it will just work.

First of all, +1 for wanting this feature.

With that out of the way, here are two work arounds:

1. If your DNS server only does DNS, like say pi-hole. Host the DNS server on the WAN side of your Deco. Your internet modem might already have multiple LAN ports and it's own DHCP server that can handle this. Alternatively you can run double NAT with an "outer" router which has the WAN port connected to your internet, and LAN ports connected to Deco and DNS server. Make sure DNS server has static IP and point both primary and secondary DNS server on the Deco to it.

2. If like me your DNS server also handles other things, such as a Home Assistant server handling your home automation but also hosting your AdGuard instance. Then you will need two NICs on this host. One NIC connects to your Deco as the primary DNS server handling the main network. The other NIC needs to be connected to WAN side such as the outer router on a double NAT as per work around 1. For the two IPs set one as primary DNS and one as secondary DNS. That way this host has both connection to the main LAN network as well as outside internet without going through Deco. Make sure there's no packet forwarding setup between the two NICs so they don't become a bridge. It's critical you don't try to connect the second NIC to the guest network via some kind of WIFI card - guest on the guest network cannot reach each other!

Any OS that automatically goes for secondary DNS when primary DNS is not responding (eg blocked URL) will then go around and still end up at your DNS server, thus no leak around unlike with a public DNS. And for guests that would be their one and only route to the DNS server.

  @Temstar Thanks, these are the best workaround solutions that I've seen so far. It'd be really nice if this feature would get implemented, but this is probably the next best option. Since I'm already running 2 separate pi-holes for redundancy, I'm planning to move one of them to the WAN side and list it as the secondary DNS.