You can’t switch ports by DNS. (well not for today’s http(s)-based services at least; SVCB+HTTPS records probably wouldn’t help you much yet)
I personally think that it’s better to handle mess like the original question without touching DNS, directly on IP level (firewall settings). IP addresses should better route the same way from both LAN and WAN (unless blocked); otherwise I find it unnecessarily confusing. It also avoids trouble if some device/app decides to use some kind of different (“secure” / “better” / whatever) DNS, bypassing DNS from your Turris.
But I don’t know too well how these firewall things work, and I think it’s better discussed in a separate topic anyway.