Domain trust setup fails instantly
We have 4 Active Directory Domain Controllers running on 2019 with 2016 functional level. Our sister company has 40+ Domain Controllers. Each company has a single forest, single domain. We have a site-to-site VPN between primary data centers. The sister company can route to all of our DCs, but we can only route to 4 of their DCs across that VPN due to IP conflicts and not wanting to do NAT for subnets we don't need access to. The firewall rules across this VPN are "allow all" in both directions for testing - we would lock them down as needed after things are running as expected.
DNS has been set up as a secondary zone and is working as expected.
When we do the New Trust Wizard it fails instantly saying "Cannot Continue The New Trust Wizard cannot continue because the specified domain cannot be contacted." There is no delay like a time out. I tried using a fake domain instead of the sister company's real domain and get the exact same result.
I have run Wireshark during the process and I don't see any packets trying to leave our domain controller to any IP address on their side. I have turned off the Windows Firewall during testing with the same result. As such I don't think the wizard is actually trying to reach out - I'd expect a time-out delay and unidirectional packets if it were.
NSLOOKUP and then domain.com shows their domain controllers as expected.
\\domain.com prompts for user/pass as expected.
Trying to create the trust from our sister company to us has the exact same experience, including the same Wireshark results.
We deleted the DNS zone, re-added it as a primary zone with only the Domain Controllers we can actually route to in the list and have the same result. We also created sites based on IP so that source IPs would be forced to those same routable DCs, but again same results.
I'm at a loss as to what my next troubleshooting steps would be.
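As an added troubleshooting example (not part of the original post), the script below checks the prerequisites the New Trust Wizard relies on from the local DC's point of view: the _msdcs SRV records that the DC locator uses (a secondary copy of the partner's zone may not include them if _msdcs is a separately delegated zone on their side), a direct DC locator query with nltest, and the TCP ports a trust needs toward the partner DCs that are actually routable over the VPN. The partner domain name and DC addresses are placeholders to be replaced with real values.

```powershell
# Added example, not from the original post.
# Assumptions: $PartnerDomain and $RoutableDcs are placeholders for the
# sister company's domain and the partner DCs reachable across the VPN.
$PartnerDomain = 'sister.example.com'            # placeholder
$RoutableDcs   = @('10.10.0.11', '10.10.0.12')   # placeholder

# 1. The wizard locates a DC through SRV records under _msdcs, not just A records.
#    If these are missing from the zone copy, the locator fails without sending traffic.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$PartnerDomain",
    "_kerberos._tcp.dc._msdcs.$PartnerDomain",
    "_ldap._tcp.pdc._msdcs.$PartnerDomain"
)
foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $records) {
            "{0,-50} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port
        }
    } catch {
        "MISSING  $name  ($($_.Exception.Message))"
    }
}

# 2. Ask the DC locator directly; an instant error here matches the wizard's behaviour.
nltest /dsgetdc:$PartnerDomain /force

# 3. Confirm the ports a trust uses are open toward the DCs we can route to.
#    DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, Global Catalog.
$ports = 53, 88, 135, 389, 445, 464, 636, 3268
foreach ($dc in $RoutableDcs) {
    foreach ($p in $ports) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0,-15} tcp/{1,-5} {2}" -f $dc, $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

Run it from an elevated PowerShell prompt on the DC where the wizard is being run; the SRV section is the one most likely to explain a failure with no outbound packets, since the locator gives up before any connection attempt when it cannot resolve a DC record.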