Hi,
thanks for your explanation which solves / explains a different problem with the split-tunnel (policy mode manual) setup. I would have liked that once the VPN is established every DNS query goes to the DNS provided by the VPN connection. I solved this by distributing that DNS server via DHCP to the clients attached to the AXT1800. While this is not an ideal solution it works for this specific setup.
However, the issue I described is a different one. When in manual Policy Mode, all DNS queries sent by a CLIENT directly to a server behind the VPN tunnel get dropped by the AXT1800 (as in they never reach the other router). Pinging the very same IP works fine, and once I switch to the "all targets" policy mode, DNS requests no longer get dropped and are received by the DNS server behind the tunnel. The AXT1800 internal DNS server is not used in this setup (see above). Also, the AXT1800 itself is unable to reach the DNS behind the VPN in the manual policy mode.
However, I found this thread MUDIV2 4.8.3 beta issues - #4 by will.qiu basically describing the same issue. So I downloaded the nightly build of the 4.8.3 beta for the AXT1800. After the update (and after switching the policy mode around, so the iptables rules get recreated) it immediately started working in manual policy mode.
When comparing the "settings backup" from LuCI, the /etc/config/firewall enables the "*_drop_leaked_dns" rules.
I'm glad the latest beta fixes the problem. Now I'm waiting for the stable 4.8.3 release. I'll also consider your proposed changes to use the AXT1800 DNS server for requests again!