In case someone wanders by this thread and needs help, I think I've come up with a good solution that's simple and seems to solve the issue for all internal utilities/methods that generate DNS traffic (and probably all other types as well). My issue stems from the fact that I need it to go over IPSEC tunnels, which are policies, not routes, so it fixed the issue for me, but I'd suspect it's close to, if not dead on, what you need.
Please read what you can and comment in case there are some caveats I haven't explored or thought of yet.
viewtopic.php?f=2&t=177344
>> Quick Update: Since it's a big post with multiple issues encountered and solved, use the last code snippet in my original post, where I set a route to use the main bridge, which scoops up this internal traffic and puts it in the path of the IPSEC policy matchers, or at least sets it to go out the main NAT/route if not. The solution mentioned there by pe1chl is useful to fix the IPSEC issues, but this solves other problems for what I'll call "undefined" traffic, where a source address is not explicitly defined or selected.