diff --git a/files/etc/cron.hourly/check-supernodes b/files/etc/cron.hourly/check-supernodes
index 01cd2ed4..6ffe93e0 100755
--- a/files/etc/cron.hourly/check-supernodes
+++ b/files/etc/cron.hourly/check-supernodes
@@ -51,17 +51,28 @@ if c:get("aredn", "@supernode[0]", "support") == "0" then
 	os.exit(0)
 end
 
--- Find the first supernode to use as a nameserver
-local dns = ""
+-- Find the closest supernode to use as a nameserver
+local sn = {}
 for _, hna in ipairs(aredn.olsr.getOLSRHNA())
 do
 	if hna.genmask == 8 and hna.destination == "10.0.0.0" then
-		dns = "#" .. hna.gateway .. "\nserver=/local.mesh/" .. hna.gateway .. "\nrev-server=10.0.0.0/8," .. hna.gateway .. "\nrev-server=172.31.0.0/16," .. hna.gateway .. "\nrev-server=172.30.0.0/16," .. hna.gateway .. "\n"
+		sn[hna.gateway] = true
 		break
 	end
 end
+local best = { destination = nil, etx = 99999999 }
+for _, route in ipairs(aredn.olsr.getOLSRRoutes())
+do
+	if sn[route.destination] and route.etx < best.etx then
+		best = route
+	end
+end
+if not best.destination then
+	os.exit(0)
+end
 
--- Updae the dns and restart network if necessary
+-- Update the dns and restart network if necessary
+local dns = "#" .. best.destination .. "\nserver=/local.mesh/" .. best.destination .. "\nrev-server=10.0.0.0/8," ..best.destination .. "\nrev-server=172.31.0.0/16," .. best.destination .. "\nrev-server=172.30.0.0/16," .. best.destination .. "\n"
 local odns = ""
 local f = io.open(dns_file)
 if f then
diff --git a/files/etc/local/mesh-firewall/13-supernode-rules b/files/etc/local/mesh-firewall/13-supernode-rules
index 00e0a1cd..99449126 100755
--- a/files/etc/local/mesh-firewall/13-supernode-rules
+++ b/files/etc/local/mesh-firewall/13-supernode-rules
@@ -36,6 +36,8 @@ SUPERNODE_ENABLE=$(/sbin/uci -q get aredn.@supernode[0].enable)
 
 if [ "${SUPERNODE_ENABLE}" = "1" ]; then
     nft insert rule ip fw4 input_dtdlink udp dport 53 accept comment \"dns access\" 2> /dev/null
-    nft insert rule ip fw4 input_dtdlink tcp dport 53 accept comment \"dns access\" > /dev/null
+    nft insert rule ip fw4 input_dtdlink tcp dport 53 accept comment \"dns access\" 2> /dev/null
+    nft insert rule ip fw4 input_vpn udp dport 53 accept comment \"dns access\" 2> /dev/null
+    nft insert rule ip fw4 input_vpn tcp dport 53 accept comment \"dns access\" 2> /dev/null
     ip route add blackhole 10.0.0.0/8 table 30
 fi