NETransparentProxyProvider can't process port 53 specifically for some reason (I don't see a technical reason it shouldn't), but it seems to work (i.e. catch UDP 53 traffic) when you don't specify a port: NENetworkRule(remoteNetwork: nil, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .UDP, direction: .outbound) You can then ignore everything you are not interested in filtering: override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow, initialRemoteEndpoint: NWEndpoint) -> Bool {     if let endpoint = initialRemoteEndpoint as? NWHostEndpoint {         if endpoint.port == "53" { // Do the filtering } else { return false // Let OS handle it } } } Beware of this bug though. I'm not sure if it has been resolved yet.

Thank you for your responses (to all of my threads) Matt. Unfortunately this is not an option as it requires us to restart the VPN as a privileged user after every reboot and I'm not sure how the installation story look like. Besides this would probably be an undocumented/unsupported configuration. I have submitted Enhancement Requests 9657389, 9657399, and 9657405. I guess for the time being we should live with these issues while looking forward to a response with crossed fingers. Thanks again for your time.

For future reference, here is the reply from Apple to my enhancement request: Create a com.apple.vpn.managed profile payload with VPNSubType set to your app’s bundle identifier and ProviderType set to app-proxy in the VPN dictionary. Please see https://developer.apple.com/documentation/devicemanagement/vpn?language=objc for details.