DoH for all domains except some specific ones

I have a VPN configuration that starts a PacketTunnelProvider extension. In there I set the DoH server url and start / stop everything pretty straight forward.

I want to exclude certain domains, such as e.g. "google.com" or "apple-dns.net" to lower my traffic on the DoH server.

I tried a couple of variations of onDemand rules yet they all don't work for me. Is there a way how I can only route DNS requests towards my DoH server for all domains except custom defined domains?

Examples I've tried thus far

I spare the boilerplate code for creating the NETunnelProviderManager before and setting the rules + isOnDemandEnabled flag for the following examples except the first one:

1

// create the NETunnelProviderManager
let evaluationRule = NEOnDemandRuleEvaluateConnection()

let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: neverConnect)

evaluationRule.connectionRules = [ignoreDomainRule]
manager.onDemandRules = evaluationRule
manager.isOnDemandEnabled = true

2

let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: neverConnect)

[ignoreDomainRule, NEOnDemandRuleConnect()]

3

let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: connectIfNeeded)
ignoreDomainRule.useDNSServers = ["8.8.8.8"]

[ignoreDomainRule, NEOnDemandRuleConnect()]
// or [ignoreDomainRule]

4

let disconnectRule = NEOnDemandRuleDisconnect()
disconnectRule.dnsSearchDomainMatch = ["apple.com"]

[disconnectRule, NEOnDemandRuleConnect()]

5

let evaluationRule = NEOnDemandRuleEvaluateConnection()

let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: neverConnect)

let connectRule = NEEvaluateConnectionRule(matchDomains: [""], andAction: connectIfNeeded)

evaluationRule.connectionRules = [connectRule]