diff --git a/thelounge/networkpolicy.yaml b/thelounge/networkpolicy.yaml
index 30c5a90..461359e 100644
--- a/thelounge/networkpolicy.yaml
+++ b/thelounge/networkpolicy.yaml
@@ -11,21 +11,20 @@ spec:
- Egress
ingress:
+ ### Allow intra-namespace communication
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: irc
+ ###
+ ### Allow traffic from gateways
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: istio-system
-
+ ###
egress:
- - to:
- - namespaceSelector:
- matchLabels:
- kubernetes.io/metadata.name: irc
-
+ ### Allow DNS resolution
- to:
- namespaceSelector:
matchLabels:
@@ -38,11 +37,19 @@ spec:
port: 53
- protocol: TCP
port: 53
-
+ ###
+ ### Allow intra-namespace communication
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: irc
+ ###
+ ### Allow outbound to the world
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 10.0.0.0/8
- 172.16.0.0/12
- - 192.168.0.0/16
\ No newline at end of file
+ - 192.168.0.0/16
+ ###
\ No newline at end of file
diff --git a/znc/networkpolicy.yaml b/znc/networkpolicy.yaml
index c09cc71..d341ee5 100644
--- a/znc/networkpolicy.yaml
+++ b/znc/networkpolicy.yaml
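Review bot: The new comment `### Allow traffic from gateways` over-describes the rule beneath it: that `from` entry selects the whole `istio-system` namespace with no `podSelector` and no `ports`, so every pod in that namespace, not only the gateway, can reach thelounge on every port. If only the ingress gateway is intended, narrow it with a `podSelector` on the gateway's labels and a `ports` entry for the application port; otherwise reword the comment to `### Allow traffic from the istio-system namespace` so the policy reads as it behaves. The same comment and rule appear in znc/networkpolicy.yaml. The `###` lines are ordinary YAML comments, so any tooling that round-trips the manifest will drop them; they record intent but enforce nothing.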
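Review bot: The `except` list under `cidr: 0.0.0.0/0` in the new `### Allow outbound to the world` rule leaves the link-local range open, so egress to `169.254.0.0/16`, where cloud instance-metadata services are reachable, is still permitted; adding `- 169.254.0.0/16` closes that, and `- 100.64.0.0/10` is worth adding as well if the cluster's pod or service network uses the shared address space. The rule also carries no `ports`, so the pod may connect to any outbound port; whether thelounge needs more than the IRC client ports is not visible in this hunk, but if it does not, a `ports` list would tighten it further. The same `except` list is in znc/networkpolicy.yaml. Note that `0.0.0.0/0` matches IPv4 only, so on a dual-stack cluster IPv6 egress stays blocked by these rules; that is fine if intended, but a one-line comment saying so would prevent a later "why is v6 broken" hunt.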
@@ -11,27 +11,45 @@ spec:
- Egress
ingress:
+ ### Allow intra-namespace communication
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: irc
+ ###
+ ### Allow traffic from gateways
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: istio-system
-
+ ###
egress:
- # namespace-local
+ ### Allow DNS resolution
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ ###
+ ### Allow intra-namespace communication
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: irc
-
- # public internet only
+ ###
+ ### Allow outbound to the world
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 10.0.0.0/8
- 172.16.0.0/12
- - 192.168.0.0/16
\ No newline at end of file
+ - 192.168.0.0/16
+ ###
\ No newline at end of file
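Review bot: The new `### Allow DNS resolution` egress rule only takes effect where the `kube-system` namespace carries the `kubernetes.io/metadata.name` label and the DNS pods carry `k8s-app: kube-dns`; the namespace label is set automatically by the API server from Kubernetes 1.21 onward, but on an older cluster or with a DNS deployment that uses other labels the selector matches nothing and name resolution fails silently rather than loudly, so it is worth confirming with `kubectl get pods -n kube-system --show-labels`. A short comment stating that assumption, e.g. `### assumes the cluster DNS pods are labelled k8s-app=kube-dns`, would save the next reader the check. Separately, the file still ends without a trailing newline, as the `\ No newline at end of file` marker shows; adding one keeps future diffs clean.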