So when running the NordVPN app on the Mac, I assume it is using NordVPN's DNS, and bypassing the Pi-Hole, hence local DNS settings on the Pi-Hole are not working.
Unfortunately, there is no way to bypass or change any VPN DNS settings in the NordVPN Mac app. I am not able to run NordVPN on the router and prefer not running the VPN on the Pi-hole. (The Mac needs to be the only client/computer on the network using the VPN on the network.)
Yes, using the IP works in browser, terminal, etc. (IE ping 192.168.1.4, etc.)
However, I need DNS local host names (IE nas.lan, pc.lan, etc.) to work locally as well. On the Mac, the .local extension works in some cases, but it is very flakey, hence I need to make custom hostname entries work locally as well.
I've tried using the built-in DNS entries in Pi-hole, editing /etc/dnsmasq.d/ entries, etc. All these methods work if I disable the VPN on the Mac, but not with the VPN enabled.
Some NordVPN apps may allow you to provide a custom DNS (though that's really a question for NordVPN's support).
But even if it would be possible to provide Pi-hole's private IP address, I would recommend against it in your scenario, as a) you would lose DNS resolution when not connected to your home network and b) you'd leak DNS requests outside the tunnel, as Pi-hole's DNS requests won't pass through your Mac's VPN tunnel.
If accessing your local devices strictly by IP is possible, use those.
If your Mac is stationary within your network, you may try and manually add local hostname definitions to your Mac's hosts file for devices with fixed IPs. I believe that file resides at /private/etc/hosts in MacOS, but you want to check more reliable sources on that.
I wouldn't use this approach with a device like a laptop that joins other external networks, as this may result in unexpected behaviour and potentially leak sensitive data to machines that happen to live at IPs supplied in your hosts file.
Move the VPN from the Mac (client) to the Pi-Hole itself, so the Pi-Hole (and all it's DNS clients) don't suffer from "DNS Leaks"?
and/or
Move the DHCP from the router to the Pi-Hole itself? Would that alone be a workaround to this local DNS resolution problem?
Neither of those two solutions are preferable. The VPN is on the Mac (client) because that's the only device on the network that should be using the VPN, and the VPN needs to be disabled/enabled on the fly.
I am not looking to move DHCP from the router to Pi-Hole, since it took a while to get various DHCP settings working right, and I'm skeptical the old Pi model I'm using can handle DHCP in addition to ad-blocking.
Putting in local host rules on the Mac is a good idea, but unfortunately it is the other devices on the network that need to use local hostnames (rather than IP).
Most of those questions are related to your usage of a VPN service rather than Pi-hole (click for short notes).
A VPN gateway would be preferred if you aim to encrypt your entire outbound traffic, though co-locating the gateway with Pi-hole wouldn't automatically prevent DNS leaks. If possible, I'd prefer the router to act as VPN gateway.
Changing any local DHCP settings won't affect the DNS servers that your VPN service provider is forcing on your client's VPN tunnel..
You may want to consider other VPN service specific sources as well.
I don't see an issue then:
Other devices in your network not using a VPN connection will be able to resolve local hostnames through Pi-hole as usual.