diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e202b4e15..93b4ca76ae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@
 - Fix DI issue by binding to MAUI using lifecycle events ([#2006](https://github.com/getsentry/sentry-dotnet/pull/2006))
 - Unhide `SentryEvent.Exception` ([#2011](https://github.com/getsentry/sentry-dotnet/pull/2011))
 - Bump `Google.Cloud.Functions.Hosting` to version 1.1.0 ([#2015](https://github.com/getsentry/sentry-dotnet/pull/2015))
+- Fix default host issue for the Sentry Tunnel middleware ([#2019](https://github.com/getsentry/sentry-dotnet/pull/2019))
 
 ## 3.22.0
 
diff --git a/src/Sentry.AspNetCore/SentryTunnelMiddleware.cs b/src/Sentry.AspNetCore/SentryTunnelMiddleware.cs
index 829a803b17..2e7c63b855 100644
--- a/src/Sentry.AspNetCore/SentryTunnelMiddleware.cs
+++ b/src/Sentry.AspNetCore/SentryTunnelMiddleware.cs
@@ -22,7 +22,7 @@ public class SentryTunnelMiddleware : IMiddleware
     /// <seealso href="https://docs.sentry.io/platforms/javascript/troubleshooting/#dealing-with-ad-blockers"/>
     public SentryTunnelMiddleware(string[] allowedHosts)
     {
-        _allowedHosts = new[] { "sentry.io" }.Concat(allowedHosts).ToArray();
+        _allowedHosts = allowedHosts;
     }
 
     /// <inheritdoc />
@@ -77,7 +77,10 @@ public async Task InvokeAsync(HttpContext context, RequestDelegate next)
                 await response.WriteAsync("Invalid DSN JSON supplied").ConfigureAwait(false);
                 return;
             }
-            if (headerJson.TryGetValue("dsn", out var dsnString) && Uri.TryCreate(dsnString.ToString(), UriKind.Absolute, out var dsn) && _allowedHosts.Contains(dsn.Host))
+
+            if (headerJson.TryGetValue("dsn", out var dsnString) &&
+                Uri.TryCreate(dsnString.ToString(), UriKind.Absolute, out var dsn) &&
+                IsHostAllowed(dsn.Host))
             {
                 var projectId = dsn.AbsolutePath.Trim('/');
                 memoryStream.Position = 0;
@@ -110,4 +113,9 @@ public async Task InvokeAsync(HttpContext context, RequestDelegate next)
             await response.WriteAsync("Received empty body").ConfigureAwait(false);
         }
     }
+
+    private bool IsHostAllowed(string host) =>
+        host.EndsWith(".sentry.io", StringComparison.OrdinalIgnoreCase) ||
+        host.Equals("sentry.io", StringComparison.OrdinalIgnoreCase) ||
+        _allowedHosts.Contains(host, StringComparer.OrdinalIgnoreCase);
 }
diff --git a/src/Sentry.AspNetCore/SentryWebHostBuilderExtensions.cs b/src/Sentry.AspNetCore/SentryWebHostBuilderExtensions.cs
index f9c0cee4ee..03ec7f5067 100644
--- a/src/Sentry.AspNetCore/SentryWebHostBuilderExtensions.cs
+++ b/src/Sentry.AspNetCore/SentryWebHostBuilderExtensions.cs
@@ -110,8 +110,12 @@ public static IWebHostBuilder UseSentry(
     /// <summary>
     /// Adds and configures the Sentry tunneling middleware.
     /// </summary>
-    /// <param name="services"></param>
-    /// <param name="hostnames">The extra hostnames to be allowed for the tunneling. sentry.io is allowed by default; add your own Sentry domain if you use a self-hosted Sentry or Relay.</param>
+    /// <param name="services">The service collection</param>
+    /// <param name="hostnames">
+    /// The extra hostnames to be allowed for the tunneling.
+    /// Hosts ending in <c>.sentry.io</c> are always allowed, and do not need to be included in this list.
+    /// Add your own domain if you use a self-hosted Sentry or Relay.
+    /// </param>
     public static void AddSentryTunneling(this IServiceCollection services, params string[] hostnames) =>
         services.AddScoped(_ => new SentryTunnelMiddleware(hostnames));
 
diff --git a/test/Sentry.AspNetCore.Tests/Tunnel/IntegrationsTests.cs b/test/Sentry.AspNetCore.Tests/Tunnel/IntegrationsTests.cs
index 08c09859bb..9b1afcd1c3 100644
--- a/test/Sentry.AspNetCore.Tests/Tunnel/IntegrationsTests.cs
+++ b/test/Sentry.AspNetCore.Tests/Tunnel/IntegrationsTests.cs
@@ -28,13 +28,16 @@ public IntegrationsTests()
         _server = new TestServer(builder);
     }
 
-    [Fact]
-    public async Task TunnelMiddleware_CanForwardValidEnvelope()
+    [Theory]
+    [InlineData("sentry.io")]
+    [InlineData("ingest.sentry.io")]
+    [InlineData("o12345.ingest.sentry.io")]
+    public async Task TunnelMiddleware_CanForwardValidEnvelope(string host)
     {
         var requestMessage = new HttpRequestMessage(new HttpMethod("POST"), "/tunnel")
         {
             Content = new StringContent(
-            @"{""sent_at"":""2021-01-01T00:00:00.000Z"",""sdk"":{""name"":""sentry.javascript.browser"",""version"":""6.8.0""},""dsn"":""https://dns@sentry.io/1""}
+            @"{""sent_at"":""2021-01-01T00:00:00.000Z"",""sdk"":{""name"":""sentry.javascript.browser"",""version"":""6.8.0""},""dsn"":""https://dns@" + host + @"/1""}
 {""type"":""session""}
 {""sid"":""fda00e933162466c849962eaea0cfaff""}")
         };