Domain Name System

How to whitelist mac addresses in ipchain?

Preamble
There is a "family" Yandex-dns, for which a second dnsmasq instance is running on the router and ipchains rules are configured that transparently proxy all connections from these hosts anywhere to the 53rd port of this dnsmasq instance.
These rules are written through uci, and in real ipchains they look like more or less like this:

iptables -t nat -A zone_lan_prerouting -p udp -m id --id 0x66773300 -m udp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX -m comment --comment family-yandex-dns -j DNAT --to-destination 192.168.1.5:65053
iptables -t nat -A zone_lan_prerouting -p tcp -m id --id 0x66773300 -m udp --dport 53 -m mac --mac-source XX:XX:XX:XX:XX:XX -m comment --comment family-yandex-dns -j DNAT --to-destination 192.168.1.5:65053

(and so on for a couple of rules for each host).
It turns out a kind of "black list" - all network hosts can directly go to the Internet, except for the hosts explicitly specified in the rules (children's devices), which always go through the backup dns and from there to the "family" dns.
Plot
I would like to do the opposite. So that all hosts are proxied to the family dns by default, except for a select list of those who can go anywhere directly.
Modify the rules above by prefixing the poppy address with ! if it doesn't work - they don't give De-Morgan's rules. In other words - in this case, between the rules should be "OR", not "AND".
It is also impossible to register several poppy addresses in one rule.
And what to do?
It begs the idea to somehow mark traffic for "white" hosts, and later, depending on the marking, either let it go directly to the Internet or proxy it. But there is nothing but thought; I'm not a sysadmin and have absolutely no idea how to do this. In addition, it would be better to do this through uci, and not directly climb into the iptables rules.
Or maybe something else is needed?