diff --git a/daemon/firewall/rules.go b/daemon/firewall/rules.go
index ef4c8088..f58961aa 100644
--- a/daemon/firewall/rules.go
+++ b/daemon/firewall/rules.go
@@ -32,6 +32,27 @@ func RunRule(enable bool, rule []string) (err error) {
 // INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
 func QueueDNSResponses(enable bool, queueNum int) (err error) {
+ // If enable, we're going to insert as #1, not append
+ if enable {
+ // FIXME: this is basically copy/paste of RunRule() above b/c we can't
+ // shoehorn "-I" with the boolean 'enable' switch
+ rule := []string{
+ "-I",
+ "INPUT",
+ "1",
+ "--protocol", "udp",
+ "--sport", "53",
+ "-j", "NFQUEUE",
+ "--queue-num", fmt.Sprintf("%d", queueNum),
+ "--queue-bypass",
+ }
+ lock.Lock()
+ defer lock.Unlock()
+ _, err := core.Exec("iptables", rule)
+ return err
+ }
+
+ // Otherwise, it's going to be disable
 return RunRule(enable, []string{
 "INPUT",
 "--protocol", "udp",