Concur with the approach of simply stating the requirements in terms of desired functionality users will experience without mention of config/settings.
I have users x and users y, I want to ensure that users X access the internet with the following limitations...................., I want to ensure users y acccess the internet with the following limitations..............
Having an understanding of the requirements without clouding the issue with router setting you may or may not be using (either correctly or appropriately) is optimal to get you to a working useful solution!!
I personally have disabled DNS from DHCP on all my devices because I don't trust ISP DNS servers which are often given by DHCP in most of networks - either directly or indirectly since gateway forwards to ISP servers (starting from fact that they're censored). It's almost never good idea to allow for ISP DNS servers so I try to force 3rd party DNS servers wherever possible. That said this network has DNSSec & DNSEnc enabled caching DNS server forwarding to 184.108.40.206 and I don't want users to send requests to 220.127.116.11 (or in fact any non-DNSSec/DNSEnc enabled server) directly. That's why I want to redirect to local, protected DNS and I don't want users who disallowed DNS from DHCP (including myself lol) to have issues with connectivity.
I use such setup for years however now I noticed issue for the first time since firewall blocks packets only after second bridge (so it works properly for all APs working as bridges that are connected directly to core router but now for the first time I used more than 1 firewalled bridge along the path and it drops packets to 18.104.22.168 when using my usual config)