diff --git a/src/system/machines/server/system.nix b/src/system/machines/server/system.nix
index 761c826..91db296 100644
--- a/src/system/machines/server/system.nix
+++ b/src/system/machines/server/system.nix
@@ -120,6 +120,7 @@
     firewall = {
       enable = true;
       allowedTCPPorts = [ 22 ];
+      allowedUDPPorts = [ 53 67 ];  # DNS + DHCP
     };
   };
 
@@ -146,8 +147,6 @@
     };
   };
 
-  networking.firewall.allowedUDPPorts = [ 53 ];
-
   services.fail2ban = {
     enable = true;
     maxretry = 5;