How is Pi-hole/embedded dnsmasq to distinct between the two VLANs with only those two new tag names (vlanmain & vlaniot)?
In below Pi-hole v5 example with a Pi-hole host thats got multiple interfaces, the tag is set to the physical interface name (eth1) to distinct between the two:
You cant have multiple DHCP ranges if the Pi-hole host only has one interface bc of the broadcast nature of DHCP.
DNS and HTTP etc are all unicast.