We are observing a strange case when our VPN client activates on macOS. It configures utun interface through DynamicStore API with fixed non-routable local IP 100.64.0.1. Problem is that this IP is getting registered with DNS server for this host name together with another, real local IP. So DNS query returns two addresses - one is good and another one is bad. This obviously creates a lot of problems. We did traffic capturing with tcpdump and it shows that nsupdate tool is indeed registering both IPs. This seems to be part of OpenDIrectory/Active Directory integration. Is there way to prevent this from happening? VPNs with local only non-routable IPs are very common and I don't understand logic why such IP would be picked for Dynamic DNS update.