I'm trying to get an isc-dhcp-server configuration to use different DNS servers based on the IP address assigned.
Basically, I want some of my clients marked as not trusted, which then may not access services using the internal URL.
I tried using range-based pools, which do not seem to be able to handle the domain-name-servers option. I also tried using multiple subnets with the same IP/netmask configuration and a range directive, which always leads to the untrusted DNS being used. You can see both configs below. The IP ranges are just examples, don't pay too much attention to them.
What am I not understanding correctly?
Using range-based pools
subnet 192.168.1.0 netmask 255.255.255.0 {
    pool {
        deny unknown-clients;
        range 192.168.0.2 192.168.0.50;
        option domain-name-servers 192.168.0.254;
    }
    pool {
        allow unknown-clients;
        range 192.168.0.100 192.168.0.150;
        option domain-name-servers 1.1.1.1;
    }
}
Using range filtered ip/netmask
# Trusted
subnet 192.168.0.0 netmask 255.255.255.0 {
    option domain-name-servers 192.168.0.254;
    deny unknown-clients;
    range 192.168.0.50 192.168.0.99;
}
# Untrusted
subnet 192.168.0.0 netmask 255.255.255.0 {
    deny unknown-clients;
    option domain-name "1.1.1.1";
    range 192.168.0.100 192.168.0.149;
}
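
An added example, not part of the original post: the known/unknown-client pool layout documented in dhcpd.conf(5), with one subnet declaration and a per-pool domain-name-servers option. The host name, MAC address, router address and ranges are constructed for illustration.

```conf
# Added example with constructed values (host name, MAC, router, ranges).
# A client is "known" when it matches a host declaration; all others are "unknown".
host trusted-laptop {
    hardware ethernet 00:11:22:33:44:55;    # constructed MAC
}

# One declaration per subnet; every range lies inside 192.168.0.0/24.
subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;             # assumed gateway

    # Known (trusted) clients: internal resolver.
    pool {
        deny unknown-clients;
        range 192.168.0.50 192.168.0.99;
        option domain-name-servers 192.168.0.254;
    }

    # Unknown (untrusted) clients: public resolver.
    pool {
        allow unknown-clients;
        range 192.168.0.100 192.168.0.149;
        option domain-name-servers 1.1.1.1;
    }
}

# The resolver handed out by DHCP is advisory: a client can configure any DNS
# server itself, and a MAC address can be copied. Restricting the untrusted
# range from internal services also needs a firewall rule or a resolver ACL.
```

The file can be syntax-checked before a restart with `dhcpd -t -cf <path>`.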