DNS for multiple VLANs when LAN routes through VPN

I have configured my router to have multiple VLANs, each with a distinct SSID, some of which route via an OpenVPN tunnel. At the moment all VLANs behave as expected: for example a device connecting to the guest VLAN converses directly out through wan but a device connected to the remote VLAN sends all traffic out through the tun0 tunnel as expected. Currently lan is routed through wan, so my physical ethernet ports do not use the VPN.

My desired configuration differs from current in the following ways:

  1. I want lan to use the VPN tunnel rather than routing traffic to wan
  2. I want all clients on lan to continue to use the router for DNS resolution so that they can reach "mynas" (and other statically defined hosts) by name rather than by IP, but all other DNS queries should be forwarded to the VPN provider's resolvers rather than to the 8.8.x.x upstream servers.
  3. Optionally, I would like to not have to use DHCP option 6 for DNS configuration; I would prefer these all point to the router and it handles resolution correctly based on the VLAN of the client.

Note that I do not mind how DNS works for the other VLANs: using DHCP option 6 for them is adequate for my needs, though I would prefer not to use option 6 and instead to specify DNS on the appropriate network directly, as conceptually that makes more sense to me (partly just personal preference).

Below are my full definitions for the network, dhcp, and firewall config files, but in particular note that I am defining 8.8.8.8/8.8.4.4 for upstream DNS for anything not going through the VPN and the VPN DNS resolvers for anything routing through the VPN. Note that additional VLANs have been removed for simplicity, but they follow the same model(s) as the ones presented here and behave similarly.

I have listed upstream DNS servers on lan but I believe this should actually be pointed to the router directly or be left off altogether. As far as I understand, the `dns` list on an OpenWrt interface feeds the router's own resolver file (the one dnsmasq forwards to), rather than telling clients which server to use, which would explain why lan clients still use the router: devices connected to lan are able to successfully ping my router and "mynas" by name, so clearly lan is using the router for resolution at the moment. What I want to avoid is a DNS leak, where lan traffic goes through tun0 but the router's own lookups on behalf of lan clients still go to 8.8.x.x over wan.

Here's /etc/config/network:

# /etc/config/network (as posted). Lines starting with "NOTE(review):" are
# reviewer annotations and are not part of the original file.

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdf1:91a9:b76c::/48'

# Bridge over the four physical ports; this is the interface the question
# wants moved behind the VPN.
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'
    # NOTE(review): ip6assign hands lan clients a prefix delegated via wan6.
    # If tun0 is IPv4-only, their IPv6 traffic still leaves via wan6 and
    # bypasses the VPN -- confirm tun0 carries IPv6, or drop ip6assign/RA
    # on the VLANs that are meant to be VPN-only.
    option ip6assign '60'
    list dns_search '<my fqdn>'
    # NOTE(review): on OpenWrt an interface's `dns` list is written by netifd
    # into the router's own resolver file (the `resolvfile` dnsmasq reads in
    # /etc/config/dhcp); it is not what DHCP advertises to lan clients.
    # Clients use the router regardless (dnsmasq advertises itself unless
    # option 6 overrides it), so these two entries are what send lan's
    # *upstream* lookups to Google instead of the VPN resolvers -- and those
    # router-originated queries leave via wan unless the pbr policy also
    # covers traffic from the router itself (a DNS leak once lan is behind
    # the VPN). Likely candidates for removal.
    list dns '8.8.8.8'
    list dns '8.8.4.4'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'
    # peerdns 0: ignore the ISP-supplied resolvers, use the list below.
    option peerdns '0'
    list dns '8.8.8.8'
    list dns '8.8.4.4'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'
    option peerdns '0'
    list dns '2001:4860:4860::8888'
    list dns '2001:4860:4860::8844'

# tun0 is created by OpenVPN rather than netifd, hence proto 'none'.
config interface 'vpn1'
    option device 'tun0'
    option proto 'none'
    # NOTE(review): these resolvers land in the same router-wide upstream
    # list as 8.8.x.x above, so a single dnsmasq instance will mix them.
    # Make sure the addresses are routed via tun0 (host routes, or a pbr
    # policy for router-originated traffic); otherwise queries to them go
    # out wan in the clear and the provider's resolver will likely refuse
    # them anyway.
    list dns '<dns server 1>'
    list dns '<dns server 2>'

config interface 'guest'
    # NOTE(review): `type bridge` without a `device` is the pre-21.02
    # syntax; presumably the bridge/VLAN device was trimmed for the post.
    option type 'bridge'
    option proto 'static'
    option ipaddr '10.1.1.1'
    option netmask '255.255.255.0'
    # NOTE(review): 10.0.0.1 is the lan address and is not on 10.1.1.0/24.
    # An internal static VLAN needs no gateway at all; a gateway that is not
    # on-link is at best ignored and at worst installs a competing default
    # route. Check `ip route` and consider removing it (same on 'remote').
    option gateway '10.0.0.1'

config interface 'remote'
    # NOTE(review): no `device` shown -- presumably trimmed with the other
    # VLAN definitions; confirm it is bound to the intended VLAN device.
    option proto 'static'
    option ipaddr '10.1.2.1'
    option netmask '255.255.255.0'
    option gateway '10.0.0.1'

