@MarcoCarandenteDCL I wish the modes of operation were documented better. I think you're misunderstanding how the tunnel works.
If you operate in destination IP mode, then any packets with a destination IP covered by one of your tunnel's routes will appear to your packet tunnel provider, regardless of DNS settings. And that might be the default route (all packets which don't match a more specific route).
If you add DNS servers and set the matchDomains on the NEDNSSettings to include [""], which I guess means "match all", then your configured DNS servers will be tried first, and the system-configured DNS failing that. The presumption here would be that your tunnel services a network that includes the configured DNS servers' addresses.
It is not against TN3120 for DNS to go over the tunnel. The expectation is that you just encapsulate those packets in your protocol and send them to the remote network(s) on the other end of the tunnel(s). I believe the spirit of what TN3120 is saying is that you shan't run a DNS proxy server locally in the packet tunnel provider. Should you wish to proxy DNS, thou shalt implement a DNSProxyProvider (or a general [transparent] proxy provider on macOS) and perform any local proxying logic there.
What the network dev tools you mention do, running a proxy in the packet tunnel provider, is technically possible, yes. It requires a userspace network stack, though. And it's not a setup or usage of the API that Apple can officially support, based on engineer comments on these forums. You are in "here be dragons" land and you can pretty easily mess up the network connectivity on the device, cause a really poor UX, and find yourself in edge cases that haven't been designed for. But where there's a will there's quite often a way (:
If you're primarily targeting macOS, then check out the NETransparentProxyProvider. It is what mitmproxy (https://mitmproxy.org) uses to proxy all device traffic on macOS in, as far as I can tell, an Apple-supported/official way. Notably this is not supported on iOS and I have no idea if that is by design or not.
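
The configuration described in the reply above, as an added example that is not part of the original post and not Apple's sample code: a packet tunnel provider in destination IP mode whose DNS servers sit on the tunnelled network. The names `ExampleTunnelProvider` and `makeSettings`, and all addresses, are assumptions chosen for illustration.

```swift
import NetworkExtension

// Added illustration. All addresses are constructed sample values;
// ExampleTunnelProvider and makeSettings are hypothetical names.
func makeSettings(fullTunnel: Bool) -> NEPacketTunnelNetworkSettings {
    // Remote tunnel endpoint (constructed documentation address).
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "192.0.2.1")

    // Destination IP mode: any packet whose destination is covered by
    // includedRoutes is handed to the provider's packetFlow, regardless
    // of the DNS settings below.
    let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"],
                              subnetMasks: ["255.255.255.0"])
    ipv4.includedRoutes = fullTunnel
        // Default route: everything not matched by a more specific route.
        ? [NEIPv4Route.default()]
        // Split tunnel: only the remote network behind the tunnel.
        : [NEIPv4Route(destinationAddress: "10.8.0.0",
                       subnetMask: "255.255.255.0")]
    settings.ipv4Settings = ipv4

    // The DNS server lives on the tunnelled network, so queries to it match
    // the routes above and reach the provider as ordinary IP packets. The
    // provider encapsulates and forwards them; it does not answer locally.
    let dns = NEDNSSettings(servers: ["10.8.0.1"])
    // As described in the post: an empty string so that these servers are
    // tried first, ahead of the system-configured DNS.
    dns.matchDomains = [""]
    settings.dnsSettings = dns

    return settings
}

final class ExampleTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Apply the settings before reading from packetFlow; a non-nil
        // error means the system rejected them and the tunnel must not start.
        setTunnelNetworkSettings(makeSettings(fullTunnel: true)) { error in
            completionHandler(error)
        }
    }
}
```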