So I've configured a site-to-site VPN between our Azure instance and our local LAN, via our Sophos (Astaro AG) UTM-9 gateway. The VPN tunnel seems to be working fine, and I have a default allow rule on our VPNs currently for testing. This is the first evaluated rule, so all traffic is passed, unaltered by the firewall.
We have configured the Azure machines to use our local (on-premises) DNS server, which is configured correctly with root hints, so it can resolve the internet in general.
However, our DNS server does not know about our Azure VMs. Attempting to resolve the names of our Azure VMs fails, whether bare (ping vmname) or with the local suffix (ping vmname.localdomain.local).
Any ideas on what to look into? The VM logs aren't very informative, and nslookup on the VMs show it querying our DNS server successfully, they can resolve local names and internet names, but not Azure device names.