Here's /etc/config/dhcp:

# /etc/config/dhcp (as posted). Lines starting with "NOTE(review):" are
# reviewer annotations and are not part of the original file.

config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    # Drop upstream answers that resolve to private/loopback addresses
    # (DNS-rebinding protection). NOTE(review): if the VPN resolvers return
    # RFC1918 addresses for provider-internal names, those answers will be
    # filtered; whitelist such zones with `list rebind_domain`.
    option rebind_protection '1'
    option rebind_localhost '1'
    # Names under .lan are answered locally and never forwarded upstream.
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option cachesize '1000'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    # Upstream forwarders are taken from this file, i.e. every `dns` list
    # netifd collected from the interfaces in /etc/config/network, merged
    # into one pool. NOTE(review): this is why 8.8.x.x and the VPN resolvers
    # cannot be kept per-VLAN with a single instance. For goal 3, one option
    # OpenWrt supports is a second `config dnsmasq` section bound with
    # `list interface` to the VPN'd VLANs, using `option noresolv '1'` and
    # `list server` for the VPN resolvers, while this instance stays on the
    # non-VPN VLANs; both instances can serve the same local host entries.
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    # Only answer queries from directly attached subnets.
    option localservice '1'
    option ednspacket_max '1232'

# No option 6 here, so lan clients are told to use the router for DNS
# (consistent with them resolving "mynas" by name today).
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config host
    option name 'mynas'
    option mac '<mac address>'
    # dns 1: publish the name in DNS as well as reserving the lease.
    option dns '1'
    option ip '10.0.0.2'
    option leasetime '168h'
    # NOTE(review): this would hand the NAS Google DNS directly, so it would
    # bypass the router (no local names, no VPN resolver) -- the opposite of
    # goal 2. I am also not sure `dhcp_option` is honoured in a `host`
    # section at all; in the UCI schema it belongs to `dhcp` pools (per-host
    # options are normally attached via `tag`). Probably a leftover to drop.
    option dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'remote'
    option interface 'remote'
    option start '32'
    option limit '223'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    # NOTE(review): 'lan' above uses `ra_flags`; `ra_management` is the
    # older spelling of the same setting -- pick one for consistency.
    option ra_management '1'
    # Clients are pointed straight at the VPN resolvers (bypassing the
    # router, hence no local names on this VLAN) -- acceptable per the
    # question, but those addresses must then be reachable from this subnet
    # through tun0 only, otherwise the queries leak out wan.
    list dhcp_option '6,<vpn dns addresses>'

Here's /etc/config/firewall:

# /etc/config/firewall (as posted). Lines starting with "NOTE(review):" are
# reviewer annotations and are not part of the original file.

# Deny-by-default baseline; everything else is opened per zone below.
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    # NOTE(review): as far as I recall, a zone's `forward` policy only
    # governs forwarding between networks inside the same zone; traffic from
    # lan to another zone still needs a `config forwarding` entry (there is
    # one to wan below, none to vpn1 yet).
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

<all rules snipped as not relevant to this query>

# pbr (policy-based routing) installs its own marking rules through this
# include; that is what steers 'remote' into tun0.
config include 'pbr'
    option fw4_compatible '1'
    option type 'script'
    option path '/usr/share/pbr/pbr.firewall.include'

config zone 'vpn1'
    option name 'vpn1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    # masq 1: source-NAT onto the tunnel address, same as for wan.
    option masq '1'
    option mtu_fix '1'
    list network 'vpn1'

# NOTE(review): with input REJECT, DHCP (udp/67) and DNS (53) from guest
# and remote to the router must be allowed by the snipped rules -- presumably
# they are, since these VLANs currently work. `masq` on an internal zone
# NATs traffic *into* that zone; it looks unnecessary here.
config zone 'guest'
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone 'remote'
    option name 'remote'
    list network 'remote'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

# NOTE(review): for goal 1 lan also needs a `config forwarding` with
# src 'lan' and dest 'vpn1'. Security caveat: if this lan->wan forwarding is
# kept as well, lan traffic is likely to fall back to plain wan whenever
# tun0 is down or the pbr mark is missing. 'remote' below has no forwarding
# to wan, which is what gives it a firewall-level kill switch -- mirror that
# for lan.
config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'wan'

# The tunnel is the only path out for 'remote'.
config forwarding
    option src 'remote'
    option dest 'vpn1'