Maybe someone can add more information about that…
Well, if I look at the firewall rules DNSDirector creates, they are only applied to br+ interface devices. That would be your LAN and guest Wi-Fi.
Further firewall rules use the devices' MAC addresses to redirect specific MAC addresses to the selected DNS service.
When connecting into your router via WireGuard, you won't be a part of the LAN (br+); instead you would be on a standalone interface (wgs1) that has access to the LAN.
So if you take your device outside of your LAN and connect into your router via WireGuard, your router will not recognize it as the same device. It will not be on the same interface and it will not use the same MAC address. Due to this, it will no longer fall under DNSDirector rules.
When you generate the client config and scan the QR code (or import the file) to your client, WireGuard includes a DNS entry which tells the client which DNS service it should use when connected. It's usually set to the router itself. The problem is that since DNSDirector doesn't intercept these, they will go to your router's DNS forwarder (dnsmasq), which gets its DNS from WAN DHCP (or from whatever you specified yourself).
Normally you can change this in the client WireGuard app. I know on Android I can click on an imported tunnel to view info about it, and from there I can also edit the tunnel (pen icon). Here there is a DNS field, pointing to my router. You could put whatever DNS service you would like here. Save, exit and start the tunnel. Your change will be persistent.
I imagine it's similar on e.g. Windows and others.
If you can't edit the tunnel in your client app, instead of scanning the QR code, use the option to obtain the config file instead. Before importing the config, edit it with e.g. Notepad and change the
DNS =
to point to whatever DNS you would like your device to use. Save the file and then import it to your client.
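
The config-file edit described in the reply above, as an added example that is not part of the original post: a Python helper that sets the DNS entry in the [Interface] section of an exported WireGuard client config before it is imported. The sample config, its keys, and all addresses are constructed placeholders, and the helper accepts IP addresses only.

```python
import ipaddress

# Constructed sample of an exported client config (placeholder keys and addresses).
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.6.0.2/32
DNS = 10.6.0.1

[Peer]
PublicKey = <router-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
"""

def set_dns(conf_text, resolvers):
    """Return conf_text with the [Interface] DNS entry set to the given resolver IPs."""
    for r in resolvers:
        ipaddress.ip_address(r)  # raises ValueError on a mistyped address
    new_line = "DNS = " + ", ".join(resolvers)
    out, section, header_idx, done = [], None, None, False
    for line in conf_text.splitlines():
        stripped = line.strip()
        key, sep, _ = stripped.partition("=")
        if stripped.startswith("["):
            section = stripped.strip("[]").lower()
            if section == "interface" and header_idx is None:
                header_idx = len(out)
        elif section == "interface" and sep and key.strip().lower() == "dns":
            # Replace the first DNS line in place, drop any further ones.
            if not done:
                out.append(new_line)
                done = True
            continue
        out.append(line)
    if header_idx is None:
        raise ValueError("no [Interface] section found")
    if not done:
        # Config was exported without a DNS entry: add one right after the header.
        out.insert(header_idx + 1, new_line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # 192.0.2.53 is a documentation-range placeholder for the resolver you choose.
    print(set_dns(SAMPLE_CONF, ["192.0.2.53"]))
```

Commented-out lines such as `#DNS = ...` and everything under [Peer] are left untouched, so only the resolver setting changes between the exported file and the imported one.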