diff --git a/.gitignore b/.gitignore
index 870d7bb..c894fac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.*.swp
 ip6t-firewall-vserver.conf
 ipt-firewall-vserver.conf
 BAK/*
diff --git a/ip6t-firewall-vserver b/ip6t-firewall-vserver
index 8a17767..2859060 100755
--- a/ip6t-firewall-vserver
+++ b/ip6t-firewall-vserver
@@ -583,17 +583,24 @@ done
 # - Make nameservers rechable for all
 # -
 for _ip in ${dns_server_ips[@]} ; do
+ # dns requests
+ #
+ # Note:
+ # If the total size of the DNS record is larger than 512 bytes,
+ # it will be sent over TCP, not UDP.
+ #
 $ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
 if containsElement "$_ip" ${lxc_ips_arr[@]} || $kernel_forward_between_interfaces ; then
 $ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
- # Zonetransfer
 $ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
 $ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
 fi
 if containsElement "$_ip" ${vserver_ips_arr[@]} ; then
 $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
- # Zonetransfer
 $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
 $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
 fi
 done
@@ -601,6 +608,7 @@ done
 if $local_dns_service ; then
 for _ip in ${host_ips_arr[@]} ; do
 $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
 # Zonetransfer
 $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
 $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
diff --git a/ipt-firewall-vserver b/ipt-firewall-vserver
index 76760f7..c1d45ea 100755
--- a/ipt-firewall-vserver
+++ b/ipt-firewall-vserver
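Review bot: The six added comment lines above `$ip6t -A OUTPUT -p udp -d $_ip --dport 53 ...` in the @@ -583,17 +583,24 @@ hunk state that an answer larger than 512 bytes "will be sent over TCP", which misdescribes the fallback: the server truncates the UDP answer (TC bit) and the resolver retries over TCP, and with EDNS0 the limit is the negotiated UDP buffer size rather than a fixed 512 bytes, while TCP/53 is expected for ordinary queries regardless of size. I would replace the six lines with `# DNS queries: UDP first; a resolver retries over TCP when the UDP` / `# answer is truncated (TC bit, EDNS0 buffer size), so allow TCP/53 too.`. The same comment block is added in the ipt-firewall-vserver hunk at @@ -760,17 +760,24 @@ and should be corrected there as well. The new OUTPUT tcp rule itself is scoped as narrowly as the udp one (NEW to a configured nameserver on dport 53), and the for loop and both if blocks close inside the hunk.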
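Review bot: In the @@ -601,6 +608,7 @@ hunk the added `$ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT` is byte-identical to the context line two lines below it, the one under `# Zonetransfer`, so the INPUT chain gets the same rule twice and the zone-transfer label now sits on a plain DNS-over-TCP rule. The IPv4 counterpart at @@ -778,8 +785,8 @@ in ipt-firewall-vserver handles this case by keeping a single INPUT tcp rule and moving `# Zonetransfer` onto the `$ipt -A OUTPUT -p tcp -s $_ip --dport 53 ...` line; the IPv6 hunk should match it: drop the duplicated INPUT rule and place `# Zonetransfer` directly above `$ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT`. The enclosing for loop and the `if $local_dns_service` block close outside the hunk.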
@@ -760,17 +760,24 @@ done
 # - Make nameservers rechable for all
 # -
 for _ip in ${dns_server_ips[@]} ; do
+ # dns requests
+ #
+ # Note:
+ # If the total size of the DNS record is larger than 512 bytes,
+ # it will be sent over TCP, not UDP.
+ #
 $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
 if containsElement "$_ip" ${lxc_ips_arr[@]} || $kernel_activate_forwarding ; then
 $ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
- # Zonetransfer
 $ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
 $ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
 fi
 if containsElement "$_ip" ${vserver_ips_arr[@]} ; then
 $ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
- # Zonetransfer
 $ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
 $ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
 fi
 done
@@ -778,8 +785,8 @@ done
 if $local_dns_service ; then
 for _ip in ${host_ips_arr[@]} ; do
 $ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
- # Zonetransfer
 $ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
 $ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
 done
 fi