diff --git a/bin/srfirewall b/bin/srfirewall
index 8fbe195..a658dda 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -38,6 +38,12 @@ source "${FWCONFIGDIR}/chains.conf"
 source "${FWCONFIGDIR}/ipv4.conf"
 source "${FWCONFIGDIR}/ipv6.conf"
 
+# The local.conf file can be used to override any of the above files without having to worry
+# about changes being overwritten when upgrading.  Mostly useful for people who use a package
+# manager.
+[[ -e "{FWCONFIGDIR}/local.conf" ]] && source "{FWCONFIGDIR}/local.conf"
+
+
 # We require at least bash v3 or later at this point given some of the more complex
 # operations we do to make the firewall script work.
 if (( ${BASH_VERSINFO[0]} <= "2" )); then
diff --git a/lib/iptables.inc b/lib/iptables.inc
index db607d7..070ed95 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -232,12 +232,21 @@ function allow_dnsclient_manual {
 	esac
 	DNS_SERVERS="$2"
 	${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
+	use_conntrack="no"
+	([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
+	([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
 	for i in ${DNS_SERVERS}; do
-		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to DNS client trusted list"
-		${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
-		${VER_IPTABLES} -A ${InPreRules} -p udp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
-		${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
-		${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
+		if [[ ${use_conntrack} == "yes" ]]; then
+			${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
+			${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${i} --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
+			${VER_IPTABLES} -A ${InPreRules} -p udp -s ${i} --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
+		else
+			${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to DNS client trusted list"
+			${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
+			${VER_IPTABLES} -A ${InPreRules} -p udp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
+			#${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
+			#${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
+		fi
 	done
 	${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 }