diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index 558c1ea..828b35f 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@@ -44,11 +44,11 @@ table inet filter {
 # ordered after accepting loopback to permit using external IPs via loopback
 fib daddr . iif type != { local, broadcast, multicast } counter drop
+ udp dport 53 notrack accept
+
 # reject SSH packets via anycast IP
 tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
- udp dport 53 notrack accept
-
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept