generally speaking, you'd spare hair follicles and/or restful sleep by moving resolution elsewhere on your lan. there are countless ways to skin that cat, clearly, but i've had near zero problems with pi-hole running a local instance of unbound.
this blog attempts to clarify how the different components of / config options for, dns resolution on opnsense, interoperate. have a look if you haven't already but fwiw i surmised that dns subsystems on opnsense are convoluted at best and bordering on broken either way.
that said, you can (probably) hack something together that'll function...- have you defined a gateway for the vpn?
i couldn't understand from your post of "without setting a static ip" was intended behavior or merely the outcome of whichever tutorial you followed.
- option 1: set a static route (system > routes > configuration) for the ip addresses corresponding to your dns forwarder (e.g. 9.9.9.9), specifying the vpn gateway.
-option 2: revise gateway priorities to, in essence, force opnsense to choose your vpn gateway(s) as default (e.g. VPN_GW priority 100, WAN_GW priority 255). i'd advise this regardless if you're mitigating most wan traffic being sent in the clear.
be sure you've configured static routes for your vpn endpoints such that their traffic is sent via wan.
Firewall, further to your suggestion, I outsourced the DNS resolutions to a pi-hole (running unbound), which I installed on a 12-year old Raspberry pi 1
However, it is my understanding that the trick that solved the issue for me, was re configuring the WG connections from scratch (on second thought, I suspect that the issue was a conflict between the unbound running on OPNsense and the vpn provider's DNS).
I can't believe I spent so much time looking for a solution in all the wrong places..
Now I should test it with unbound running on OPNsense.
so...did it not work?
...which led you to try this instead?
you didn't