OK, so the MX is clearly using a source IP address for the lookup from a VLAN that isn't currently permitted in the VPN; it's NATing to its public IP and sending directly to the Internet (where it's blackholed).
Check that the destination IP address for the AD server lies within the VPN routing.
Assuming it already is, what I would do is allow all your VLANs access to the VPN temporarily, then re-run the packet capture on the VPN interface to check it's being sent via that path - you'll then also be able to see the source being used.
You can then remove the other VLANs from the VPN and, if you need to, write some VPN firewall rules to (just) allow your MX to query the AD server and no other comms with that VLAN.
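To make the two checks in the reply above mechanical, here is an added example (not from the original post or from Meraki) that models the situation: a table of local VLANs with a flag for whether each participates in the site-to-site VPN, the subnets advertised over the VPN, and a few constructed tcpdump-style capture lines. For each flow it reports whether the traffic would go over the VPN, be NATed out the WAN because the source VLAN is excluded from the VPN, or fail because the AD server's address is not in the VPN routing at all. The topology, addresses and capture lines are all assumptions chosen for illustration.

```python
import ipaddress

# Constructed topology (assumption, not from the post).
# VLAN name -> (subnet, participates_in_vpn)
VLANS = {
    "Management": (ipaddress.ip_network("10.0.10.0/24"), False),
    "Corp":       (ipaddress.ip_network("10.0.20.0/24"), True),
}

# Subnets reachable over the site-to-site VPN (the remote side's advertised routes).
VPN_ROUTES = [ipaddress.ip_network("10.100.0.0/16")]

# Verdicts returned by classify_flow()
VIA_VPN = "VIA_VPN"                     # source VLAN in VPN, destination in VPN routes
NAT_TO_WAN = "NAT_TO_WAN"               # source VLAN excluded from VPN -> NATed to WAN, blackholed
DST_NOT_IN_VPN = "DST_NOT_IN_VPN"       # AD server address missing from VPN routing
UNKNOWN_SRC = "UNKNOWN_SRC"             # source not in any local VLAN


def vlan_for(ip):
    """Return the local VLAN whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _) in VLANS.items():
        if addr in net:
            return name
    return None


def in_vpn_routes(ip):
    """Check 1 from the post: does the destination lie within the VPN routing?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_ROUTES)


def classify_flow(src, dst):
    """Predict the path the MX would take for a flow from src to dst."""
    if not in_vpn_routes(dst):
        return DST_NOT_IN_VPN
    vlan = vlan_for(src)
    if vlan is None:
        return UNKNOWN_SRC
    _, in_vpn = VLANS[vlan]
    # Check 2 from the post: a source VLAN not permitted in the VPN is NATed to the WAN.
    return VIA_VPN if in_vpn else NAT_TO_WAN


def _strip_port(endpoint):
    # tcpdump prints "10.0.10.1.54321"; the last dotted field is the port.
    return endpoint.rsplit(".", 1)[0]


def parse_capture_line(line):
    """Parse the 'src.port > dst.port' part of a tcpdump-style line."""
    src, dst = line.split(" > ")
    return _strip_port(src.strip()), _strip_port(dst.strip())


def analyse(lines):
    """Return (src, dst, verdict) for each capture line."""
    return [(s, d, classify_flow(s, d)) for s, d in map(parse_capture_line, lines)]


# Constructed capture lines (assumption): LDAP (389) lookups towards an AD server.
CAPTURE = [
    "10.0.10.1.54321 > 10.100.5.10.389",    # MX management VLAN -> AD over VPN subnet
    "10.0.20.15.40001 > 10.100.5.10.389",   # Corp VLAN -> same AD server
    "10.0.20.15.40002 > 192.0.2.7.389",     # Corp VLAN -> address outside VPN routes
]

if __name__ == "__main__":
    for src, dst, verdict in analyse(CAPTURE):
        print(f"{src:>12} -> {dst:<12} {verdict}")
```

The first constructed line reproduces the case in the reply: the destination is in the VPN routing, but the source VLAN is not, so the verdict is `NAT_TO_WAN`. Once that VLAN is added to the VPN (flip its flag to `True`) the same flow is classified `VIA_VPN`, which is what the re-run capture on the VPN interface should then show.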