I use Control D and a utility they have running on OpenWRT to send Encrypted DNS for all clients on the device.
Just seems strange that all devices go through the VPN to request DNS when the VPN is set to CLIENT DEVICE POLICY.
OK, thanks for the info on Tailscale - I thought it would be OK to use WG Client and Tailscale together, as I thought Tailscale was more like a WG server replacement, and we have the option to run both server and client.
I do something similar but I have a custom dnscrypt-proxy2.toml for my Encrypted DNS account. dnscrypt-proxy2 is the process behind the GL GUI’s Encrypted DNS. The .toml is the configuration file.
ls -l /etc/dnscrypt-proxy2/