diff --git a/create_ap b/create_ap
index ff46e78..eee7a2f 100755
--- a/create_ap
+++ b/create_ap
@@ -740,8 +740,14 @@ _cleanup() {
fi
if [[ "$SHARE_METHOD" != "bridge" ]]; then
- iptables -w -D INPUT -p tcp -m tcp --dport 53 -j ACCEPT
- iptables -w -D INPUT -p udp -m udp --dport 53 -j ACCEPT
+ if [[ $NO_DNS -eq 0 ]]; then
+ iptables -w -D INPUT -p tcp -m tcp --dport 5353 -j ACCEPT || die
+ iptables -w -D INPUT -p udp -m udp --dport 5353 -j ACCEPT || die
+ iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} \
+ -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 5353 || die
+ iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} \
+ -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353 || die
+ fi
iptables -w -D INPUT -p udp -m udp --dport 67 -j ACCEPT
fi
@@ -1708,9 +1714,13 @@ fi
# start dhcp + dns (optional)
if [[ "$SHARE_METHOD" != "bridge" ]]; then
if [[ $NO_DNS -eq 0 ]]; then
- DNS_PORT=53
+ DNS_PORT=5353
iptables -w -I INPUT -p tcp -m tcp --dport $DNS_PORT -j ACCEPT || die
iptables -w -I INPUT -p udp -m udp --dport $DNS_PORT -j ACCEPT || die
+ iptables -w -t nat -I PREROUTING -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} \
+ -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT || die
+ iptables -w -t nat -I PREROUTING -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} \
+ -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT || die
else
DNS_PORT=0
fi
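Review bot: The `|| die` appended to each of the four `-D` calls in `_cleanup` makes a rule that is simply not present fatal, so a teardown that runs after setup died part-way (say the udp INPUT insert succeeded but the nat REDIRECT insert never happened) stops at the first missing rule and leaves the port-67 ACCEPT and anything after it in the firewall; the removed lines carried no such guard, and depending on what `die` does it may even re-enter cleanup. Rule removal in a cleanup path is presumably meant to be best-effort, e.g. `iptables -w -t nat -D PREROUTING ... -j REDIRECT --to-ports 5353 2>/dev/null || true` for each of the four lines. The port is also hard-coded as 5353 here while the setup path uses `$DNS_PORT`, so the two can drift and the `-D` would then silently stop matching; reusing `$DNS_PORT` (or a single shared constant) keeps them aligned. `_cleanup` begins and ends outside the hunk.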
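Review bot: The two INPUT ACCEPT rules for `$DNS_PORT` have no source match, so the resolver now listening on 5353 is accepted from every interface including the upstream side, while the new nat REDIRECT rules directly below are correctly confined to `-s ${GATEWAY%.*}.0/24 -d ${GATEWAY}`; the old port-53 rules had the same gap, but 5353 is also the IANA mDNS port, so an unrestricted udp/5353 ACCEPT may additionally expose any mDNS responder on the host — worth confirming how dnsmasq is bound further down. Scoping the ACCEPTs like the REDIRECTs closes this: `iptables -w -I INPUT -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport $DNS_PORT -j ACCEPT || die` and the same for udp, with the corresponding `-D` in `_cleanup` changed to the identical rule spec or the delete will no longer match. The `/24` is assumed rather than derived from the gateway's netmask; if the surrounding file computes the prefix elsewhere, that value should be used here too. The outer `if` closes after the hunk ends.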