Forcing all DNS traffic from the LAN to the firewall

Just to help come to a conclusion regarding the entries required, and to fix what I said earlier in the thread.
I wrote out the rules in full, but you can obviously shorten them with -t instead of --table, etc. The long form helps with reading them correctly and avoids making daft mistakes like I did. :shushing_face:
My /etc/sysconfig/firewall.local entries now look as follows.

# Force DNS for green & tun to query the firewall, and not an outside DNS server
# ACCEPT (i.e. do not redirect) DNS/DoT from the following machine
/sbin/iptables --table nat -A CUSTOMPREROUTING --source 192.168.114.6/32 --protocol tcp --destination-port 53 -j ACCEPT
/sbin/iptables --table nat -A CUSTOMPREROUTING --source 192.168.114.6/32 --protocol udp --destination-port 53 -j ACCEPT
/sbin/iptables --table nat -A CUSTOMPREROUTING --source 192.168.114.6/32 --protocol tcp --destination-port 853 -j ACCEPT
# All others: REDIRECT to the FW (DoT on tcp/853 only; it does not use udp)
/sbin/iptables --table nat -A CUSTOMPREROUTING --in-interface green0 --protocol tcp --destination-port 53 -j REDIRECT --to-ports 53
/sbin/iptables --table nat -A CUSTOMPREROUTING --in-interface green0 --protocol udp --destination-port 53 -j REDIRECT --to-ports 53
/sbin/iptables --table nat -A CUSTOMPREROUTING --in-interface green0 --protocol tcp --destination-port 853 -j REDIRECT --to-ports 853

And under the stop section you would have

## add your 'stop' rules here
/sbin/iptables -t nat -F CUSTOMPREROUTING

Obviously you can also remove each entry one per line, but as all of them are reloaded according to the entries made, I see no reason for it, and flushing the chain probably avoids missing one.

Now when I do a lookup from the machine I allow

# nslookup slashdot.org 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	slashdot.org
Address: 216.105.38.15

The result on tracking:

# conntrack -E -d 1.1.1.1 -p udp
    [NEW] udp      17 30 src=192.168.114.6 dst=1.1.1.1 sport=59234 dport=53 [UNREPLIED] src=1.1.1.1 dst=4*.***.***.**0 sport=53 dport=59234
 [UPDATE] udp      17 30 src=192.168.114.6 dst=1.1.1.1 sport=59234 dport=53 src=1.1.1.1 dst=4*.***.***.**0 sport=53 dport=59234
^Cconntrack v1.4.5 (conntrack-tools): 2 flow events have been shown.

From everyone else, the same attempt creates the following track:

# conntrack -E -d 1.1.1.1 -p udp
    [NEW] udp      17 30 src=192.168.114.1 dst=1.1.1.1 sport=55693 dport=53 [UNREPLIED] src=192.168.114.254 dst=192.168.114.1 sport=53 dport=55693
 [UPDATE] udp      17 30 src=192.168.114.1 dst=1.1.1.1 sport=55693 dport=53 src=192.168.114.254 dst=192.168.114.1 sport=53 dport=55693
    [NEW] udp      17 30 src=192.168.114.1 dst=1.1.1.1 sport=55694 dport=53 [UNREPLIED] src=192.168.114.254 dst=192.168.114.1 sport=53 dport=55694
 [UPDATE] udp      17 30 src=192.168.114.1 dst=1.1.1.1 sport=55694 dport=53 src=192.168.114.254 dst=192.168.114.1 sport=53 dport=55694
    [NEW] udp      17 30 src=192.168.114.1 dst=1.1.1.1 sport=55695 dport=53 [UNREPLIED] src=192.168.114.254 dst=192.168.114.1 sport=53 dport=55695
 [UPDATE] udp      17 30 src=192.168.114.1 dst=1.1.1.1 sport=55695 dport=53 src=192.168.114.254 dst=192.168.114.1 sport=53 dport=55695
^Cconntrack v1.4.5 (conntrack-tools): 6 flow events have been shown.

So we are now in the green, all is working as expected. With the exception of 192.168.114.6, every other machine on the LAN (and the VPN) has its DNS queries redirected (hijacked) and sent to the FW.
For those redirected machines, the DNS servers defined under Network > Domain Name System will apply.

Edit/Update: removed the udp/853 entry; DNS over TLS does not use udp but tcp. Watch the copy/paste gremlins sneak in that way.

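The post verifies the redirect by eyeballing conntrack output: for a redirected flow the reply tuple's src is the firewall's own address (192.168.114.254) rather than the resolver the client asked for (1.1.1.1). The script below, added here as an example and not part of the original post or of IPFire, turns that reading into an automated policy check over `conntrack -E` lines. It parses each event, collapses NEW/UPDATE pairs into one flow, and flags any host that reached an outside resolver directly without being on the exempt list (or an exempt host that got redirected). The sample events are constructed to mirror the ones in the post; 203.0.113.10 stands in for the masked WAN address, and the hosts .20 and .30 plus the 8.8.8.8/9.9.9.9 resolvers are hypothetical, with .30 deliberately representing a leak (for instance a VPN client on an interface the REDIRECT rules do not cover).

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Shape of one conntrack -E line (IPv4, udp/tcp):
#   [EVENT] proto num timeout [TCP_STATE] <orig tuple> [[UNREPLIED]] <reply tuple> ...
# The reply tuple is where NAT becomes visible: after REDIRECT the reply src
# is the firewall, not the resolver named in the original dst.
_TUPLE = r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
_EVENT_RE = re.compile(
    r"^\s*\[(?P<event>NEW|UPDATE|DESTROY)\]\s+(?P<proto>\w+)\s+\d+\s+\d+\s+"
    r"(?:[A-Z_]+\s+)?"                      # optional TCP state, e.g. SYN_SENT
    + _TUPLE.replace("(?P<", "(?P<o_")      # original tuple (client's view)
    + r"(?:\s+\[UNREPLIED\])?\s+"
    + _TUPLE.replace("(?P<", "(?P<r_")      # reply tuple (post-NAT view)
)

Tuple4 = Tuple[str, str, int, int]

# Constructed sample (not real capture); 203.0.113.10 = placeholder WAN address.
SAMPLE_CONNTRACK = """\
    [NEW] udp      17 30 src=192.168.114.6 dst=1.1.1.1 sport=59234 dport=53 [UNREPLIED] src=1.1.1.1 dst=203.0.113.10 sport=53 dport=59234
 [UPDATE] udp      17 30 src=192.168.114.6 dst=1.1.1.1 sport=59234 dport=53 src=1.1.1.1 dst=203.0.113.10 sport=53 dport=59234
    [NEW] udp      17 30 src=192.168.114.1 dst=1.1.1.1 sport=55693 dport=53 [UNREPLIED] src=192.168.114.254 dst=192.168.114.1 sport=53 dport=55693
 [UPDATE] udp      17 30 src=192.168.114.1 dst=1.1.1.1 sport=55693 dport=53 src=192.168.114.254 dst=192.168.114.1 sport=53 dport=55693
    [NEW] tcp      6 120 SYN_SENT src=192.168.114.20 dst=9.9.9.9 sport=41000 dport=853 [UNREPLIED] src=192.168.114.254 dst=192.168.114.20 sport=853 dport=41000
    [NEW] udp      17 30 src=192.168.114.30 dst=8.8.8.8 sport=50000 dport=53 [UNREPLIED] src=8.8.8.8 dst=203.0.113.10 sport=53 dport=50000
"""


def parse_event(line: str) -> Optional[dict]:
    """Return {'event','proto','orig','reply'} for one conntrack line, or None."""
    m = _EVENT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "event": d["event"],
        "proto": d["proto"],
        "orig": (d["o_src"], d["o_dst"], int(d["o_sport"]), int(d["o_dport"])),
        "reply": (d["r_src"], d["r_dst"], int(d["r_sport"]), int(d["r_dport"])),
    }


def verdict(ev: dict) -> str:
    """'passed' if the client really reached the resolver it asked for,
    otherwise 'redirected to <address that answered>'."""
    _, o_dst, _, _ = ev["orig"]
    r_src, _, _, _ = ev["reply"]
    if r_src == o_dst:
        return "passed"
    return "redirected to " + r_src


def check_dns_policy(text: str, exempt: Set[str]) -> List[Tuple[str, str, int, str, str, bool]]:
    """For every DNS (53) / DoT (853) flow: (src, dst, dport, proto, verdict, ok).
    ok is True when exempt hosts passed and everyone else was redirected."""
    flows: Dict[Tuple4, dict] = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev and ev["orig"][3] in (53, 853):
            flows[ev["orig"]] = ev  # NEW and UPDATE for the same tuple collapse into one flow
    report = []
    for orig, ev in sorted(flows.items()):
        src, dst, _, dport = orig
        v = verdict(ev)
        expect_direct = src in exempt
        ok = (v == "passed") == expect_direct
        report.append((src, dst, dport, ev["proto"], v, ok))
    return report


def violations(report) -> list:
    """Rows where the observed behaviour contradicts the intended policy."""
    return [row for row in report if not row[5]]


if __name__ == "__main__":
    rep = check_dns_policy(SAMPLE_CONNTRACK, exempt={"192.168.114.6"})
    for src, dst, dport, proto, v, ok in rep:
        print(f"{'OK ' if ok else 'BAD'} {src} -> {dst}:{dport}/{proto}: {v}")
```

In practice you would feed it `conntrack -E -p udp --dport 53` (and the tcp/853 equivalent) captured while a client runs `nslookup example.org 1.1.1.1`; any BAD row for a non-exempt host means a path, typically an interface such as the VPN's tun device, that the REDIRECT rules in CUSTOMPREROUTING are not catching.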