If this is for your guest internet traffic I am a little confused. Does it matter if you guest traffic uses a different / Public dns server to get to the internet. If they are totally separated physically or via a vlan then I am not sure of the issue. If it were me I always have control of any traffic wired or wireless within any of my infrastructure and always have firewalls in place even if it is just for guest traffic. Client isolation is turned on and the quest traffic is on a DMZ. I am a consultant and work with a lot of banks, schools and businesses and the amount of attacks has increased so much in the past couple of years that it has become a defacto standard to deploy firewalls at any business site that has access to the internet, if you are not doing this your are setting yourself up for failure. The hackers have turned their attention to the small and medium sized business as they have become more lucrative and easier to hack either via lack of security standards, phishing or social engineering and we don't do any managed customers with out certain standards in place period.