RadTunesly DD-WRT Novice
Joined: 02 Mar 2025 Posts: 9
Posted: Mon Jun 02, 2025 8:56 Post subject: DD-WRT, NordVPN, PBR & DNS Leaks - Help!
I'm running DD-WRT (v3.0-r59369) on a Netgear R7000. I'm using it as a WireGuard server so I can access my server from outside my LAN securely and also as a WireGuard client so all my home traffic runs through NordLynx.
To achieve this I have PBR on the NordLynx tunnel:
Source Routing (PBR): Route Selected Sources via WAN
Source for PBR: sport <wireguard server listening port>
I also have two piholes on my network that I use for resolving queries to local network services via a reverse proxy. I use Quad9 as my upstream with DNSSEC enabled on the piholes.
My DD-WRT router is serving as my DHCP server with static leases for all local devices. DNSmasq is enabled with the following Additional Options so I can get DNS data for each device on the network by name:
dhcp-option=br0,6,<pihole 1 IP>,<pihole 2 IP> (wired)
dhcp-option=wl0,6,<pihole 1 IP>,<pihole 2 IP> (wireless 5g)
dhcp-option=wl1,6,<pihole 1 IP>,<pihole 2 IP> (wireless 2.4g)
This setup is currently working except I have DNS leaks.
Using DNSleaktest.com, all devices on my LAN are showing my NordVPN as my outgoing IP, but I'm getting unexpected results for DNS. Sometimes Cloudflare servers, sometimes my ISP's DNS servers, and on my mobile I'm getting my mobile data provider's DNS servers.
For the NordLynx tunnel, I have their DNS IP listed next to "DNS Servers via Tunnel".
What I'm hoping to achieve is for all outgoing DNS queries to use NordVPN's DNS servers and all queries for my local network devices to use the piholes (including those coming through my WireGuard server). I'm not sure if this needs to be defined in my DD-WRT settings or in my pihole settings. If it is DD-WRT that can achieve this, do you have any advice on what needs changing?
Many thanks.