by syntheticcorp 887 days ago
Control over a client's DNS doesn’t let the VPN provider view the contents of TLS encrypted traffic. However they can view unencrypted data from connections like SNI headers, DNS queries, etc.

The point here is that if you use someone else’s DNS, they can redirect any domain to their server and sign the cert too since they also control the traffic.
You can’t serve a valid certificate chain to the client even if you control their traffic, because your malicious certificate isn’t signed by a trusted CA. And you can’t get a CA signature without demonstrating control of the domain to a CA.
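The check the last comment relies on, as an added example that is not part of the thread: a Go program plays the TLS client, trusts exactly one constructed CA, and verifies two certificates for example.com, one issued by that CA and one self-signed by a party that controls DNS and traffic but has no CA signature. All names and keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a cert template: a signing CA when isCA, else a server leaf whose SAN is name.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
	}
	return t
}
// issue signs tmpl with signer's key; pass tmpl itself as parent to get a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
// Scenario plays the client: root store trusts one constructed CA; returns the Verify error for
// a CA-issued cert and for a self-signed cert (both claiming example.com). nil means accepted.
func Scenario() (legitErr, rogueErr error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := template("Constructed Trusted CA", 1, true)
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, DNSName: "example.com"} // chain + hostname check
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	legit := issue(template("example.com", 2, false), ca, &siteKey.PublicKey, caKey)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueTmpl := template("example.com", 3, false)
	rogue := issue(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey) // no CA signature
	_, legitErr = legit.Verify(opts) // nil: chains to the trusted CA and the SAN matches
	_, rogueErr = rogue.Verify(opts) // x509.UnknownAuthorityError: no trusted signer
	return
}
```

Redirecting the name resolves the client to the rogue server, but the client's trust store, not the attacker's DNS answer, decides which certificate chains are accepted.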