
Reply to Private Relay with Encrypted DNS
Hi Matt, Can do - what exactly do you mean by focussed sample? Is there anything in particular you would like me to look at? I have tried the latest Beta (today) and it is still happening. Essentially the behaviour seems to be that the Private Relay is capturing the DNS request for the initial ingress proxy for its DNS request and sending that through to the NEDNSProxyProvider flow rather than the request itself, e.g. standard DNS flow with request/response for pretty much any domain ... e.g. in the case below, notpurple.com

-> WITH Private Relay enabled ...

DNS Request [33 bytes]:
00000000 fe ff 01 00 00 01 00 00 00 00 00 00 04 6d 61 73  .............mas
00000010 6b 06 69 63 6c 6f 75 64 03 63 6f 6d 00 00 01 00  k.icloud.com....
00000020 01                                               .

DNS response [183 bytes]:
00000000 3e f6 81 80 00 01 00 01 00 01 00 00 04 6d 61 73  >............mas
00000010 6b 06 69 63 6c 6f 75 64 03 63 6f 6d 00 00 41 00  k.icloud.com..A.
00000020 01 04 6d 61 73 6b 06 69 63 6c 6f 75 64 03 63 6f  ..mask.icloud.co
00000030 6d 00 00 05 00 01 00 00 00 1e 00 14 04 6d 61 73  m............mas
00000040 6b 09 61 70 70 6c 65 2d 64 6e 73 03 6e 65 74 00  k.apple-dns.net.
00000050 04 6d 61 73 6b 09 61 70 70 6c 65 2d 64 6e 73 03  .mask.apple-dns.
00000060 6e 65 74 00 00 06 00 01 00 00 00 9a 00 49 07 6e  net..........I.n
00000070 73 2d 31 34 36 32 09 61 77 73 64 6e 73 2d 35 34  s-1462.awsdns-54
00000080 03 6f 72 67 00 11 61 77 73 64 6e 73 2d 68 6f 73  .org..awsdns-hos
00000090 74 6d 61 73 74 65 72 06 61 6d 61 7a 6f 6e 03 63  tmaster.amazon.c
000000a0 6f 6d 00 00 00 00 01 00 00 1c 20 00 00 03 84 00  om........ .....
000000b0 12 75 00 00 01 51 80                             .u...Q.

-> WITHOUT Private Relay enabled ...

DNS Request [31 bytes]:
00000000 16 bb 01 00 00 01 00 00 00 00 00 00 09 6e 6f 74  .............not
00000010 70 75 72 70 6c 65 03 63 6f 6d 00 00 41 00 01     purple.com..A..

DNS response [60 bytes]:
00000000 16 bb 81 00 00 01 00 01 00 00 00 00 09 6e 6f 74  .............not
00000010 70 75 72 70 6c 65 03 63 6f 6d 00 00 41 00 01 09  purple.com..A...
00000020 6e 6f 74 70 75 72 70 6c 65 03 63 6f 6d 00 00 01  notpurple.com...
00000030 00 01 00 00 00 1e 00 04 23 f4 79 44              ........#.yD

I have covered all this in the original bug report but if there is something else you need please let me know, thanks.

Nick
Sep ’21
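An added example, not part of the original thread: a small Python decoder for the RFC 1035 wire format that reads the four captures quoted in the reply above and shows the query name and type the DNS proxy actually sees in each case (the relay ingress name mask.icloud.com versus the site name notpurple.com). The byte strings are transcribed from the hex dumps in the post; the decoder also handles name-compression pointers, which these particular captures do not use.

```python
"""Minimal RFC 1035 wire-format decoder for the DNS captures quoted in the reply above."""
import struct

RR_TYPES = {1: "A", 5: "CNAME", 6: "SOA", 65: "HTTPS"}  # only the types that occur in the dumps

def read_name(msg, off):
    """Decode a domain name starting at `off`; return (name, offset just after the name)."""
    labels, end = [], None
    while (length := msg[off]) != 0:
        if (length & 0xC0) == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = end or off + 2                          # resume after the first pointer seen
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end or off + 1

def parse_dns(msg):
    """Return transaction id, QR flag, question list and answer list of one DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, RR_TYPES.get(qtype, qtype)))
    for _ in range(ancount):                              # authority/additional sections are left undecoded
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                                    # A record: dotted-quad IPv4
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == 5:                                  # CNAME: a (possibly compressed) name
            rdata = read_name(msg, off)[0]
        off += rdlen
        answers.append((name, RR_TYPES.get(rtype, rtype), ttl, rdata))
    return {"id": txid, "response": bool(flags & 0x8000), "questions": questions, "answers": answers}

# Bytes transcribed from the hex dumps in the reply above (transaction ids kept as captured).
QUERY_WITH_RELAY = bytes.fromhex("feff01000001000000000000046d61736b0669636c6f756403636f6d0000010001")
QUERY_WITHOUT_RELAY = bytes.fromhex("16bb01000001000000000000096e6f74707572706c6503636f6d0000410001")
RESPONSE_WITHOUT_RELAY = bytes.fromhex(
    "16bb81000001000100000000096e6f74707572706c6503636f6d0000410001096e6f74707572706c6503636f6d00000100010000001e000423f47944")
RESPONSE_WITH_RELAY = bytes.fromhex(
    "3ef681800001000100010000046d61736b0669636c6f756403636f6d0000410001"
    "046d61736b0669636c6f756403636f6d00000500010000001e0014046d61736b096170706c652d646e73036e657400"
    "046d61736b096170706c652d646e73036e657400000600010000009a0049076e732d3134363209617773646e732d3534036f726700"
    "11617773646e732d686f73746d617374657206616d617a6f6e03636f6d000000000100001c20000003840012750000015180")
```

Running `parse_dns` over the two queries is the quickest way to confirm, in a NEDNSProxyProvider log, whether a flow carries the destination name or only the relay ingress name.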
Reply to Private Relay with Encrypted DNS
Hi Matt,

If you can confirm that you have iCloud Private Relay enabled and DNS traffic is passing through iCloud Private Relay, and then you enabled a NEDNSProxyProvider and no flows are handed off to your NEDNSProxyProvider, then we should get this down as a bug report. Please respond back with a Feedback ID.

What happens is, when the private relay is disabled, all works as expected (that is, the DNS requests are forwarded to the upstream provider) and DNS responses are received for these hostnames. When private relay is enabled, the flows never get passed on to the filter via handleNewFlow. Upon re-toggling (turning off private relay), the flows start coming through again. I am testing on iOS 15 Beta 5 (iPhone 11). To me this sounds like a bug - should I submit as per your initial recommendation? I just wanted to clarify the behaviour first.

Thanks
Nick
Aug ’21