diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix
index c94ca84..b6ac08f 100644
--- a/hosts/falkenstein/modules/dns/default.nix
+++ b/hosts/falkenstein/modules/dns/default.nix
@@ -6,7 +6,7 @@ let
 $ORIGIN rfive.de.
 rfive.de. 86400 IN SOA ns.rfive.de. hostmaster.rfive.de. (
- 2024040103 ; serial
+ 2024040800 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -35,7 +35,7 @@ let
 mail AAAA 2a01:4f8:c012:49de::1
 @ TXT "v=spf1 mx ~all"
- rspamd._domainkey TXT "v=DKIM1; k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB"
+ rspamd._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB"
 _dmarc TXT "v=DMARC1; p=none; adkim=s; fo=1; rua=mailto:dmarc@rfive.de; ruf=mailto:dmarc@rfive.de"
 cache CNAME nuc.rfive.de.
diff --git a/hosts/falkenstein/modules/networks/default.nix b/hosts/falkenstein/modules/networks/default.nix
index 163bf41..2efbd03 100644
--- a/hosts/falkenstein/modules/networks/default.nix
+++ b/hosts/falkenstein/modules/networks/default.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 {
 age.secrets = {
 "wireguard/dorm/private" = {
@@ -11,6 +11,12 @@
 };
 };
+ environment.systemPackages = with pkgs; [
+ mtr
+ inetutils
+ dnsutils
+ wireguard-tools
+ ];
 networking = {
 hostName = "falkenstein";
 nftables.enable = true;
@@ -18,6 +24,7 @@
 useNetworkd = true;
 enableIPv6 = true;
 firewall = {
+ allowedUDPPorts = [ 51820 ];
 extraInputRules = ''
 ip saddr 192.168.0.0/16 tcp dport 19531 accept comment "Allow journald gateway access from local networks"
 '';
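Review bot: The `rspamd._domainkey` record re-published in the second hunk of `dns/default.nix` still carries what looks like a 1024-bit RSA key (the `MIGfMA0G…` prefix and the length of the `p=` value match a 1024-bit SubjectPublicKeyInfo), which is the minimum RFC 8301 permits, while 2048 bits is the recommended size. Since the record is being edited anyway, consider generating a 2048-bit key under a new selector and publishing it next to this one until mail signed with the old key has aged out. A 2048-bit `p=` value is longer than 255 bytes, so it has to be written as several quoted strings in one TXT record, e.g. `<new-selector>._domainkey TXT ( "v=DKIM1; k=rsa; " "p=<first-part>" "<second-part>" )` (placeholders, not real values).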
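Review bot: `allowedUDPPorts = [ 51820 ];` in the `firewall` hunk of `networks/default.nix` opens the port on every interface, and nothing on the line says what it is for. If ens3 is the uplink (it is the `BindCarrier` of wg0 later in this diff), scoping the rule with `interfaces.ens3.allowedUDPPorts = [ 51820 ];` keeps it off wg0 and any other interface. A short comment such as `# WireGuard (wg0) listen port` would help, since the number presumably duplicates a listen port set elsewhere in the file and the two must stay in sync. The `firewall` block continues outside the hunk.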
@@ -31,10 +38,6 @@
 "2620:fe::fe"
 "2620:fe::9"
 ];
- extraConfig = ''
- [Resolve]
- DNSStubListener=no
- '';
 };
 systemd.network = {
 enable = true;
@@ -86,8 +89,9 @@
 matchConfig.Name = "wg0";
 networkConfig = {
 Address = "192.168.43.4/32";
- DNS = "192.168.42.1";
- DNSSEC = true;
+ DNS = "192.168.43.1";
+ Domains = "~vpn.rfive.de ~43.168.192.in-addr.arpa";
+ DNSSEC = false;
 BindCarrier = [ "ens3" ];
 };
 };
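Review bot: `DNSSEC = false;` in the wg0 hunk turns validation off for every name resolved over this link, and nothing in the hunk records why. Because `Domains` holds only routing entries (`~vpn.rfive.de ~43.168.192.in-addr.arpa`), the downgrade should be confined to those two zones, which are presumably unsigned internal zones served by 192.168.43.1. I would state that in a comment, e.g. `# vpn.rfive.de and its reverse zone are unsigned; validation is disabled for wg0 only`, or use `DNSSEC = "allow-downgrade";` if the VPN resolver may sign them later. The enclosing network definition starts outside the hunk.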