From 4ac01fecf948ea4070aa953f710ab123ac01f3ca Mon Sep 17 00:00:00 2001 From: Laurence Date: Wed, 18 Feb 2026 07:48:26 +0000 Subject: [PATCH 1/2] enhance: clarify Netcup DNS-01 UDP firewall workaround --- self-host/advanced/wild-card-domains.mdx | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/self-host/advanced/wild-card-domains.mdx b/self-host/advanced/wild-card-domains.mdx index 5a5b3b4..0d0dd47 100644 --- a/self-host/advanced/wild-card-domains.mdx +++ b/self-host/advanced/wild-card-domains.mdx @@ -255,6 +255,12 @@ Traefik supports most DNS providers. You can find a full list of supported provi - Check API token permissions and scope - Ensure DNS propagation has completed - Review provider-specific configuration + + + **Known issue with Netcup**: DNS-01 can fail on Netcup due to how their provider firewall handles UDP. DNS replies may be treated as inbound traffic **from source port `53`** and get dropped. + + **Workaround**: Allow **ingress UDP** with **source port `53`** (to your server's UDP ports, or `ANY`). Repeat this for other UDP-based services if needed. + @@ -262,4 +268,4 @@ Traefik supports most DNS providers. You can find a full list of supported provi **Solution**: Delete the `acme.json` file to force new certificate generation. - \ No newline at end of file + From fae58ba9fb0fc856c18b598f531101887f2ef757 Mon Sep 17 00:00:00 2001 From: Laurence Date: Wed, 18 Feb 2026 07:56:13 +0000 Subject: [PATCH 2/2] reword it to be generic instead of focusing on netcup --- self-host/advanced/wild-card-domains.mdx | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/self-host/advanced/wild-card-domains.mdx b/self-host/advanced/wild-card-domains.mdx index 0d0dd47..a3db599 100644 --- a/self-host/advanced/wild-card-domains.mdx +++ b/self-host/advanced/wild-card-domains.mdx 
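Review bot: In the first hunk of this patch (the new Netcup paragraph after "- Review provider-specific configuration"), the workaround text "(to your server's UDP ports, or `ANY`)" points the reader at the wrong side of the rule: the replies being dropped are answers to queries the ACME client sent from an ephemeral port, so the destination of the ingress rule must be any port (or the ephemeral range), while the fixed value is the source port `53`. Suggest wording it as "Allow ingress UDP with source port `53` and any destination port" so nobody tries to narrow it to a list of listening ports. "Repeat this for other UDP-based services if needed" also gives the reader nothing to act on; either name the typical case (replies from other fixed UDP source ports such as NTP) or drop the sentence. If the note is kept, it is worth one extra clause that DNS falls back to TCP port 53 for truncated responses, which a stateless firewall will drop for the same reason. The second hunk only adds the missing newline at end of file and is fine.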
@@ -255,12 +255,8 @@ Traefik supports most DNS providers. You can find a full list of supported provi - Check API token permissions and scope - Ensure DNS propagation has completed - Review provider-specific configuration + - If your DNS provider has a firewall in place, ensure it allows incoming DNS traffic (typically UDP on port **53**). Adding an ingress rule to permit such traffic may help resolve the issue, especially if the firewall is stateless. - - **Known issue with Netcup**: DNS-01 can fail on Netcup due to how their provider firewall handles UDP. DNS replies may be treated as inbound traffic **from source port `53`** and get dropped. - - **Workaround**: Allow **ingress UDP** with **source port `53`** (to your server's UDP ports, or `ANY`). Repeat this for other UDP-based services if needed. -
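Review bot: The generic bullet that replaces the Netcup paragraph in this hunk loses the one detail that made it actionable and names the wrong actor. The firewall that drops the packets is the hosting provider's firewall in front of the server, not the "DNS provider", and the traffic to permit is inbound UDP from source port `53` (the resolver's replies to the client's propagation checks), which the removed text stated correctly as "from source port `53`". "Incoming DNS traffic (typically UDP on port **53**)" reads as destination port 53, i.e. running a DNS server, and an ingress rule written that way will not fix the failure. Suggest: "- If your server sits behind a stateless provider firewall, allow inbound UDP from source port `53` to any port; otherwise DNS replies to the ACME client's propagation checks are dropped and DNS-01 times out." Keep "especially if the firewall is stateless", since a stateful firewall would already admit the replies.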