diff --git a/CHANGELOG.md b/CHANGELOG.md
index 90e3acd..b66b047 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Broken DNS when no servers provided. [#84](https://github.com/keeshux/tunnelkit/issues/84)
 - UDP may disconnect on high-speed upload link. [#87](https://github.com/keeshux/tunnelkit/issues/87)
 - Client certificate may fail when private key in .ovpn is encrypted. [#91](https://github.com/keeshux/tunnelkit/issues/91)
+- DNS is unreachable when VPN is not default gateway. [#94](https://github.com/keeshux/tunnelkit/issues/94)
 
 ## 1.6.2 (2019-04-17)
 
diff --git a/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift b/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
index 93bfcac..f0b6e39 100644
--- a/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
+++ b/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
@@ -537,6 +537,7 @@ extension TunnelKitProvider: SessionProxyDelegate {
         let routingPolicies = configuration.routingPolicies ?? reply.options.routingPolicies
         let isIPv4Gateway = routingPolicies?.contains(.IPv4) ?? false
         let isIPv6Gateway = routingPolicies?.contains(.IPv6) ?? false
+        let isGateway = isIPv4Gateway || isIPv6Gateway
 
         var ipv4Settings: NEIPv4Settings?
         if let ipv4 = reply.options.ipv4 {
@@ -592,7 +593,6 @@ extension TunnelKitProvider: SessionProxyDelegate {
             ipv6Settings?.excludedRoutes = []
         }
 
-        var dnsSettings: NEDNSSettings?
         var dnsServers = cfg.sessionConfiguration.dnsServers ?? reply.options.dnsServers ?? []
 
         // fall back
@@ -601,10 +601,16 @@ extension TunnelKitProvider: SessionProxyDelegate {
             dnsServers = fallbackDNSServers
         }
 
-        dnsSettings = NEDNSSettings(servers: dnsServers)
+        let dnsSettings = NEDNSSettings(servers: dnsServers)
+        if !isGateway {
+            dnsSettings.matchDomains = [""]
+        }
         if let searchDomain = cfg.sessionConfiguration.searchDomain ?? reply.options.searchDomain {
-            dnsSettings?.domainName = searchDomain
-            dnsSettings?.searchDomains = [searchDomain]
+            dnsSettings.domainName = searchDomain
+            dnsSettings.searchDomains = [searchDomain]
+            if !isGateway {
+                dnsSettings.matchDomains = dnsSettings.searchDomains
+            }
         }
         
         var proxySettings: NEProxySettings?