It works inside sys-vpn because it uses the /etc/resolv.conf file for its DNS requests, but when the requests come from other qubes they use the internal qubes DNS IPs (10.139.1.1 10.139.1.2) and this is managed by nftables.
What you need to do is to update the dnat-dns chain inside the qubes table so that the DNS requests are redirected to the correct DNS IP.
Since it updates the /etc/resolv.conf file, you should be able to adapt this script: