It is common to have IPsec tunnels site-to-site in a multi-location business.
Symptom
For example, if we have these two sites, Site A and Site B
Site A LAN segment containing AD is reachable from Site B LAN segment.
Site B Internet connectivity (DNS) is functional
Site A Internet connectivity (DNS) is functional
Site B Endpoints cannot resolve any AD DNS that is forwarded to Site A
Site B pfSense® gateway is unable to reach the AD Controller in Site A
Solution
Static Route Workaround
Follow the direction here to configure a static route for the firewall. This has to be done on both sides. https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html#static-route-workaround
VTI Tunnels
Ensure that the firewall on each end allows DNS traffic from the VTI subnet.
The muscle will use the default interface for the route to make the forwarding rule queries.