I'm trying to allow VPN users to use Private Route53 DNS entries. E.g. a private hosted zone example.corp issuing DNS records on the local network.

At the moment I can't even find the right set of configurations to allow connected clients to use Amazon's DNS at all.

Current (simplified) setup

The client VPN endpoint is allocated CIDR range `172.20.0.0/22`. It has one configured target network association which has CIDR `172.20.254.0/24`.

The target network is empty, meaning no EC2 instances live there etc. However it does itself have onward routing rules to allow traffic to other networks. Access to those onward routes is controlled through "Authorization Rules". The route table has just one entry stating `172.20.0.0/16` (the whole VPC) is forwarded to the target network association.

The security group associated with the VPN is very permissive, allowing anything on `172.20.0.0/16`.

This configuration has worked without DNS for over a year. The only changes I'm now making are to enable DNS.

Changes - Attempting to enable DNS

This page tells me that the DNS should be available on the network range +2. I've tried setting the VPN DNS server to `172.20.0.2` and `172.20.254.0` (not at the same time). But neither responds to DNS requests or ICMP ping.

In an attempt to get this working I have tried:
- Ensured that "DNS resolution" and "DNS hostnames" were both set on the VPC
- Adding Authorization Rules for both `172.20.254.0/24` and `172.20.0.2/22`
- Adding a route table entry for `172.20.0.0/22` to `local`

How am I supposed to set up the Client VPN Endpoint to use AWS DNS?
The VPN's own CIDR block is not supposed to be part of your VPC's CIDR block and exists outside the VPC.

As above, my associated subnet was on `172.20.254.0/24`, part of VPC CIDR `172.20.0.0/16`. Having the VPN's CIDR block be `172.20.0.0/22` was problematic because it overlapped the all-important `172.20.0.2`, which is the DNS IP on the VPC. One real point of confusion here is that the DNS IP does not need to be in any subnet at all.

Solution

- `172.16.0.0/22` so that it no longer overlapped the VPC's CIDR `172.20.0.0/16`.
- `172.20.0.2`: i.e. `172.20.0.2/32`.
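A preflight check for the two mistakes this thread turns on (a Client VPN client CIDR that overlaps the VPC, and a DNS server that is not the VPC resolver at base + 2), added here as an example and not code from the original post; the function names are assumed and the addresses are the ones from the question and answer:

```python
import ipaddress


def vpc_resolver(vpc_cidr: str) -> ipaddress.IPv4Address:
    """The VPC DNS resolver sits at the VPC's base network address plus two."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return net.network_address + 2


def check_client_vpn_dns(vpc_cidr: str, client_cidr: str, dns_server: str) -> dict:
    """Check a Client VPN endpoint's DNS setup before applying it.

    Flags a client CIDR that overlaps the VPC (it must lie outside it) and a
    DNS server that is not the VPC resolver. Also returns the /32 authorization
    rule the resolver needs, since it is not inside any associated subnet.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    clients = ipaddress.ip_network(client_cidr, strict=True)
    resolver = vpc_resolver(vpc_cidr)
    problems = []
    if vpc.overlaps(clients):
        problems.append(f"client CIDR {clients} overlaps VPC {vpc}")
    if ipaddress.ip_address(dns_server) != resolver:
        problems.append(f"DNS server {dns_server} is not the VPC resolver {resolver}")
    return {
        "resolver": str(resolver),
        "authorization_rule_cidr": f"{resolver}/32",
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    # Values from the question: overlapping client CIDR, subnet address tried as DNS server
    print(check_client_vpn_dns("172.20.0.0/16", "172.20.0.0/22", "172.20.254.0"))
    # Values from the answer: client CIDR moved outside the VPC, resolver at VPC base + 2
    print(check_client_vpn_dns("172.20.0.0/16", "172.16.0.0/22", "172.20.0.2"))
```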