Split tunneling sub-domains: pbr with nft sets on 22.03.5 and dnsmasq-full 2.89

Hi. I'm trying to use pbr to route requests to certain domains through my vpn (split tunneling). It all works great in general. I've had a hard time enumerating all the sub-domains that are needed, however. I've done this by parsing tcpdump output and it works alright.

An easier solution would be to set a dest_addr rule in pbr for example.com and have it work for a.example.com, b.example.com, etc. I installed dnsmask-full 2.89 with nftsets and enabled option resolver_set 'dnsmasq.nftset'. It doesn't seem I broke anything - so that's good. Everything works the same as it did with the older version of dnsmasq.

My problem is that when I set a rule with option dest_addr 'example.com' it doesn't match on 'a.example.com' and I thought it would, based on the notes here: https://docs.openwrt.melmac.net/pbr/.

What am I doing wrong? Is there a setting I've missed?
TIA.

Couple more details about my setup:

root@MainRouter:~# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "MainRouter",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}
root@MainRouter:~# dnsmasq -v
Dnsmasq version 2.89  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
root@MainRouter:~# uci export pbr
package pbr
config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'
	option webui_show_ignore_target '1'
	option resolver_set 'dnsmasq.nftset'