ALB seems to not use a Private Hosted Zone for DNS - authenticate users using an Application Load Balancer

Overall Goal and issue:

• We want to authenticate users using an Application Load Balancer, following AWS documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
• Issue: The ALB seems to not use a Private Hosted Zone for DNS

Context:

• We have a multi-account strategy
• Important for the case is: there is a central Network Account, and a de-central Application Account
• In the central Network Account, we do have a Private Hosted zone to implement a split DNS for our PingFederate setup (you get Public IPs from Public Internet, and you get internal IPs via PHZ from AWS Landing Zone)
• The PHZ is shared with our de-central Application account

Detailed issue:

• We have EC2 and ALB in the same Application account, same VPC, same subnet
• EC2 and ALB resolve DNS requests differently:
• EC2 uses the centrally created and shared Private Hosted Zone
• ALB does *not * use the Private Hosted Zone

Error from logs: upstream timed out (110: Connection timed out) while connecting to upstream, client: 192.168.x.x, server: internal-alb-name-1111111111.eu-central-1.elb.amazonaws.com, request: "GET /oauth2/idpresponse?code=e8J8mvf2PBR2Q...%2BEyo1aL HTTP/2.0", subrequest: "/internal/oauth2/token", upstream: "https://18.111.222.33:443/as/token.oauth2 -> we would expect an internal IP / the DNS from PHZ here.

Main question:

• Why doesn't the ALB (with settings for OIDC authentication) use the centrally created and shared Private Hosted Zone? Why does it use the Public DNS? What are we missing? Happy for any guidance.