Netgate Discussion Forum
    DNS Forwarder Domain Override not working

    Category: DHCP and DNS

    roncbk wrote:

      Using pfSense 2.4.5-RELEASE (amd64) built on Tue Mar 24 15:25:53 EDT 2020 FreeBSD 11.3-STABLE. pfSense is configured via the DNS Forwarder in a Split DNS configuration, where hostnames that have a public IP resolve to the private IP when inside the firewall. I also have an IPsec tunnel between the office and Azure.

      I want the VMs in Azure to resolve on-prem hosts to their on-prem private IPs, and on-prem hosts to resolve the Azure internal domain name to Azure private IPs. I set up a DNS server on a VM (Windows Server 2016) in Azure which has as forwarders my office pfSense DNS 192.168.111.254 and Microsoft's DNS 168.63.129.16. The VM's private IP is 10.10.1.5. From the VM, I can ping on-prem hosts and get the private IPs. It also works pinging hosts in Azure with the internal domain name. And it can ping external hosts correctly as well.

      The problem is on prem. I set up a Domain Override in the DNS Forwarder with the following settings:

      Domain: bpodgtu83bgee5acih3e7h1vwhh.dx.internal.cloudapp.net
      IP Address: 10.10.1.5

      I have tried both with and without a Source IP, which I set to the public IP address of my side of the IPsec gateway. No joy! Pinging any host in that domain invariably returns "could not find host". No firewall rules are blocking; the IPsec tunnel is set up to allow all traffic in both directions. Indeed, if I use nslookup with the server set to 10.10.1.5, it resolves Azure hosts with the private domain name correctly. I have tried a packet capture of UDP 53 on the IPsec tunnel and see no activity, though I do see the other side querying pfSense when I ping from the VM. Not sure where to go from here.

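A DNS Forwarder Domain Override is, underneath, a dnsmasq `server=/<domain>/<address>` rule: dnsmasq forwards a query to that address only when the query name is the override domain itself or ends with `.<domain>` on a label boundary, the longest matching domain wins over broader ones, and an optional `@<source>` suffix sets the address the query is sent from (the "Source IP" field). The following model of that selection logic is an added example, not code from the post, from pfSense or from dnsmasq. The catch-all upstream `203.0.113.53`, the nested override `internal.cloudapp.net -> 10.10.1.6` and the source address `198.51.100.1` are constructed for illustration; only the override domain and `10.10.1.5` come from the post.

```python
"""Model of how dnsmasq picks the upstream server for a query from
server=/domain/address rules, i.e. what a pfSense Domain Override configures.
Added example with constructed data; not pfSense's or dnsmasq's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class ServerRule:
    domain: Optional[str]    # None = catch-all upstream ("server=<addr>")
    address: Optional[str]   # None = never forward this domain ("server=/<domain>/")
    source: Optional[str]    # optional "@<source>" the query is sent from

# server=[/<domain>/]<address>[@<source>]
_RULE_RE = re.compile(r"^server=(?:/(?P<domain>[^/]*)/)?(?P<rest>.*)$")

def parse_server_line(line: str) -> ServerRule:
    """Parse one dnsmasq server= directive into a ServerRule."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a server= directive: {line!r}")
    domain = m.group("domain")
    if domain is not None:
        domain = domain.strip(".").lower()
        if not domain:
            raise ValueError("the server=// (unqualified names) form is not modelled here")
    address, _, source = m.group("rest").partition("@")
    return ServerRule(domain=domain, address=address or None, source=source or None)

def override_line(domain: str, ip: str, source_ip: Optional[str] = None) -> str:
    """The dnsmasq directive equivalent to a Domain Override entry (domain, IP, optional Source IP)."""
    line = f"server=/{domain.strip('.').lower()}/{ip}"
    return line + (f"@{source_ip}" if source_ip else "")

def _suffix_matches(name: str, domain: str) -> bool:
    # Match only on a label boundary: "xinternal.cloudapp.net" must not match "internal.cloudapp.net".
    return name == domain or name.endswith("." + domain)

def choose_upstream(qname: str, rules: List[ServerRule]) -> Optional[ServerRule]:
    """Longest matching domain rule wins; otherwise the catch-all server.
    dnsmasq can spread load over several catch-all servers; this model just
    returns the first one. Returns None when no rule applies."""
    name = qname.rstrip(".").lower()
    best: Optional[ServerRule] = None
    for rule in rules:
        if rule.domain is None or not _suffix_matches(name, rule.domain):
            continue
        if best is None or len(rule.domain) > len(best.domain):
            best = rule
    if best is not None:
        return best
    return next((r for r in rules if r.domain is None), None)

def resolve_path(qname: str, config_lines: List[str]) -> Optional[str]:
    """Return the upstream address dnsmasq would forward qname to under config_lines."""
    rule = choose_upstream(qname, [parse_server_line(l) for l in config_lines])
    return None if rule is None else rule.address

# Constructed configuration: the post's override plus two made-up rules.
CONSTRUCTED_DNSMASQ_RULES = [
    "server=203.0.113.53",                                   # constructed catch-all upstream
    override_line("bpodgtu83bgee5acih3e7h1vwhh.dx.internal.cloudapp.net", "10.10.1.5"),  # from the post
    "server=/internal.cloudapp.net/10.10.1.6",               # constructed broader override
]

if __name__ == "__main__":
    for q in ("vm1.bpodgtu83bgee5acih3e7h1vwhh.dx.internal.cloudapp.net",
              "db.internal.cloudapp.net",
              "xinternal.cloudapp.net",
              "vm1.cloudapp.net"):
        print(f"{q} -> {resolve_path(q, CONSTRUCTED_DNSMASQ_RULES)}")
```

The practical check this suggests: query the forwarder directly for a name inside the override domain (`dig @192.168.111.254 <host>.<override domain>`) while capturing UDP/53 on the tunnel interface, and compare with the same query sent to 10.10.1.5. If the forwarder answers NXDOMAIN without anything leaving on the tunnel, the query is not matching the override (wrong suffix, or a more specific rule is winning); if it leaves with a source address the other side does not route back over the tunnel, the Source IP field is the knob to look at. Keep in mind that an override hands every name under that suffix to the remote resolver, so that resolver has full control of answers for that zone.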
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.