diff --git a/nix/nixos-module/container/dnscache.nix b/nix/nixos-module/container/dnscache.nix
index 9d8c076..75fdcdf 100644
--- a/nix/nixos-module/container/dnscache.nix
+++ b/nix/nixos-module/container/dnscache.nix
@@ -25,20 +25,36 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
 interface = [ "0.0.0.0" "'::0'" ];
 # TODO: generate
- access-control = [
+ access-control = builtins.concatLists [
+ [ # localhost
+ "::1/128 allow"
+ "127.0.0.0/8 allow"
+ ]
+ [ # mgmt
+ "${config.site.net.mgmt.subnet4} allow"
+ ]
+ [ # dn42
 "fd23:42:c3d2:500::/56 allow"
- "2a00:8180:2000:37::1/128 allow"
- "2a00:8180:2c00:200::/56 allow"
 "::172.20.72.0/117 allow"
 "::172.22.99.0/120 allow"
- "::1/128 allow"
 "172.20.72.0/21 allow"
- "10.0.0.0/24 allow"
- "10.200.0.0/15 allow"
 "172.22.99.0/24 allow"
- "127.0.0.0/8 allow"
+ ]
+ [ # freifunk
+ "10.200.0.0/15 allow"
+ ]
+ [ # DSI
+ "2a00:8180:2000:37::1/128 allow"
+ "2a00:8180:2c00:200::/56 allow"
+ ]
+ [ # flpk
+ "${config.site.net.flpk.subnet4} allow"
+ ]
+ (map (s: "${s} allow") (builtins.attrValues config.site.net.flpk.subnets6))
+ [ # default
 "0.0.0.0/0 deny"
 "::/0 deny"
+ ]
 ];
 # For DNS over TLS
 tls-cert-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
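Review bot: The old `10.0.0.0/24 allow` entry is removed and nothing in the hunk states that `config.site.net.mgmt.subnet4` is its replacement; if that option resolves to a different or wider prefix, either mgmt hosts lose resolver access or the cache becomes reachable from more of 10/8 than before, so the commit should say which prefix `mgmt.subnet4` carries. The `# TODO: generate` comment is now stale since the mgmt and flpk groups are derived from `config.site.net`; consider `# TODO: generate dn42/freifunk/DSI groups from config.site.net too` so it is clear which entries are still hand-maintained. Because the listener stays on `0.0.0.0` and `::0`, the two trailing deny entries are the only thing keeping this from being an open resolver, and unbound evaluates `access-control` by longest-prefix match rather than list position, so a comment such as `# default: deny everything not matched above (longest prefix wins, order is irrelevant)` next to `# default` would prevent a future edit from assuming the list is order-sensitive. The enclosing attribute set starts and ends outside the hunk.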