You specify nameservers for the wireguard link, but you do not allow them in AllowedIPs.
If you watch the output of wg-quick, you will see that resolvconf is called with argument “-x”, which means that DNS gets preferred via the wg0 link. Which is not possible.
So ping 8.8.8.8 works, dig @8.8.8.8 works, but resolvectl query domainname and all normal DNS queries do not work because systemd-resolved binds to wg0 to access 8.8.8.8. So if you want to access the nameservers via wireguard, add them to AllowedIPs or remove the DNS statement and specify the nameservers in /etc/systemd/resolved.conf.
One question for education purposes @hmmsjan, why did it work previously though?
Did something change in the OS or it’s a bug that’s only just been fixed in the last update?
I do not know the exact version history, could be NetworkManager, systemd-resolved or wireguard. Key is “DNS Domain = ~.” in resolvectl, specifying a link for global DNS lookup. According to https://blogs.gnome.org/mcatanzaro/2020/12/17/understanding-systemd-resolved-split-dns-and-vpn-configuration/
there has been a change in NetworkManager preventing DNS leaks, so specifying not accessible nameservers for a VPN causes DNS to fail instead of falling back to the normal DNS servers. This should have been happening before.