diff --git a/kube/deploy/core/ingress/cloudflare/tunnel/netpol.yaml b/kube/deploy/core/ingress/cloudflare/tunnel/netpol.yaml
index 8b2fc8b8..d92914b5 100644
--- a/kube/deploy/core/ingress/cloudflare/tunnel/netpol.yaml
+++ b/kube/deploy/core/ingress/cloudflare/tunnel/netpol.yaml
@@ -26,6 +26,14 @@ spec:
 protocol: TCP
 - port: "443"
 protocol: UDP
+ # allow cloudflared to egress to pods that require ingress
+ - toEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ - key: ingress.home.arpa/cloudflare
+ operator: In
+ values: [allow]
 # Headscale
 - toEndpoints:
 - matchLabels:
@@ -57,17 +65,6 @@ spec:
 - ports:
 - port: "7844"
 protocol: UDP
- # L7 DNS inspection & proxy
- - toEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: kube-system
- k8s-app: kube-dns
- toPorts:
- - ports:
- - port: "53"
- rules:
- dns:
- - matchPattern: "*"
 # allow Flux notification-controller ingress
 - toEndpoints:
 - matchLabels:
@@ -90,8 +87,6 @@ spec:
 - ports:
 - port: "59292"
 protocol: TCP
- - port: "80"
- protocol: TCP
 rules:
 http:
 - {}
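Review bot: The new egress rule in the first hunk matches `io.kubernetes.pod.namespace` with `operator: Exists`, which for a namespaced Cilium policy (the `toEndpoints`/`toPorts` keys suggest that is what this is) widens the selector from the policy's own namespace to every namespace, and the rule has no `toPorts`, so any pod anywhere in the cluster that carries `ingress.home.arpa/cloudflare=allow` becomes reachable from cloudflared on every port. That turns the label into an opt-in that anyone with pod-create rights in any namespace can grant themselves; if that is intended, state it above the rule, e.g. `# any pod in any namespace labelled ingress.home.arpa/cloudflare=allow is reachable on all ports; reachability is label-only, not namespace-scoped`, otherwise replace the `Exists` on the namespace key with `operator: In` and an explicit namespace list, or add a `toPorts` block. The second hunk also drops the kube-dns port 53 rule with its L7 `dns` inspection; if no other rule in this file or a cluster-wide policy now allows DNS egress, cloudflared will fail to resolve the tunnel edge, and even if one does, the DNS-proxy visibility the removed rule gave is gone, which deserves a one-line comment at that spot. The enclosing egress list begins before the hunk.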