diff --git a/aws/aws-output.tf b/aws/aws-output.tf
index 0638c1d..42b13bf 100644
--- a/aws/aws-output.tf
+++ b/aws/aws-output.tf
@@ -7,7 +7,7 @@ output "pihole-web-msg" {
 }
 
 output "pihole-web-vpn-msg" {
-  value = "pihole webUI also available (when on Wireguard VPN) @ https://${var.docker_pihole}/admin/"
+  value = "pihole webUI also available (when on Wireguard VPN) @ https://${var.docker_webproxy}/admin/"
 }
 
 output "ph-wireguard-msg" {
diff --git a/azure/az-generic.tf b/azure/az-generic.tf
index 09872c7..d1711a3 100644
--- a/azure/az-generic.tf
+++ b/azure/az-generic.tf
@@ -73,6 +73,11 @@ variable "mgmt_cidr" {
   description = "A subnet (in CIDR notation) granted SSH, WebUI, and (if dns_novpn = 1) DNS access to virtual machine instance. Deploying from home? This is your public ip with a /32, e.g. 1.2.3.4/32"
 }
 
+variable "client_cidrs" {
+  type        = list
+  description = "List of subnets (in CIDR notation) granted access to DNS without VPN"
+}
+
 variable "ph_password" {
   type        = string
   description = "Password for Pihole WebUI access"
diff --git a/azure/az-network.tf b/azure/az-network.tf
index b64c3fe..cf29e49 100644
--- a/azure/az-network.tf
+++ b/azure/az-network.tf
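Review bot: `type = list` on the new `client_cidrs` variable in az-generic.tf is the legacy untyped form, so a stray number or nested list is accepted at variable level and only fails later when it reaches `source_address_prefixes`; use `type = list(string)`, and a `default = []` would let the variable be omitted instead of requiring the tfvars entry. The identical block added to gcp/gcp-generic.tf further down this diff has the same shape. If the Terraform version in use supports variable validation, a check such as `condition = alltrue([for c in var.client_cidrs : can(cidrnetmask(c))])` with an error message naming the bad entry would reject malformed IPv4 CIDRs at plan time rather than apply time. The aws-output hunk on this line is a plain variable rename and needs nothing.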
@@ -103,3 +103,33 @@ resource "azurerm_network_security_rule" "ph-net-rule-dnsudp" {
   source_address_prefix = var.mgmt_cidr
   destination_address_prefixes = [var.az_subnet_cidr]
 }
+
+resource "azurerm_network_security_rule" "ph-net-rule-clients-dnstcp" {
+  count = length(var.client_cidrs) == 0 ? 0 : 1
+  name = "${var.ph_prefix}-net-rule-clients-dnstcp"
+  resource_group_name = azurerm_resource_group.ph-resourcegroup.name
+  network_security_group_name = azurerm_network_security_group.ph-net-sec.name
+  priority = 202
+  direction = "Inbound"
+  access = "Allow"
+  protocol = "Tcp"
+  source_port_range = "*"
+  destination_port_range = "53"
+  source_address_prefixes = var.client_cidrs
+  destination_address_prefixes = [var.az_subnet_cidr]
+}
+
+resource "azurerm_network_security_rule" "ph-net-rule-clients-dnsudp" {
+  count = length(var.client_cidrs) == 0 ? 0 : 1
+  name = "${var.ph_prefix}-net-rule-clients-dnsudp"
+  resource_group_name = azurerm_resource_group.ph-resourcegroup.name
+  network_security_group_name = azurerm_network_security_group.ph-net-sec.name
+  priority = 203
+  direction = "Inbound"
+  access = "Allow"
+  protocol = "Udp"
+  source_port_range = "*"
+  destination_port_range = "53"
+  source_address_prefixes = var.client_cidrs
+  destination_address_prefixes = [var.az_subnet_cidr]
+}
diff --git a/azure/az-output.tf b/azure/az-output.tf
index d78cbad..d351d59 100644
--- a/azure/az-output.tf
+++ b/azure/az-output.tf
@@ -7,7 +7,7 @@ output "wireguard-msg" {
 }
 
 output "pihole-web-vpn-msg" {
-  value = "pihole webUI also available (when on Wireguard VPN) @ https://${var.docker_pihole}/admin/"
+  value = "pihole webUI also available (when on Wireguard VPN) @ https://${var.docker_webproxy}/admin/"
 }
 
 output "pihole-web-msg" {
diff --git a/azure/az.tfvars b/azure/az.tfvars
index e7448db..6c87e9d 100644
--- a/azure/az.tfvars
+++ b/azure/az.tfvars
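Review bot: Nothing bounds how wide `source_address_prefixes = var.client_cidrs` may be in the two new NSG rules, so a value such as `0.0.0.0/0` exposes port 53 of the Pi-hole to the whole Internet and turns it into an open resolver, a classic DNS amplification target; the existing `mgmt_cidr` path avoids this only by documentation, which asks for a single /32. Reject the unspecified prefix in the variable's validation (the variable lives in az-generic.tf, outside this hunk) or at least state the risk in its description. Priorities 202 and 203 are assumed free; the priorities of the existing `ph-net-rule-*` resources are outside the hunk and should be checked for collisions. The two resources differ only in `protocol`, `priority` and `name`, so a single resource with `for_each` over a small map of `{ dnstcp = { proto = "Tcp", prio = 202 }, dnsudp = { proto = "Udp", prio = 203 } }` would keep them from drifting apart.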
@@ -19,6 +19,10 @@ vpn_traffic = "dns"
 # a value of 1 permits mgmt_cidr access to DNS without the VPN
 dns_novpn = 1
 
+# additional client networks granted access pihole DNS without the VPN, example format:
+# client_cidrs = ["127.0.0.1/32","8.8.8.8/32"]
+client_cidrs = []
+
 ## UNCOMMON ##
 # An azure region (and zone), use the following command for a list of region names (use the varsfile value):
 # az account list-locations --query "[?metadata.regionType=='Physical'].{varsfile:displayName, cli:name}" --output table
diff --git a/gcp/gcp-generic.tf b/gcp/gcp-generic.tf
index 4047c56..27cced9 100644
--- a/gcp/gcp-generic.tf
+++ b/gcp/gcp-generic.tf
@@ -30,6 +30,11 @@ variable "mgmt_cidr" {
   description = "The subnet in CIDR notation able to reach the instance via SSH, HTTPS, and (if dns_novpn = 1) DNS."
 }
 
+variable "client_cidrs" {
+  type        = list
+  description = "List of subnets (in CIDR notation) granted access to DNS without VPN"
+}
+
 variable "vpn_cidr" {
   type        = string
   description = "The subnet in CIDR notation able to reach the instance via Wireguard VPN."
diff --git a/gcp/gcp-network.tf b/gcp/gcp-network.tf
index 5ec2406..a43e232 100644
--- a/gcp/gcp-network.tf
+++ b/gcp/gcp-network.tf
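Review bot: The new comment in az.tfvars reads `granted access pihole DNS`, missing "to", and its example `8.8.8.8/32` is Google's public resolver, an odd illustration of a client network that would be granted unfiltered inbound DNS; a documentation-range placeholder such as `203.0.113.0/24` reads clearer and cannot be copied into a grant by accident. The same two comment lines are added to gcp/gcp.tfvars later in this diff, so both should change together. Since every entry here bypasses the VPN, one more sentence such as `# keep these as narrow as possible; never 0.0.0.0/0` would save a user from exposing an open resolver.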
@@ -59,3 +59,28 @@ resource "google_compute_firewall" "ph-firewall-mgmt-dnsudp" {
     ports = ["53"]
   }
 }
+
+# client_cidrs
+resource "google_compute_firewall" "ph-firewall-client-dnstcp" {
+  count = length(var.client_cidrs) == 0 ? 0 : 1
+  name = "${var.ph_prefix}-firewall-client-dnstcp"
+  project = google_project.ph-project.project_id
+  network = google_compute_network.ph-network.self_link
+  source_ranges = var.client_cidrs
+  allow {
+    protocol = "tcp"
+    ports = ["53"]
+  }
+}
+
+resource "google_compute_firewall" "ph-firewall-client-dnsudp" {
+  count = length(var.client_cidrs) == 0 ? 0 : 1
+  name = "${var.ph_prefix}-firewall-client-dnsudp"
+  project = google_project.ph-project.project_id
+  network = google_compute_network.ph-network.self_link
+  source_ranges = var.client_cidrs
+  allow {
+    protocol = "udp"
+    ports = ["53"]
+  }
+}
diff --git a/gcp/gcp-output.tf b/gcp/gcp-output.tf
index 4cc41ec..100bc44 100644
--- a/gcp/gcp-output.tf
+++ b/gcp/gcp-output.tf
@@ -3,7 +3,7 @@ output "pihole-web-msg" {
 }
 
 output "pihole-web-vpn-msg" {
-  value = "pihole webUI also available (when on Wireguard VPN) @ https://${var.docker_pihole}/admin/"
+  value = "pihole webUI also available (when on Wireguard VPN) @ https://${var.docker_webproxy}/admin/"
 }
 
 output "wireguard-msg" {
diff --git a/gcp/gcp.tfvars b/gcp/gcp.tfvars
index 8f152c6..d58e55e 100644
--- a/gcp/gcp.tfvars
+++ b/gcp/gcp.tfvars
@@ -22,6 +22,10 @@ vpn_traffic = "dns"
 # a value of 1 permits mgmt_cidr access to DNS without the VPN
 dns_novpn = 1
 
+# additional client networks granted access pihole DNS without the VPN, example format:
+# client_cidrs = ["127.0.0.1/32","8.8.8.8/32"]
+client_cidrs = []
+
 ## UNCOMMON ##
 gcp_region = "us-east1"
 gcp_zone = "b"
diff --git a/oci/oci-output.tf b/oci/oci-output.tf
index 6473bca..fc6495a 100644
--- a/oci/oci-output.tf
+++ b/oci/oci-output.tf
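Review bot: The two new `google_compute_firewall` rules set neither `target_tags` nor `target_service_accounts`, so they admit port 53 from `client_cidrs` to every instance in `ph-network`, not only the Pi-hole VM; whether the existing `ph-firewall-mgmt-*` rules scope their targets is outside this hunk, but if they do, these should match. The bare `# client_cidrs` comment above the first resource says little; something like `# DNS from client_cidrs without the VPN; both rules are skipped when the list is empty` explains the `count` expression to the next reader. The unbounded width of `client_cidrs` noted on the Azure rules applies here as well, since `source_ranges` accepts `0.0.0.0/0` without complaint.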
@@ -11,5 +11,5 @@ output "pihole-web-msg" {
 }
 
 output "pihole-web-vpn-msg" {
-  value = "pihole webUI also available (when on Wireguard VPN) @ https://${var.docker_pihole}/admin/"
+  value = "pihole webUI also available (when on Wireguard VPN) @ https://${var.docker_webproxy}/admin/"
 }