Well, I figured it out (and feel like I'm talking to myself in this thread...). The only issue was the the DNSMasq daemon wasn't set to listen on the L2TP tunnel, as I mentioned above. I looked around and found an old thread where UBNT-ancheng told the person how to make it listen by adding the router's IP as a listen address in the options:
set service dns forwarding option listen-address=192.168.4.1
Works fine now.