Thanks for the response. By 'upstream' I mean the public DNS resolver we
forward queries to (e.g. Cloudflare 1.1.1.1).
I'm aware of NEDNSProxyProvider, but per Apple's own documentation it
requires supervised devices (iOS 11–15) or managed devices (iOS 16+), making
it unavailable for consumer App Store distribution. NEPacketTunnelProvider is
the only viable option for our use case.
The specific issue: when the public DNS resolver returns a large response
(~893 bytes for CERT records), injecting it via writePacketObjects() results
in mDNSResponder receiving the packet but not delivering the record to the
application. Responses under 512 bytes work correctly. Is there a supported
way to deliver DNS responses larger than 512 bytes through
NEPacketTunnelFlow?