diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index e20da97da..b065e5973 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -112,6 +112,7 @@ $ip6tables -t filter -A CLOUDRON -p ipv6-icmp -j ACCEPT
 ipxtables -t filter -A CLOUDRON -p udp --sport 53 -j ACCEPT
 # for ldap server (ipv4 only) to accept connections from apps. for connecting to addons and mail container ports, docker already has rules
 $iptables -t filter -A CLOUDRON -p tcp -s 172.18.0.0/16 -d 172.18.0.1 --dport 3002 -j ACCEPT
+$iptables -t filter -A CLOUDRON -p udp -s 172.18.0.0/16 --dport 53 -j ACCEPT # dns responses from docker (127.0.0.11)
 ipxtables -t filter -A CLOUDRON -i lo -j ACCEPT # required for localhost connections (mysql)
 
 # log dropped incoming. keep this at the end of all the rules