Custom Dnsmasq DNS, NextDNS

  • Custom Dnsmasq DNS, NextDNS

    Wondering if it's possible to use multiple DNS profiles at NextDNS through custom Dnsmasq settings.

    This is the default code provided, but I've been trying to edit it with no luck in having different VLANs/interfaces point to their own profile. Please help in letting me know what needs to be added or removed. Regardless of what I've tried, this code seems to be global and affects all interfaces.
    dnsmasq
    Use the following in dnsmasq.conf:
    Code:
    no-resolv
    bogus-priv
    strict-order
    server=2a07:a8c1::
    server=45.90.30.0
    server=2a07:a8c0::
    server=45.90.28.0
    add-cpe-id=<profile>
    Basically what I'm asking is how do you route DNS request based on source interface or subnet.

  • #2
    I could be wrong here, but IIRC the DHCP settings for each interface/subnet are distinct, and you can put different DNS server assignments there. That is, rather than trying to do advanced selection in the DNS server, you can do a comparatively simple DNS assignment within each network.
    Last edited by jcoehoorn; 06-05-2023, 06:58 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty



    • #3
      Generally speaking, it's exceptionally rare that someone would need to use custom DNSmasq settings; that's why we have the warning on that page that says 'don't mess around in here'.

      Originally posted by jcoehoorn:
      I could be wrong here, but IIRC the DHCP settings for each interface/subnet are distinct, and you can put different DNS server assignments there. That is, rather than trying to do advanced selection in the DNS server, you can do so a comparatively simple DNS assignment within each network.
      Depends what we're talking about with respect to DNS serving.

      When a device gets a DHCP lease from NG Firewall, we give them the interface IP of the interface they're connected to as their DNS server: your computer says 'lease please?' and we respond 'sure, here's your IP address, and also please send DNS queries to my address'. You can set an override in each LAN's DHCP configuration, which changes the DNS server IP we provide as part of the lease. (That's typically useful if you have an internal DNS server.)

      When DNS queries are received by NGFW, they're then sent on to whichever DNS server(s) are specified in the WAN config. So your computer says 'please take me to google.com' and NGFW asks the external DNS server for its WAN 'hey, what's the IP for google.com?'

      So to jcoehoorn's point: if you have multiple LAN interfaces, each one can be set up to provide a different DNS server as part of a DHCP lease. You might have a 'normal' LAN for computers and another LAN strictly for IoT devices, for example, and you could instruct the normal LAN to send DNS queries to NG Firewall, while the IoT LAN sends DNS queries somewhere else. This may be what you're trying to do? If not, we need some more detail on what your end goal is.
      Græme Ravenscroft • Technical Marketing Engineer
      ('gram', like the unit of measurement)
      he/him
      How can we make Arista ETM products better?
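The per-LAN approach described above, written out in dnsmasq syntax as an added example (not NG Firewall's own generated config or the NextDNS instructions from the first post): each dhcp-range sets a tag, and a tagged dhcp-option hands that network its own DNS server. The subnets, tag names and lease times are constructed; the 45.90.x.x addresses are the NextDNS anycast servers already quoted in this thread.

```conf
# Constructed example: two LANs, each receiving a different DNS server
# in its DHCP lease. Tags set on the range are matched by dhcp-option.

# "Normal" LAN: clients are told to send DNS to the dnsmasq host itself.
# 0.0.0.0 in option:dns-server is dnsmasq shorthand for "my own address
# on the interface the request came in on".
dhcp-range=set:lan,192.168.10.50,192.168.10.150,12h
dhcp-option=tag:lan,option:dns-server,0.0.0.0

# IoT LAN: clients are told to query NextDNS directly, bypassing the
# firewall's resolver entirely.
dhcp-range=set:iot,192.168.20.50,192.168.20.150,12h
dhcp-option=tag:iot,option:dns-server,45.90.28.0,45.90.30.0

# Upstream forwarding for queries that do reach dnsmasq. Note that
# server= lines (and add-cpe-id) apply to every query dnsmasq forwards,
# regardless of which interface or subnet it arrived from, which is why
# the block in the first post behaves globally.
no-resolv
bogus-priv
strict-order
server=45.90.28.0
server=45.90.30.0
```

Clients on the IoT LAN then never pass through NG Firewall's DNS path at all, so any per-profile behaviour for them is decided at NextDNS, not here.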



      • #4
        Originally posted by [email protected]:
        Wondering if it's possible to use multiple DNS profiles at NextDNS through custom Dnsmasq settings.

        This is the default code provided but I've been trying to edit with no luck in have different vlans/interfaces point to their own profile. Please help in letting me know what needs to be added or removed. Regardless what I've tried this code seem to be global and affects all interfaces.


        Basically what I'm asking is how do you route DNS request based on source interface or subnet.
        What you need is Split Horizon or Split DNS. I have done this decades ago on BIND DNS and it works well. dnsmasq, used by Arista internally, has partial support via "-y" or "--localise-queries" and populating /etc/hosts afterwards. You can try, but I haven't implemented it personally as it's slightly convoluted and there's no use case for me.
