diff --git a/nftables-dns.conf b/nftables-ns1.conf
similarity index 100%
rename from nftables-dns.conf
rename to nftables-ns1.conf
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
new file mode 100644
index 0000000..2d34932
--- /dev/null
+++ b/nftables-ns2.conf
@@ -0,0 +1,71 @@
+#!/usr/bin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain prerouting-raw {
+        type filter hook prerouting priority raw
+
+        iif lo notrack accept
+        udp dport 53 notrack accept
+        tcp dport {22, 53} notrack accept
+        meta l4proto {icmp, ipv6-icmp} notrack accept
+    }
+
+    chain output-raw {
+        type filter hook output priority raw
+
+        oif lo notrack accept
+        udp sport 53 notrack accept
+        tcp sport {22, 53} notrack accept
+        meta l4proto {icmp, ipv6-icmp} notrack accept
+    }
+
+    chain input {
+        type filter hook input priority filter
+        policy drop
+
+        iif lo accept
+        udp dport 53 ip daddr {{ipv4_address}} accept
+        udp dport 53 ip daddr 198.251.90.93 accept
+        udp dport 53 ip6 daddr {{ipv6_address}} accept
+        tcp dport {22, 53} ip daddr {{ipv4_address}} accept
+        tcp dport 53 ip daddr 198.251.90.93 accept
+        tcp dport {22, 53} ip6 daddr {{ipv6_address}} accept
+        meta l4proto {icmp, ipv6-icmp} accept
+
+        ct state vmap { invalid : drop, established : accept, related : accept }
+
+        meta l4proto udp reject
+        meta l4proto tcp reject with tcp reset
+        reject
+    }
+
+    chain forward {
+        type filter hook forward priority filter
+        policy drop
+    }
+
+    chain output {
+        type filter hook output priority filter
+
+        oif lo goto output-internal
+        skuid != {root, systemd-network, unbound, chrony, powerdns, geoipupdate} counter goto output-reject
+    }
+
+    chain output-internal {
+        skuid unbound meta l4proto {tcp, udp} th sport 53 th dport >= 1024 accept
+        skuid {chrony, geoipupdate} meta l4proto {tcp, udp} th sport >= 1024 th dport 53 accept
+
+        skuid powerdns meta l4proto tcp th sport 80 th dport >= 1024 accept
+
+        skuid != root counter goto output-reject
+        accept
+    }
+
+    chain output-reject {
+        meta l4proto udp reject
+        meta l4proto tcp reject with tcp reset
+        reject
+    }
+}