diff --git a/kube/clusters/biohazard/config/vars.sops.env b/kube/clusters/biohazard/config/vars.sops.env
index 8eb46d71..45b72dac 100644
--- a/kube/clusters/biohazard/config/vars.sops.env
+++ b/kube/clusters/biohazard/config/vars.sops.env
@@ -54,6 +54,7 @@ DNS_STREAM=ENC[AES256_GCM,data:IQKPb0HvNNCjH66+H56oybM4,iv:YcV2u1p3hLIcNGG/G3POu
 DNS_ME=ENC[AES256_GCM,data:mvkrtneuOQ==,iv:tXwnnd4pILQJZcu8S2U6iX4Tu34y7AVKdje98tBGzhc=,tag:VD0Ov9KL8j2RGBTGU0MFAg==,type:str]
 DNS_HOME=ENC[AES256_GCM,data://qMySXhwLc=,iv:FZ3g2rmlpTxRDxZp2K551Ar+m5XMExobObaM6uf9prw=,tag:/cY6U53sjCbaVwlE7A9A1g==,type:str]
 DNS_INTERNAL=ENC[AES256_GCM,data:IjMxQ4Ev7yk=,iv:nFKR0p8T1099khSAOWQBdfGU660n3vMSfhyET3mOdkY=,tag:G4nNPjJym7uT5E2A0y+l7Q==,type:str]
+DNS_FUNNY=ENC[AES256_GCM,data:XGYFv5xnZ6M=,iv:teiYncvQ44vTK+cYiJTSHSYQFv0JxXRs6qM+M9I/KXI=,tag:hykJg2uGKrX0VXxNeHuUXQ==,type:str]
 DNS_KAH=ENC[AES256_GCM,data:MUJI1U6bNmvzvAU=,iv:1eTSLdbbuMwx1YVo0STg8wL9lKy3OaR9KLMznw9LZFs=,tag:BYnkE2X/jKM5Fr/9/6GbfQ==,type:str]
 DNS_NAS=ENC[AES256_GCM,data:tXgzzi0q8Q/4GSL8oPpw3JzgobLF+Zhl/A==,iv:Qr+PpJwgzvSjo4dUA5lnszfwIkdnyT/Y+O7WP8vppls=,tag:eeht1Fj20CJHIWA4o2YW/g==,type:str]
 DNS_OLD_DOCKER=ENC[AES256_GCM,data:9nDHAHXCge/1+Ht8ufHWbqCoCC61,iv:8OsS2kwc+wM91JP2UGAOk9pIV1NMbJftivNRHpS7GMo=,tag:ahE6gj74E60iszNOGrqSzQ==,type:str]
@@ -189,12 +190,12 @@ CONFIG_OVENMEDIAENGINE_NAME=ENC[AES256_GCM,data:58CuH8bcUHWXBZA=,iv:BN7x6aAJPbzI
 CONFIG_THELOUNGE_USERNAME=ENC[AES256_GCM,data:+C2aABtqq8YG,iv:4DYpguAvmaqPedRgrflDlKfX5jJEhyWXKuRS+UVgHLo=,tag:vfJko+R2D8ct7KZC2Vnujw==,type:str]
 CONFIG_THELOUNGE_JOIN=ENC[AES256_GCM,data:ocuC,iv:9Cn9zp2+iIVrEXYxklEtkpftmJwTGsWnff2xIG9KNec=,tag:3UL9Gn+kHoXu+40CFkP7sg==,type:str]
 CONFIG_PSONO_TITLE=ENC[AES256_GCM,data:ORXmkTqtuka3l5M0pdu1NKxdX3Pes3xdEMw=,iv:Mbw/KUQJcIdYdcWby6qeCY4Q31Vc+dUOjLLprHL5P9E=,tag:HavoGugubPrunCoOkL40Mw==,type:str]
-sops_unencrypted_suffix=_unencrypted
-sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
-sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z
-sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
-sops_lastmodified=2023-11-27T07:34:03Z
-sops_version=3.7.3
-sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n
-sops_mac=ENC[AES256_GCM,data:ygBi8sAig/BMiZ9cltdINFCUAEhxONcVjt7edw+tskjjeTXP1OJ1uxEqDPwIUt3c7xwjyRAgBLJcxTwARdav2cGKCZAdRBTbCL5plDHyzLNcCigm29l/ZgINx5IDX1Mx5i1oLFfx5683G8zJHMfgZzsVooqvZCWXYNU9EHwX2QY=,iv:sT4QZC6vCUI6ESncEBsA6bkgPW3NSY20ZRKRSzM/rAQ=,tag:87lBaKIto/wGmTBGfNX33g==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
+sops_lastmodified=2023-12-11T19:00:52Z
+sops_mac=ENC[AES256_GCM,data:LJ8vG4tuvjneyZuIDr+G2lhoaxWx/tWFv56SwCNuGaR8Fz4u13QGNYFGXC+oF6kcNk2jka/hxCKDD45dbpZ028PPaeKMzl/QAjh1NtQBBK69QMkBLCQB7cQST9CBJwqXe5iZtTuFn8QL8MfP9dZXIZA9I+iXs7n9dMx5VmKKYgA=,iv:AcOPrydJyni3QeZvPKBneszdnfpDqUJ6ZwI6Jvs6RP4=,tag:WZ2X6Z1AxXfiFZBOc5m0EA==,type:str]
+sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n
+sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1
diff --git a/kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml b/kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml
index 094012a4..0aa1ae87 100644
--- a/kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml
+++ b/kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml
@@ -15,14 +15,13 @@ spec:
 namespace: flux-system
 values:
 fullnameOverride: k8s-gateway
- domain: "${DNS_SHORT} ${DNS_MAIN} ${DNS_VPN} ${DNS_STREAM}"
+ domain: "${DNS_SHORT} ${DNS_MAIN} ${DNS_VPN} ${DNS_STREAM} ${DNS_ME} ${DNS_HOME} ${DNS_INTERNAL} ${DNS_FUNNY}"
 fallthrough:
 enabled: true
 ttl: 1
 service:
 type: LoadBalancer
 port: 53
- externalTrafficPolicy: Cluster # Cilium DSR
 annotations:
 "io.cilium/lb-ipam-ips": "${APP_IP_K8S_GATEWAY}"
 extraZonePlugins:
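Review bot: In hr.yaml, removing `externalTrafficPolicy: Cluster # Cilium DSR` from the `service:` block also removes the only record of which traffic policy this port-53 LoadBalancer is meant to run with. The Service now takes whatever the chart or Kubernetes defaults to, which is presumably still `Cluster`, so behaviour may well be unchanged. The policy still decides whether CoreDNS sees real client addresses, which matters for query logging and for any source-based restriction on a resolver that this commit extends to `${DNS_ME}`, `${DNS_HOME}`, `${DNS_INTERNAL}` and `${DNS_FUNNY}`. I would leave a one-line comment in its place, for example `# externalTrafficPolicy left at the default (Cluster); Cilium DSR in use`, adjusted to what is actually intended. The `values:` block continues outside the hunk.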
@@ -36,14 +35,26 @@ spec:
 # Serves a /metrics endpoint on :9153, required for serviceMonitor
 - name: prometheus
 parameters: 0.0.0.0:9153
+ - &forward
+ name: forward
+ parameters: "${DNS_SHORT} ${UPSTREAM}"
+ configBlock: "policy sequential"
+ - <<: *forward
+ parameters: "${DNS_MAIN} ${UPSTREAM}"
+ - <<: *forward
+ parameters: "${DNS_VPN} ${UPSTREAM}"
+ - <<: *forward
+ parameters: "${DNS_STREAM} ${UPSTREAM}"
+ - <<: *forward
+ parameters: "${DNS_ME} ${UPSTREAM}"
+ - <<: *forward
+ parameters: "${DNS_HOME} ${UPSTREAM}"
+ - <<: *forward
+ parameters: "${DNS_INTERNAL} ${UPSTREAM}"
+ - <<: *forward
+ parameters: "${DNS_FUNNY} ${UPSTREAM}"
 - name: forward
- parameters: ${DNS_SHORT} ${IP_ROUTER_VLAN_K8S} 1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 1.1.1.2 1.1.1.3
- configBlock: policy sequential
- - name: forward
- parameters: ${DNS_MAIN} ${IP_ROUTER_VLAN_K8S} 1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 1.1.1.2 1.1.1.3
- configBlock: policy sequential
- - name: forward
- parameters: . /etc/resolv.conf
+ parameters: ". /etc/resolv.conf"
 - name: loop
 - name: reload
 - name: loadbalance
diff --git a/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml b/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml
index 67fc52d5..24ec5105 100644
--- a/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml
+++ b/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml
@@ -6,4 +6,7 @@ metadata:
 namespace: flux-system
 spec:
 path: ./kube/deploy/core/dns/internal/k8s-gateway/app
- dependsOn: []
\ No newline at end of file
+ dependsOn: []
+ postBuild:
+ substitute:
+ UPSTREAM: "${IP_ROUTER_VLAN_K8S} 1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 1.1.1.2 1.1.1.3"
\ No newline at end of file
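Review bot: In hr.yaml's `extraZonePlugins`, every new `forward` entry sends to `${UPSTREAM}`, including the ones for `${DNS_HOME}` and `${DNS_INTERNAL}`. ks.yaml defines `${UPSTREAM}` as the router followed by six public resolver addresses. With `policy sequential` the public addresses are used whenever the router is considered unhealthy, so names in those zones that k8s_gateway does not answer would then go in plain DNS to a third-party resolver. Whether those zones are internal-only is an inference from the variable names, since the values are encrypted. If they are, give them a router-only upstream, for example `parameters: "${DNS_INTERNAL} ${IP_ROUTER_VLAN_K8S}"`, and keep `${UPSTREAM}` for the public zones; the plugin list starts above the hunk.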
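Review bot: In ks.yaml the `UPSTREAM` value itself contains `${IP_ROUTER_VLAN_K8S}`, and nothing in the visible `postBuild` block supplies that variable. It is presumably expanded when a parent Kustomization applies ks.yaml. If it is not, the `forward` entries in hr.yaml would not get the router as their first upstream and would depend on the public resolvers alone. A comment above the value would make the dependency explicit, for example `# IP_ROUTER_VLAN_K8S is expanded by the parent Kustomization before this object is applied`. The file also still ends without a trailing newline.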