pfSense DNS leaks on Surfshark VPN

I’m facing some weird issues with DNS configuration on pfSense. My goal is to configure each subnet to use a different VPN connection and DNS, but I’m getting only DNS leaks on Surfshark VPN.

There are 3 OpenVPN Clients:

(1) NordVPN_CH. Used for pfSense as default DNS. System/General Setup looks like this:

DNS Server: 103.86.99.100, Gateway: (1)
DNS Server: 103.86.96.100, Gateway: none
DNS Server Override: unchecked
DNS Resolution Behavior: Use local DNS (127.0.0.1), ignore remote DNS Servers

(2) NordVPN_CH_NL (routed over double VPN). Used for subnet A. DHCP Server settings look like this:

DNS Server: 103.86.99.100

(3) Surfshark_UK. Used for subnet B. DHCP Server settings look like this:

DNS Server: 1.1.1.1

DNS Resolver is ON:

Network Interfaces: All
Outgoing Network Interfaces: NordVPN_CH
DNS Query Forwarding: checked
DHCP Registration: checked
Static DHCP: checked

The rest is unchecked.

DNS Forwarder is OFF.

Firewall rules are configured in the same way for each connection:

Interface: (1), (2) or (3)
Address Family: IPv4
Protocol: any
Source: (1), (2) or (3)
Destination: any
Tag: VPN_ONLY
Gateway: (1), (2) or (3)

The tag is used for a floating rule, to prevent traffic going through WAN if the VPN connection goes down. The rule looks like this:

Action: Block
Interface: WAN
Direction: any
Address Family: IPv4
Protocol: any
Source: any
Destination: any
Tagged: VPN_ONLY

NATing (Firewall/NAT/Outbound) is configured in the same way for each connection.

Problem:
(1) and (2) work without issues, but (3) is leaking DNS (country of my origin connection).

I already tried:

  1. Using 1.1.1.1 DNS on (2) - works fine, Cloudflare DNS Servers are in same country (NL).
  2. Using 103.86.99.100 DNS on (3) - still leaking.
  3. Changing FW Rules for subnet B to connect through NordVPN_CH_NL - works fine.
  4. Copying all rules from subnet A to subnet B (changing only Interface, Source and Gateway) - still leaking.

Removing DNS from DHCP setting in subnet B allows me to use default DNS Server (same as (1)), but that doesn’t solve the problem for me.

The only difference in OpenVPN Client configuration between NordVPN and Surfshark is:
Server Certificate Key Usage Validation: checked (in Surfshark)

Are there some extra options for Surfshark VPN that I missed?

I use dnscrypt-proxy with DoH on my OPNsense router. It’s basically a VPN for your DNS. If anything escapes from VPN on PC, the router will get it. It’s not anonymous, though. But, neither is a VPN.