diff --git a/secrets/pihole.age b/secrets/pihole.age
index 40ec12d..0272910 100644
Binary files a/secrets/pihole.age and b/secrets/pihole.age differ
diff --git a/services/pihole.nix b/services/pihole.nix
index 0dc7625..10a7d74 100644
--- a/services/pihole.nix
+++ b/services/pihole.nix
@@ -16,12 +16,18 @@
           containerConfig = {
             image = "docker.io/pihole/pihole:2025.06.2";
             publishPorts =
-              [ "53:53/tcp" "53:53/udp" "80:80/tcp" "443:443/tcp" ];
+              [ "53:53/tcp" "53:53/udp" "80:80/tcp" "443:443/tcp" "67:67/udp" ];
             environmentFiles = [ config.age.secrets.pihole-credentials.path ];
+            volumes =
+              [ "/etc/pihole:/etc/pihole:Z" "/etc/dnsmasq:/etc/dnsmasq:Z" ];
+            addCapabilities = [ "NET_ADMIN" ];
             networks = [ "bridge" ];
           };
         };
       };
     };
   };
+  systemd.tmpfiles.rules =
+    [ "d /etc/pihole 0770 root root -" "d /etc/dnsmasq 0770 root root -" ];
+
 }