diff --git a/self-host/advanced/wild-card-domains.mdx b/self-host/advanced/wild-card-domains.mdx
index 5a5b3b4..0d0dd47 100644
--- a/self-host/advanced/wild-card-domains.mdx
+++ b/self-host/advanced/wild-card-domains.mdx
@@ -255,6 +255,12 @@ Traefik supports most DNS providers. You can find a full list of supported provi
   - Check API token permissions and scope
   - Ensure DNS propagation has completed
   - Review provider-specific configuration
+
+  <Info>
+  **Known issue with Netcup**: DNS-01 can fail on Netcup due to how their provider firewall handles UDP. DNS replies may be treated as inbound traffic **from source port `53`** and get dropped.
+
+  **Workaround**: Allow **ingress UDP** with **source port `53`** (to your server's UDP ports, or `ANY`). Repeat this for other UDP-based services if needed.
+  </Info>
 </Accordion>
 
 <Accordion title="Old certificates still being used">
@@ -262,4 +268,4 @@ Traefik supports most DNS providers. You can find a full list of supported provi
   
   **Solution**: Delete the `acme.json` file to force new certificate generation.
 </Accordion>
-</AccordionGroup>
\ No newline at end of file
+</AccordionGroup>