diff --git a/nix/configuration/configuration.nix b/nix/configuration/configuration.nix
index 0411076..3f7c5d5 100644
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@@ -9,6 +9,7 @@
     ./boot.nix
     ./zfs.nix
     ./network.nix
+    ./roles/firewall
     ./roles/graphics
     ./roles/sound
     ./roles/sway
@@ -88,6 +89,8 @@
     vulkan-tools # for vkcube TODO move to better role
     xorg.xeyes # to test which windows are using x11 TODO move to better role
     ripgrep
+    strace
+    tcpdump
   ];
 
   services.openssh = {
@@ -109,12 +112,6 @@
     ];
   };
 
-  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [ 22 ];
-  networking.firewall.allowedUDPPorts = [ ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
   # Check what will be lost with `zfs diff zroot/linux/root@blank`
   boot.initrd.systemd.enable = lib.mkDefault true;
   boot.initrd.systemd.services.zfs-rollback = {
diff --git a/nix/configuration/network.nix b/nix/configuration/network.nix
index fcb8e0d..0da0a7b 100644
--- a/nix/configuration/network.nix
+++ b/nix/configuration/network.nix
@@ -6,7 +6,7 @@
   networking.dhcpcd.enable = false;
   networking.useDHCP = false;
   # networking.nameservers = ["8.8.8.8" "8.8.4.4"];
-  networking.nameservers = [ "194.242.2.2#doh.mullvad.net" "[2a07:e340::2]#doh.mullvad.net" ];
+  networking.nameservers = [ "194.242.2.2#doh.mullvad.net" "2a07:e340::2#doh.mullvad.net" ];
   # networking.nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
   services.resolved = {
     enable = true;
@@ -15,6 +15,13 @@
     fallbackDns = [ ];
     dnsovertls = "true";
   };
+
+  # Without this, systemd-resolved will send DNS requests for .home.arpa to the per-link DNS server (172.16.0.1) which does not support DNS-over-TLS. This leads to the connection anging and timing out. This causes firefox startup to take an extra 10+ seconds.
+  #
+  # Test with: drill @127.0.0.53 odo.home.arpa
+  networking.extraHosts = "127.0.0.1 odo.home.arpa";
+
   networking.wireless.iwd = {
     enable = true;
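Review bot: The extraHosts entry in the network.nix @@ -15 hunk only special-cases one name; with `dnsovertls = "true"` (strict) any other query that resolved routes to the per-link 172.16.0.1 server will stall the same way, so the comment should present this as a workaround for that single host rather than a fix, and `anging` should read `hanging`. If the per-link server is pushed by the wireless link, the root cause is better handled at that link (routing the `home.arpa` domain to it, or relaxing DNS-over-TLS for that link only), but that configuration is not visible in this hunk. Suggested comment wording: `# Workaround for a single name: with strict DNS-over-TLS, queries routed to the per-link server (172.16.0.1, no DoT) hang until timeout; pinning odo.home.arpa here avoids the ~10 s Firefox startup delay.`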
@@ -29,5 +36,6 @@
   environment.systemPackages = with pkgs; [
     iw
     iwd
+    ldns # for drill
   ];
 }
diff --git a/nix/configuration/roles/firewall/default.nix b/nix/configuration/roles/firewall/default.nix
new file mode 100644
index 0000000..d5d22ea
--- /dev/null
+++ b/nix/configuration/roles/firewall/default.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [];
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [
+    22 # ssh
+  ];
+  networking.firewall.allowedUDPPorts = [
+    5353 # mDNS
+  ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+}
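Review bot: UDP 5353 is now opened on every interface in roles/firewall/default.nix, whereas the removed configuration.nix block kept `allowedUDPPorts = [ ]`, and nothing in this diff enables an mDNS responder that would need it; on a machine joining arbitrary networks over iwd that is a wider exposure than the old config had. If mDNS is only wanted on the LAN, scope it per interface, `networking.firewall.interfaces.<iface>.allowedUDPPorts = [ 5353 ];`, and extend the `# mDNS` comment to name the service that relies on it. Port 22 is likely already opened by the openssh module's openFirewall default, so the explicit `22 # ssh` duplicates it unless that default was disabled in the services.openssh block, which is outside this diff. The `imports = [];` line and the copied "disable the firewall altogether" comment are no-ops in a role module and could be dropped.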