diff --git a/applications/dns.nix b/applications/dns.nix index 0816434..9174ee7 100644 --- a/applications/dns.nix +++ b/applications/dns.nix @@ -196,6 +196,11 @@ let }; in { + + imports = [ + ../applications/firewall.nix + ]; + options = { skynet_dns = { enable = lib.mkEnableOption { @@ -212,7 +217,6 @@ in { own = { ip = lib.mkOption { - default = "ns1"; type = lib.types.str; description = '' ip of this server @@ -284,6 +288,12 @@ in { config = lib.mkIf cfg.enable { + # open the firewall for this + skynet_firewall.forward = [ + "ip daddr ${cfg.own.ip} tcp dport 53 counter packets 0 bytes 0 accept" + "ip daddr ${cfg.own.ip} udp dport 53 counter packets 0 bytes 0 accept" + ]; + services.bind.zones = (create_entry_zone "csn.ul.ie" extraConfig.owned ) // (create_entry_zone "skynet.ie" extraConfig.owned )// diff --git a/machines/vendetta.nix b/machines/vendetta.nix index 5b597a9..42b4d8b 100644 --- a/machines/vendetta.nix +++ b/machines/vendetta.nix @@ -52,12 +52,6 @@ in { }; }; - # open the firewall for this - skynet_firewall.forward = [ - "ip daddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept" - "ip daddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept" - ]; - skynet_dns = { enable = true; diff --git a/machines/vigil.nix b/machines/vigil.nix index 593399e..69bda22 100644 --- a/machines/vigil.nix +++ b/machines/vigil.nix @@ -21,8 +21,6 @@ let ns = "ns2"; in { imports = [ - # applications for this particular server - ../applications/firewall.nix ../applications/dns.nix ]; @@ -34,12 +32,6 @@ in { tags = [ "active" "dns" ]; }; - # open the firewall for this - skynet_firewall.forward = [ - "ip daddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept" - "ip daddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept" - ]; - skynet_dns = { enable = true;
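Review bot: The import path added in the first hunk of applications/dns.nix, `../applications/firewall.nix`, climbs out of `applications/` only to re-enter it. `./firewall.nix` names the same file and does not depend on the directory's own name. The empty added line directly after `in {` can be dropped as well.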
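Review bot: `own.ip` in the second hunk of applications/dns.nix is still typed `lib.types.str`, yet this commit splices its value into nftables rules (`ip daddr ${cfg.own.ip}` in the next hunk), so a hostname or typo reaches the ruleset text unchecked. The removed default `"ns1"` shows that a non-address value has already been placed in this option once. A stricter type rejects such values at evaluation time, for example `type = lib.types.strMatching "[0-9]{1,3}(\\.[0-9]{1,3}){3}";`. The option's definition continues past the end of the hunk.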
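Review bot: The forward rules added under `config` in the third hunk of applications/dns.nix match on `cfg.own.ip`, whereas the rules deleted from machines/vendetta.nix and machines/vigil.nix matched on `ip_pub`. The same destination stays open only if each machine sets `skynet_dns.own.ip` to that public address, and those assignments are outside the visible hunks. I would state the requirement next to the rules, e.g. `# cfg.own.ip must be the public address DNS is forwarded to (formerly ip_pub in the machine files)`. The rules now apply to every host that enables the module, with no option to keep port 53 closed, so it is worth confirming that no internal-only use of `skynet_dns` is planned. The `config` block continues past the end of the hunk.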