I have configured IPSec VPN tunnels between our main office and 5 branch offices on MikroTik CCR1009-7G-1C-1S+ devices. In main site we have Windows Server Active Directory domain controller which is also configured as DNS server for branch offices. All branches should use DNS from main office as primary server. Communication from/to main office and branch office is established, ICMP ping is working on both sides, we can open SMB shares located in main site, move files from branch to main office and back. The only problem are DNS requests. All requests from branch office (any branch office) are timed out, clients in branch offices are not seeing DNS server from main office at all. What can be the problem?