diff --git a/hosts/h001/mods/adguardhome.nix b/hosts/h001/mods/adguardhome.nix
index 314e469..6dcdddd 100644
--- a/hosts/h001/mods/adguardhome.nix
+++ b/hosts/h001/mods/adguardhome.nix
@@ -10,20 +10,22 @@
 };
 networking.firewall.allowedTCPPorts = [
- 53
- 67
- 68
- 5543
- 3000
+ 53 # DNS
+ 68 # DHCP
+ 5543 # DNSCrypt
+ # 3000 # Initial installation
+ 80 # admin panel
+ 443 # admin panel
+ 853 # DNS over tls
+ # 6060 # Debugging profile
 ];
 networking.firewall.allowedUDPPorts = [
- 53
- 67
- 68
- 784
- 853
- 8853
- 5443
+ 53 # DNS
+ # 67 # DHCP
+ # 68 # DHCP
+ 443 # Admin panel/https dns over https
+ 853 # DNS over quic
+ 5443 # DNSCrypt
 ];
 };
 }
diff --git a/hosts/h003/flake.nix b/hosts/h003/flake.nix
index 7dae316..03d7af8 100644
--- a/hosts/h003/flake.nix
+++ b/hosts/h003/flake.nix
@@ -29,7 +29,7 @@
 ros_neovim.nixosModules.default
 ./configuration.nix
 ./hardware-configuration.nix
- ./networking.nix
+ ./mods
 (
 { config, pkgs, ... }:
 {
diff --git a/hosts/h003/mods/adguardhome.nix b/hosts/h003/mods/adguardhome.nix
new file mode 100644
index 0000000..c74e32d
--- /dev/null
+++ b/hosts/h003/mods/adguardhome.nix
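Review bot: Two of the new port comments in the h001 hunk look wrong and keep ports open that nothing should be using: `68 # DHCP` stays in `allowedTCPPorts` although DHCP runs only over UDP 67/68, and TCP `5543 # DNSCrypt` does not match UDP `5443 # DNSCrypt` (5443 is the port AdGuard Home's documentation uses for DNSCrypt, so 5543 is probably a typo). I would drop the TCP 68 entry and change the TCP line to `5443 # DNSCrypt`, or remove both DNSCrypt entries if DNSCrypt is not configured. The admin panel ports 80 and 443 are added to the global `networking.firewall.allowedTCPPorts`, which applies to every interface of h001; if the host has an interface that should not reach the panel, scope them with `networking.firewall.interfaces.<name>.allowedTCPPorts` as the h003 file in this commit does. The same TCP 68 and 5543 entries are repeated in both VLAN lists of hosts/h003/mods/adguardhome.nix. The `services.adguardhome` block sits above the hunk, so whether DHCP or DNSCrypt is enabled on h001 is not visible here.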
@@ -0,0 +1,50 @@
+{
+ ...
+}:
+{
+ config = {
+ services.adguardhome = {
+ enable = true;
+ allowDHCP = true;
+ openFirewall = false;
+ };
+
+ networking.firewall.interfaces.vlan20.allowedTCPPorts = [
+ 53 # DNS
+ 68 # DHCP
+ 5543 # DNSCrypt
+ 3000 # Initial installation
+ 80 # admin panel
+ 443 # admin panel
+ 853 # DNS over tls
+ # 6060 # Debugging profile
+ ];
+ networking.firewall.interfaces.vlan20.allowedUDPPorts = [
+ 53 # DNS
+ # 67 # DHCP
+ # 68 # DHCP
+ 443 # Admin panel/https dns over https
+ 853 # DNS over quic
+ 5443 # DNSCrypt
+ ];
+
+ networking.firewall.interfaces.vlan30.allowedTCPPorts = [
+ 53 # DNS
+ 68 # DHCP
+ 5543 # DNSCrypt
+ 3000 # Initial installation
+ 80 # admin panel
+ 443 # admin panel
+ 853 # DNS over tls
+ # 6060 # Debugging profile
+ ];
+ networking.firewall.interfaces.vlan30.allowedUDPPorts = [
+ 53 # DNS
+ # 67 # DHCP
+ # 68 # DHCP
+ 443 # Admin panel/https dns over https
+ 853 # DNS over quic
+ 5443 # DNSCrypt
+ ];
+ };
+}
diff --git a/hosts/h003/mods/default.nix b/hosts/h003/mods/default.nix
new file mode 100644
index 0000000..25f72a0
--- /dev/null
+++ b/hosts/h003/mods/default.nix
@@ -0,0 +1,9 @@
+{
+ ...
+}:
+{
+ imports = [
+ ./networking.nix
+ ./adguardhome.nix
+ ];
+}
diff --git a/hosts/h003/networking.nix b/hosts/h003/mods/networking.nix
similarity index 97%
rename from hosts/h003/networking.nix
rename to hosts/h003/mods/networking.nix
index 5688493..4da990e 100644
--- a/hosts/h003/networking.nix
+++ b/hosts/h003/mods/networking.nix
@@ -179,6 +179,7 @@
 "vlan30"
 ];
 bind-interfaces = true;
+ port = 0; # DISABLE DNS we are using ad guard for that
 # DHCP range and settings
 dhcp-range = [
@@ -192,7 +193,8 @@
 dhcp-option = [
 "tag:mng,option:router,10.12.16.1"
 "tag:lan,option:router,10.12.14.1"
- # "option:dns-server,10.12.14.1,1.1.1.1,8.8.8.8"
+ "tag:mng,option:dns-server,10.12.16.1"
+ "tag:lan,option:dns-server,10.12.14.1"
 ];
 # Static DHCP reservations
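Review bot: `3000 # Initial installation` is left open on both vlan20 and vlan30 in the new hosts/h003/mods/adguardhome.nix, while the h001 change in this same commit comments it out. The first-run setup page on that port is where the admin credentials get chosen, so I would open it only for the duration of the setup and then commit `# 3000 # Initial installation`. `allowDHCP = true` also looks unneeded: the NixOS option grants the service raw-socket capability for AdGuard Home's built-in DHCP server, but DHCP on this host appears to be served by dnsmasq (the `dhcp-range`/`dhcp-option` settings in mods/networking.nix) and UDP 67 is commented out here, so `allowDHCP = false;` would be the least-privilege setting. The admin panel ports 80/443 are opened identically on both VLANs; if only one of them is the management network, keep the panel there. Since the two interface blocks are copies of each other, a `let` binding holding the TCP and UDP lists would stop them drifting apart.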
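Review bot: After `port = 0;` dnsmasq no longer answers DNS, and the new `option:dns-server` lines in hosts/h003/mods/networking.nix hand every client exactly one resolver (10.12.16.1 or 10.12.14.1), so name resolution on both networks now depends on AdGuard Home listening on those two addresses. Nothing in this commit pins that: hosts/h003/mods/adguardhome.nix sets no `services.adguardhome.settings`, so the bind addresses and upstreams presumably come from the web setup and live outside the repository. I would either declare them in `settings` or at least record the dependency next to the option, e.g. `port = 0; # dnsmasq serves DHCP only; AdGuard Home must listen on 10.12.16.1 and 10.12.14.1 port 53`. Dropping the public fallback resolvers from the old commented line is the right call for filtering, since a client given 1.1.1.1 as a secondary would bypass AdGuard Home. Both hunks sit inside a settings block that starts and ends outside the visible lines.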