Have set up a gateway with an intercepting SOCKS 5 proxy that sends everything through Tor, including DNS. The following site says:

"This test attempts to resolve 100 randomly generated domain names asynchronously".

https://browserleaks.com/dns

Given this test for DNS leaks runs in the browser, how does it discover which DNS servers the 100 queries go to? Whatever is set as the DNS server in the network manager is irrelevant when all DNS traffic is intercepted. If you just type:

dig google.com

it does not tell you the DNS server really being used. How can the site's script tell?

They have their own dns server which tcpdump | grep's for your unique hostnames under it, and sees where it comes from. in most cases it'll be coming from google but it also may come from your ISP dnses if you use those.
If you use socks5 with hostnames resolved on the proxy side then it'll return whatever proxy uses as dns.

Could you explain how their DNS server can be involved when it is a browser script that does everything? One would expect the browser only uses the DNS server you specify in the network manager unless intercepted.

Tried that too by simply running the browser in the gateway and explicitly making it go through socks5 proxy, and it does return whatever DNS server the Tor exit node uses, but how does the site know, or how does the script know?

Because the website has their own domain, right? And no, not all domains are served by cloudflare in this world yet, you can actually do it yourself and simply log all requests to your DNS server to include source IPs of recursive resolvers that the socks server in question has in it's /etc/resolv.conf.