diff --git a/machines/vendetta.nix b/machines/vendetta.nix
index a5c0472..877f2b7 100644
--- a/machines/vendetta.nix
+++ b/machines/vendetta.nix
@@ -25,6 +25,7 @@ let
 in {
 imports = [
 # applications for this particular server
+ ../applications/firewall.nix
 ../applications/dns.nix
 ];
@@ -41,6 +42,12 @@ in {
 };
 };
+ # open the firewall for this
+ skynet_firewall.forward = [
+ "ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
+ "ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept"
+ ];
+
 skynet_dns = {
 enable = true;
diff --git a/machines/vigil.nix b/machines/vigil.nix
index 0145ea6..cf0806a 100644
--- a/machines/vigil.nix
+++ b/machines/vigil.nix
@@ -24,6 +24,7 @@ let
 in {
 imports = [
 # applications for this particular server
+ ../applications/firewall.nix
 ../applications/dns.nix
 ];
@@ -40,6 +41,12 @@ in {
 };
 };
+ # open the firewall for this
+ skynet_firewall.forward = [
+ "ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
+ "ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept"
+ ];
+
 skynet_dns = {
 enable = true;
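Review bot: Both forward rules added in the second hunk of machines/vendetta.nix match `ip saddr ${ip_pub}`, so they accept port-53 traffic coming from this host rather than traffic addressed to it; the identical pair in machines/vigil.nix has the same shape. If the comment's intent is to let clients reach the DNS server, the match should be on the destination, e.g. `"ip daddr ${ip_pub} udp dport 53 counter accept"` plus its tcp twin. If outbound queries or zone transfers are what is meant, the comment should say so, because as written the host may be forwarded to port 53 on any destination. `ip_pub` and the chain these strings are spliced into are defined outside the hunk, so the intended direction cannot be confirmed from here. The literal `counter packets 0 bytes 0` looks like copied `nft list` output; a bare `counter` is the usual form in a rule definition.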