NENetworkRule with destination host not working

I created an NEAppProxyProvider with the following rule:

let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
settings.includedNetworkRules = [
    NENetworkRule(destinationHost: NWHostEndpoint(hostname: "example.com", port: "443"), protocol: .TCP)
]

According to the documentation this should match all TCP port 443 traffic to hosts in the "example.com" domain.

But when I test this rule with a client app, I get a "No route to host" error and the handleNewFlow method is not called:

curl https://example.com -v
*   Trying 93.184.216.34:443...
* Immediate connect fail for 93.184.216.34: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server

If I use a network rule with a destination network then it works as expected:

settings.includedNetworkRules = [
    NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "93.184.216.34", port: "443"), prefix: 32, protocol: .TCP)
]

Any idea what might be wrong with my domain based rule?

I would expect that something like the following would work:

NENetworkRule(destinationHost: NWHostEndpoint(hostname: "example.com", port: "0"), protocol: .any)

As seen here in this table. Do you see any other logs or DNS queries failing during the time you attempt to use this network rule?
