diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh
index f8f12ae..a5dc304 100644
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -72,9 +72,11 @@ setup_killswitch() {
 iptables -A INPUT -i "$INTERFACE" -j ACCEPT
 iptables -A OUTPUT -o "$INTERFACE" -j ACCEPT
- # Allow DNS to the VPN DNS server (through wg0)
- iptables -A OUTPUT -o "$INTERFACE" -p udp --dport 53 -j ACCEPT
- iptables -A OUTPUT -o "$INTERFACE" -p tcp --dport 53 -j ACCEPT
+ # Allow DNS (VPN DNS servers are routed through wg0; allow before routing decision)
+ iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+ iptables -A INPUT -p udp --sport 53 -j ACCEPT
+ iptables -A INPUT -p tcp --sport 53 -j ACCEPT
 # Allow DHCP (for container networking)
 iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
diff --git a/Docker/podman-compose.yml b/Docker/podman-compose.yml
index 8ee5520..a19703b 100644
--- a/Docker/podman-compose.yml
+++ b/Docker/podman-compose.yml
@@ -7,6 +7,7 @@ services:
 cap_add:
 - NET_ADMIN
 - SYS_MODULE
+ - NET_RAW
 sysctls:
 - net.ipv4.ip_forward=1
 - net.ipv4.conf.all.src_valid_mark=1
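Review bot: Dropping `-o "$INTERFACE"` from the DNS OUTPUT rules, and adding unscoped `INPUT --sport 53` accepts, punches a hole in the killswitch: any process in the container can now reach port 53 on the non-VPN interface (a DNS leak, and a path for anything that speaks on that port), and any inbound packet whose source port happens to be 53 is accepted on every interface regardless of connection state. The new comment's rationale also does not hold, since the filter OUTPUT chain is traversed after the routing decision, so `-o` matching there already worked for locally generated queries. Keep the outbound rules scoped to the tunnel, `iptables -A OUTPUT -o "$INTERFACE" -p udp --dport 53 -j ACCEPT` (and the tcp twin), and replace the two `--sport 53` INPUT lines with a stateful reply rule, `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, if one is not already present earlier in the function. If the real need is to resolve the WireGuard endpoint hostname before wg0 exists, accept that single resolver address with `-d` rather than all of port 53 everywhere. setup_killswitch() begins and ends outside this hunk.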
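Review bot: `NET_RAW` is added without a comment saying which command needs it; iptables rule manipulation normally needs only the NET_ADMIN already granted, while NET_RAW additionally lets every process in the container open raw and packet sockets (address spoofing, sniffing), so it widens the blast radius if the container is compromised. If a specific step in the entrypoint fails without it, record that beside the line, e.g. `- NET_RAW  # required by <tool> (<error seen without it>); drop once no longer needed`, and otherwise leave the capability out. Because this is the compose service definition, the grant applies to every run of the container, not just the iptables setup phase.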