diff --git a/global/overlay/etc/puppet/modules/dns/manifests/knotdns.pp b/global/overlay/etc/puppet/modules/dns/manifests/knotdns.pp
index 5e451b3..e5059e2 100644
--- a/global/overlay/etc/puppet/modules/dns/manifests/knotdns.pp
+++ b/global/overlay/etc/puppet/modules/dns/manifests/knotdns.pp
@@ -91,4 +91,12 @@ class dns::knotdns(
 owner => 'knot_rest',
 group => 'knot_rest',
 }
+
+ # NFT rules
+ sunet::nftables::rule { 'dns-udp':
+ rule => "add rule inet filter input udp dport 53 counter accept comment \"allow-dns-udp\""
+ }
+ sunet::nftables::rule { 'dns-tcp':
+ rule => "add rule inet filter input tcp dport 53 counter accept comment \"allow-dns-tcp\""
+ }
 }
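Review bot: The two added `sunet::nftables::rule` resources accept UDP and TCP port 53 from any source on the `inet filter input` chain, with no class parameter to narrow the allowed clients; that is the right default for a public authoritative Knot server, but if an instance of this class is ever deployed as a hidden primary or for a restricted client population, the rules as written expose it unconditionally. A parameter along the lines of `$allowed_clients` (a constructed name) that defaults to the current any-source behaviour and, when set, prefixes the rule with an `ip saddr { ... }` / `ip6 saddr { ... }` match would keep the public case unchanged while making the narrow case expressible. The two resources also differ only in the protocol token and the comment string, so iterating over `['udp', 'tcp']` would avoid keeping the two rule strings in sync by hand, assuming the Puppet version in use supports iteration. The enclosing class `dns::knotdns` starts outside the hunk.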