diff --git a/client/platforms/linux/daemon/linuxdaemon.cpp b/client/platforms/linux/daemon/linuxdaemon.cpp
index 7c2d95dba..0bd9c1580 100644
--- a/client/platforms/linux/daemon/linuxdaemon.cpp
+++ b/client/platforms/linux/daemon/linuxdaemon.cpp
@@ -15,6 +15,7 @@
 #include
 #include
+#include "linuxfirewall.h"
 #include "leakdetector.h"
 #include "logger.h"
@@ -50,3 +51,17 @@ LinuxDaemon* LinuxDaemon::instance() {
 Q_ASSERT(s_daemon);
 return s_daemon;
 }
+
+bool LinuxDaemon::run(Op op, const InterfaceConfig& config) {
+ if (!config.m_killSwitchEnabled || !LinuxFirewall::isInstalled()) {
+ return true;
+ }
+
+ if (op == Up) {
+ LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), true);
+ } else if (op == Down) {
+ LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), false);
+ }
+
+ return true;
+}
diff --git a/client/platforms/linux/daemon/linuxdaemon.h b/client/platforms/linux/daemon/linuxdaemon.h
index dbac8cee6..4f4116399 100644
--- a/client/platforms/linux/daemon/linuxdaemon.h
+++ b/client/platforms/linux/daemon/linuxdaemon.h
@@ -21,6 +21,7 @@ class LinuxDaemon final : public Daemon {
 static LinuxDaemon* instance();
 protected:
+ bool run(Op op, const InterfaceConfig& config) override;
 WireguardUtils* wgutils() const override { return m_wgutils; }
 DnsUtils* dnsutils() override { return m_dnsutils; }
 bool supportIPUtils() const override { return true; }
diff --git a/client/platforms/linux/daemon/wireguardutilslinux.cpp b/client/platforms/linux/daemon/wireguardutilslinux.cpp
index 1b7cddc8e..0eb8a7857 100644
--- a/client/platforms/linux/daemon/wireguardutilslinux.cpp
+++ b/client/platforms/linux/daemon/wireguardutilslinux.cpp
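Review bot: In `LinuxDaemon::run` (linuxdaemon.cpp), the early return on `!config.m_killSwitchEnabled` also short-circuits `op == Down`, so if the config passed at teardown has the kill switch off while it was on at `Up`, `310.blockDNS` stays enabled and IPv4 DNS remains blocked after disconnect. Keep only `if (!LinuxFirewall::isInstalled()) return true;` as the early return, enable with `if (op == Up && config.m_killSwitchEnabled)` and disable with a plain `else if (op == Down)`. With the kill switch off the anchor is now never enabled, so DNS-leak blocking depends on that setting; a comment above the function such as `// 310.blockDNS is only armed when the kill switch is on` would record that this is deliberate. The override does not call the base `Daemon::run`, whose body is not visible here, so confirm nothing in it is being skipped.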
@@ -479,7 +479,7 @@ void WireguardUtilsLinux::applyFirewallRules(FirewallParams& params)
 LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv6, QStringLiteral("250.blockIPv6"), true);
 LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("290.allowDHCP"), true);
 LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("300.allowLAN"), true);
- LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), true);
+ LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("310.blockDNS"), false);
 LinuxFirewall::updateDNSServers(params.dnsServers);
 LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
 LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);
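Review bot: The new `310.blockDNS` line in `applyFirewallRules` disables the anchor unconditionally, so any call that runs after `LinuxDaemon::run(Up, …)` has armed it will turn DNS blocking back off while the tunnel is up. The call order is not visible in this hunk; if `applyFirewallRules` can be re-entered later (reconnect, server switch, settings change), either drop this line and leave the anchor entirely to `run()`, or pass the kill-switch state in and use it as the third argument. At minimum, add a comment on the line such as `// 310.blockDNS is toggled by LinuxDaemon::run(); do not enable it here` so the next reader does not restore `true`. The function body starts and ends outside the hunk.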