Thanks for confirming the priority of fw4 and pbr. To me, the next question is how to achieve the goal of keeping an interface banned from accessing the WAN with domain-specific exceptions?
EDIT: I read dns_ipset and have these entries but still not achieving the result. I created a new thread here.