MayeulC, yesterday at 9:18 PM

Thank you for the explanation; it was most interesting. I had no idea Bedrock could be coerced into talking to Java servers.

Here are a few ideas:

1. Geoblocking. Not ideal, but it can make your resolver public for fewer people.

2. What if your DNS only answers queries for a single domain? Depending on the system, the fallback DNS server may handle other requests?

3. You could always hand out a device that connects to the WLAN. Think a cheap ESP32. Only needs to be powered on when doing the resolution. Then you have a bit more freedom: IPv6 RADV + VPN, or try hijacking DNS queries (will not work with client isolation), or set it as resolver (may need manual config on each LAN, impractical).

4. IP whitelist, but ask them to visit an HTTP server from their LAN if it does not work (the switch has a browser, I think); this will give you the IP to allow, and you can even password-protect it.

I'd say 2 is worth a try. 4 is easy enough to implement, but not entirely frictionless.
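Idea 2 above, sketched as an added example that is not part of the original comment: a responder policy that answers A queries for one zone and returns REFUSED for every other name, so the server is of no use as a general open resolver. The zone `mc.example.net`, the address `192.0.2.10` and all function names are hypothetical, and the sample queries are constructed.

```python
import socket
import struct

ALLOWED_ZONE = "mc.example.net"   # hypothetical: the only zone this server answers for
ANSWER_IP = "192.0.2.10"          # constructed documentation address (RFC 5737)
RCODE_REFUSED = 5

def parse_question(packet):
    """Return (qname, qtype, end_offset) for the first question of a DNS query."""
    labels, pos = [], 12                       # the question follows the 12-byte header
    while True:
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length > 63:                        # no compression pointers in a query name
            raise ValueError("unexpected label type")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, pos + 4

def in_zone(qname, zone=ALLOWED_ZONE):
    """Match the zone or a subdomain of it, never a look-alike suffix."""
    return qname == zone or qname.endswith("." + zone)

def respond(packet):
    """Build the reply: an A record inside the zone, REFUSED outside it."""
    qname, qtype, end = parse_question(packet)
    txid, question = packet[:2], packet[12:end]
    if not in_zone(qname):
        flags, answers = 0x8000 | RCODE_REFUSED, b""          # QR=1, RCODE=5
    elif qtype != 1:
        flags, answers = 0x8400, b""                          # in zone, no data for this type
    else:
        flags = 0x8400                                        # QR=1, AA=1, NOERROR
        answers = (struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)  # name pointer, A, IN, TTL, len
                   + socket.inet_aton(ANSWER_IP))
    ancount = 1 if answers else 0
    return txid + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + question + answers

def make_query(name, txid=0x1234):
    """Constructed sample query (type A, class IN) used to exercise respond()."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

Whether a client then falls back to its other resolver on REFUSED depends on the client, which is the open question the comment raises.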