A dedicated offline switch is so much simpler than VLANs to configure, use and understand.
I'd use the same software stack on either a Linux machine that's on that LAN, or just use a Raspberry Pi.
I'd basically run the entire network part with dnsmasq. You don't need anything else for DHCP and DNS. You don't even need to mess with iptables since you don't want packets leaving that LAN.
If you're running the wires (and how many wires are we talking here? 24 or less I bet) ... then the simplicity is worth much more IMO.
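A dnsmasq configuration for the offline LAN described in the comment above, as an added example that is not the commenter's own. The interface name `eth1`, the 192.168.50.0/24 addressing, the `lab.lan` domain and the reserved host entry are assumptions, and the machine running dnsmasq is assumed to hold the static address 192.168.50.1 on that interface.

```conf
# /etc/dnsmasq.d/offline-lan.conf (file name is an assumption)

# Serve only the interface plugged into the offline switch (assumed name).
interface=eth1
bind-interfaces

# DNS: never consult /etc/resolv.conf and define no upstream server= lines,
# so names outside the local zone simply fail to resolve.
no-resolv
domain=lab.lan
local=/lab.lan/
expand-hosts

# DHCP: hand out leases from a pool on the isolated subnet (assumed range).
dhcp-authoritative
dhcp-range=192.168.50.50,192.168.50.150,255.255.255.0,12h

# Send no router option (option 3), so clients get no default gateway
# and have no route off this LAN.
dhcp-option=3

# Point clients at this host for DNS (option 6).
dhcp-option=6,192.168.50.1

# Fixed lease for a known device (constructed MAC and hostname).
dhcp-host=aa:bb:cc:dd:ee:01,nas,192.168.50.10

# Log every DHCP transaction so an unexpected device on the switch shows up.
log-dhcp
```

If the dnsmasq host also has an uplink on another interface, check that `net.ipv4.ip_forward` is 0 there; with forwarding off and no gateway advertised, nothing routes between the two networks.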