Both of my "Interfaces" settings in the resolver configuration are "All". My tunnel network is 10.56.235.0/24 and my resolver ACL has two networks in it, 192.168.10.0/24 and 10.56.235.0/24.
From the pfSense command line, I can successfully resolve:
> dig gateway @192.168.10.254
; <<>> DiG 9.10.4-P2 <<>> gateway @192.168.10.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52322
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gateway. IN A
;; ANSWER SECTION:
gateway. 1 IN A 192.168.10.254
;; Query time: 0 msec
;; SERVER: 192.168.10.254#53(192.168.10.254)
;; WHEN: Wed Aug 03 14:19:33 MST 2016
;; MSG SIZE rcvd: 52
Doing the same from over the VPN, however, times out:
> dig gateway @192.168.10.254
; <<>> DiG 9.9.2-P2 <<>> gateway @192.168.10.254
;; global options: +cmd
;; connection timed out; no servers could be reached
I can query a different DNS server over the VPN, however:
> dig gateway @192.168.10.241
; <<>> DiG 9.9.2-P2 <<>> gateway @192.168.10.241
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58311
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gateway. IN A
;; ANSWER SECTION:
gateway. 1 IN A 192.168.10.254
;; Query time: 56 msec
;; SERVER: 192.168.10.241#53(192.168.10.241)
;; WHEN: Wed Aug 03 13:36:41 2016
;; MSG SIZE rcvd: 52
I can see the states on the diagnostics/states page; the query that goes to .241 results in two states, one on the ovpns2 interface and one on the LAN. The query to .254 results only in the ovpns2 interface state.