Here's another option which is similar, but a slightly different approach. It's working well for me, but I would certainly be interested in feedback from others.

When setting up my system for DNS, I had two main goals:
  • Only use a DNS server I specify (lots of devices ignore the DNS servers you specified in the Interface Configuration)
  • Send all DNS requests through one of my Tunnel VPNs, even if the device doesn't use the VPN tunnel for traffic. I have some streaming devices that go through a VPN tunnel and some that don't, but I wanted all DNS lookups to go through a tunnel.

Using the DNS override did not work for me - the DNS requests didn't go through the VPN tunnel of choice.

Interestingly, even though I don't use my VPN provider's DNS servers, it doesn't detect a leak since all of the DNS traffic is going through the VPN tunnel before it hits the DNS server I specify.

Config-->Network-->Port Forward Rules

Rule 1:
Rule 2:
Apps-->Tunnel VPN-->Rules

ExpressVPN DNS Leak Test Result:
