VPN
VITYA-XY1, 2021-01-17 11:45:59

How to force a rewrite of the main DNS on all VPN clients to access the internal AWS network?

Hello,

The question is extremely simple, trivial and practical, but for some reason the answer does not lie on the surface, so:

1) There is a private AWS network with the mysecretdns.com domain:
Private Route 53
Private VPC

2) There is a client that needs to get a CNAME record via dig mysecretdns.com.
Like this:
dig NS mysecretdns.com

3) There are 2 VPN servers, each with a public address and dnsmasq installed on it for forwarding, to which the client connects:
On one OpenVPN
On the other WireGuard

4) The client's configs clearly state:
OpenVPN: dhcp-option DNS 192.250.0.1
WireGuard: DNS=192.250.0.1

5) Forwarding works, all ips are resolved in one or the other case, but there is one "but":

The main DNS is not rewritten on the client, therefore, if you try to access private AWS DNS records with curl or firefox, a dumb client accesses the router, which is in the local network, and receives an error that such a DNS record does not exist.

How to teach it without having direct access to the client?
At home, I can simply rewrite resolv.conf and everything will work. But if I give out the OpenVPN config, WireGuard config, whatever, for a client that has iOS / Ubuntu / macOS and needs to open an internal DNS record, then I don’t have direct access to this client. Well, this is a trivial task, so why is there not a single working example where access to the internal network and DNS is configured?
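The symptom described in the question (the pushed resolver never becomes the client's primary DNS) can be checked on a Linux client with the following POSIX shell script. It is an added example, not part of the original post: it inspects a resolv.conf-style file and reports whether 192.250.0.1 is the first nameserver and mysecretdns.com is listed as a search domain, using the values from the question; the sample resolv.conf contents and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: verify on a Linux VPN client whether the DNS server pushed by
# OpenVPN (dhcp-option DNS) or WireGuard (DNS=) actually became the primary
# system resolver. Resolver 192.250.0.1 and zone mysecretdns.com come from the
# question; everything else here is constructed for the demonstration.

# first_nameserver FILE: print the first 'nameserver' entry of a resolv.conf-style file
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# has_search_domain FILE DOMAIN: succeed if DOMAIN appears on a 'search' or 'domain' line
has_search_domain() {
    awk -v d="$2" '($1 == "search" || $1 == "domain") {
                       for (i = 2; i <= NF; i++) if ($i == d) found = 1
                   }
                   END { exit !found }' "$1"
}

# vpn_dns_applied FILE SERVER DOMAIN: succeed only if SERVER is the first resolver
# AND DOMAIN is a search domain, i.e. the push from the VPN config took effect.
# Being listed as a second nameserver is not enough: the router still answers first
# and returns NXDOMAIN for the private zone, which is the failure mode in the question.
vpn_dns_applied() {
    [ "$(first_nameserver "$1")" = "$2" ] && has_search_domain "$1" "$3"
}

# Constructed sample files: resolv.conf before the VPN rewrites it (home router
# still first) and after a correct push (VPN resolver first, private zone searched).
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
printf 'search lan\nnameserver 192.168.1.1\nnameserver 192.250.0.1\n' > "$BEFORE"
printf 'search mysecretdns.com\nnameserver 192.250.0.1\n' > "$AFTER"

if vpn_dns_applied "$AFTER" 192.250.0.1 mysecretdns.com; then
    echo "after:  VPN resolver is primary, private zone will resolve"
fi
if ! vpn_dns_applied "$BEFORE" 192.250.0.1 mysecretdns.com; then
    echo "before: router (192.168.1.1) still answers first, private zone fails"
fi
```

On clients running systemd-resolved, /etc/resolv.conf is a stub pointing at 127.0.0.53, so the per-link DNS shown by `resolvectl status` is what has to be inspected instead. To check the real client, pass /etc/resolv.conf as the file argument.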
