Just adding my two cents, but I’ve tested VPN Policy + Custom DNS on 3 different models now and have reached the conclusion that it simply cannot work. Clients can’t get DNS resolution for any host your DNS server covers unless the router has already cached it by doing a nslookup from router CLI.