I have finally determined the cause of the problem, and it is potentially a big one.
Asus supplied me with a beta upgrade to try and fix the problem. It didn't. So I did a factory reset and then slowly rebuilt my config by hand and, at each stage, checked when and where the problem arose. The result was startling and alarming, although it is likely to affect very few more advanced users.
Anyone using VPNs on Asus routers, check your configuration. If you specifically define the DNS IPs for use on incoming VPNs, the router sets up DNS listening on the incoming WAN using your router's WAN DNS config, not on the incoming VPN connections themselves. This opens a massive security flaw in your security, and, specifically, enhanced security that you have set up for yourself. Once this DNS port 53 listening on the incoming WAN is set up, there is no way of configuring it out short of a factory reset.
The only way of mitigating this without that reset on VM is to apply DNSSEC with validation on the VM DNS service. VM doesn't support DNSSEC. The router then doesn't serve any DNS requests, although it is still listening and responding with Server Fail. My LAN uses different DNS, but not all devices support that under DHCP setup. That is why I wanted DNS config for incoming VPN connections.
Asus have been advised but have yet to respond.