AGH DNS over VPN tun?

I have an OpenWRT router configured almost exactly the way I want it, except for one thing.

I have AGH as my DNS resolver for my home network, and I have 2 subnets - one is standard (LAN -> WAN), the other is for NordVPN (VPNLAN -> VPNWAN [tun0]).

I want both of these to be forced to resolve through AGH, and have that working.

However, the problem I have is that AGH is resolving outside of the VPN tunnel, and for NordVPN I have a static IP through them, which means that when using their DNS servers inside the tunnel, it will track to a DNS server IP correctly (so stuff like Amazon Prime Video will work), but when used outside the tunnel, it doesn't work, and things don't function right.

I am able to see this problem through the use of ipleak.net - which shows a different DNS server when resolved inside the tunnel vs out. If I manually configure my client to use the Nord DNS servers, everything works. If I use the DNS server supplied by my router (which would be AGH), it doesn't work. The only difference I believe is how the Nord DNS servers are being queried.

So, I am looking for a way to get AGH to send its upstream DNS requests through the VPN tunnel. I have tried a PBR rule that picks up on remote port 53, and sends to the tun device. This doesn't work.

I'm wondering if there's a custom fw4 nft rule I can do to accomplish what I want, and/or a way to configure it through LuCI? I am not familiar enough with nft to do it myself, and I've learned to be careful with the firewall rules.

I can almost get there with the firewall config file, or at least, the way I would think it should work, except I can't make the rule be for traffic from the router to WAN, it seems like all the port forward stuff works off the notion of from not the router TO the router (or through the router).

Set the upstream AGH home DNS server to route via the tunnel when the tunnel is up.
I use 1.1.1.1 in this example but substitute for the AGH DNS server, if necessary you can set multiple DNS servers.

In the OpenVPN config set:
route 1.1.1.1 255.255.255.255 vpn_gateway
Now all traffic to 1.1.1.1 is routed via the VPN tunnel

There is no "upstream" server separate from the router. I don't want everything on the router to end up through the VPN. AGH is on my router. I would need to restrict such things to requests from the router outgoing to 53. I am blocking incoming requests from the internet to port 53, because I don't want anyone else to use my DNS server.

If it was separate, I think it would be an easier configuration. But it's on the router, so I am trying to get it to route the outgoing remote port 53 requests from the router (which would be from AGH) to go through the VPN.
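One way to do exactly what the question asks (router-originated port 53 only, not all router traffic, via the tunnel), as an added example that is not from this thread: an fw4 include marks the router's own outbound DNS, and an OpenVPN up/down script points that mark at a routing table whose only route is tun0. Assumed, not from the thread: the tunnel is tun0, AGH's upstreams are plain port 53 (not DoT/DoH), fwmark 0x35 and routing table 53 are unused, and the VPN firewall zone has masquerading enabled so the reply path works.

```shell
#!/bin/sh
# Added example (not the thread's own config): force the router's OWN outbound
# DNS (AGH's upstream queries) through the VPN on OpenWrt/fw4, leaving other
# router traffic on WAN. Hook it from OpenVPN with "up"/"down" (script-security 2).
# Assumptions: tunnel is tun0, AGH upstreams use plain port 53, fwmark 0x35 and
# routing table 53 are unused, the VPN zone has masquerading enabled.

DNS_MARK=0x35
DNS_TABLE=53
VPN_IF="${dev:-tun0}"           # OpenVPN exports $dev to up/down scripts
NFT_INCLUDE=/etc/nftables.d/90-dns-via-vpn.nft

# fw4 loads /etc/nftables.d/*.nft inside "table inet fw4", so only the chain is
# needed. "type route" on the output hook makes the kernel re-route the packet
# after the mark is set; a plain "filter" chain would mark it too late.
dns_mark_nft_rules() {
    cat <<EOF
chain mangle_output_dns_vpn {
    type route hook output priority mangle; policy accept;
    meta l4proto { tcp, udp } th dport 53 meta mark set ${DNS_MARK} comment "router DNS via VPN"
}
EOF
}

# One-time install of the marking chain (survives fw4 reloads).
dns_vpn_install() {
    dns_mark_nft_rules > "$NFT_INCLUDE" && fw4 reload
}

# Tunnel up: marked packets consult table 53, whose only route is the tunnel.
dns_vpn_up() {
    ip route replace default dev "$VPN_IF" table "$DNS_TABLE"
    ip rule add fwmark "$DNS_MARK" lookup "$DNS_TABLE" priority 100 2>/dev/null
}

# Tunnel down: drop the rule so DNS falls back to WAN (the non-VPN LAN also
# relies on AGH, so failing closed here would take its DNS down too).
dns_vpn_down() {
    ip rule del fwmark "$DNS_MARK" lookup "$DNS_TABLE" priority 100 2>/dev/null
    ip route flush table "$DNS_TABLE"
}

case "${script_type:-${1:-}}" in
    install) dns_vpn_install ;;
    up)      dns_vpn_up ;;
    down)    dns_vpn_down ;;
esac
```

Run it once with `install`, then reference it from the OpenVPN config as the `up` and `down` script; `ip rule show` and `ip route show table 53` confirm the state while the tunnel is up, and ipleak.net should then report the Nord resolver for clients using AGH.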