Replying to ChipTuner

If a user enables WireGuard, for example on an Android device, then specifies a DNS server IP address that is on the other side of the tunnel, the DNS traffic is routed over the tunnel, assuming the tunnel allows that traffic. As far as I understand it, on Android, as long as the layer 3 tunnel exists and has a route for the destination IP of the DNS server, it will get tunneled.

I've confirmed this with query logs; however, this does not mean it's making DNS requests for hidden things in the background outside the tunnel, but all user-generated DNS requests go through the tunnel.

GHOST 1w ago

While some platforms can tunnel user-generated DNS over VPN, this does not eliminate startup races, OS fallback behavior, or background resolution outside the tunnel. I am intentionally being stricter.
