diff --git a/hosts/by-name/servo/services/ejabberd.nix b/hosts/by-name/servo/services/ejabberd.nix
index 444e6649..7917ee9e 100644
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@@ -51,52 +51,61 @@ lib.mkIf false
 {
 "3478" = {
 protocol = [ "tcp" "udp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-stun-turn";
 };
 "5222" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-client-to-server";
 };
 "5223" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpps-client-to-server"; # XMPP over TLS
 };
 "5269" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.wan = true;
 description = "colin-xmpp-server-to-server";
 };
 "5270" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.wan = true;
 description = "colin-xmpps-server-to-server"; # XMPP over TLS
 };
 "5280" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-bosh";
 };
 "5281" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-bosh-https";
 };
 "5349" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-stun-turn-over-tls";
 };
 "5443" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-web-services"; # file uploads, websockets, admin
@@ -109,6 +118,7 @@ lib.mkIf false
 numPorts = turnPortHigh - turnPortLow + 1;
 in {
 protocol = [ "tcp" "udp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-turn-${builtins.toString count}-of-${builtins.toString numPorts}";
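Review bot: In ejabberd.nix the entry for port 5443 is described by its own trailing comment as carrying file uploads, websockets and admin, and the added `visibleTo.doof = true;` publishes that admin surface on one more network. If the admin endpoint does not need to be reachable there, leave the doof line off this entry or serve admin from a listener that is not exposed. The hunk header context reads `lib.mkIf false`, which suggests the module is currently disabled, so this would only matter once it is re-enabled; the enclosing attribute set starts and ends outside the hunk. None of the lines added across this commit say what `doof` is, so a one-line comment at the first occurrence, e.g. `# doof: <which network this is and who can reach it>`, would let a reader judge each exposure.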
diff --git a/hosts/by-name/servo/services/email/dovecot.nix b/hosts/by-name/servo/services/email/dovecot.nix
index 85c39b76..946988df 100644
--- a/hosts/by-name/servo/services/email/dovecot.nix
+++ b/hosts/by-name/servo/services/email/dovecot.nix
@@ -8,12 +8,14 @@
 {
 sane.ports.ports."143" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-imap-imap.uninsane.org";
 };
 sane.ports.ports."993" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-imaps-imap.uninsane.org";
diff --git a/hosts/by-name/servo/services/export/sftpgo/default.nix b/hosts/by-name/servo/services/export/sftpgo/default.nix
index 5dbb5022..7863b439 100644
--- a/hosts/by-name/servo/services/export/sftpgo/default.nix
+++ b/hosts/by-name/servo/services/export/sftpgo/default.nix
@@ -32,6 +32,7 @@ in
 };
 "990" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-FTPS server";
@@ -41,6 +42,7 @@ in
 name = builtins.toString port;
 value = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-FTP server data port range";
diff --git a/hosts/by-name/servo/services/gitea.nix b/hosts/by-name/servo/services/gitea.nix
index 9baf14a8..32bf02d7 100644
--- a/hosts/by-name/servo/services/gitea.nix
+++ b/hosts/by-name/servo/services/gitea.nix
@@ -134,6 +134,7 @@
 protocol = [ "tcp" ];
 visibleTo.lan = true;
 visibleTo.wan = true;
+ visibleTo.doof = true;
 description = "colin-git@git.uninsane.org";
 };
 }
diff --git a/hosts/by-name/servo/services/ntfy/ntfy-waiter.nix b/hosts/by-name/servo/services/ntfy/ntfy-waiter.nix
index d7393bff..91d96bbb 100644
--- a/hosts/by-name/servo/services/ntfy/ntfy-waiter.nix
+++ b/hosts/by-name/servo/services/ntfy/ntfy-waiter.nix
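Review bot: In dovecot.nix port 143 is the IMAP port on which a session starts in cleartext, and the added `visibleTo.doof = true;` makes it reachable from a further network alongside 993. Whether dovecot refuses authentication before STARTTLS is not visible in this hunk, so either confirm that it does or keep the doof line on the 993 entry only. A comment on the 143 entry such as `# relies on dovecot requiring STARTTLS before auth` would record the assumption next to the exposure.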
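Review bot: In gitea.nix the new `visibleTo.doof = true;` is placed after `visibleTo.wan`, while every other entry touched by this commit puts it before `visibleTo.lan`. Attribute order has no effect in Nix, but keeping one order makes the exposure of each port easier to audit by eye or with grep. The port number and the opening of this entry are outside the hunk.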
@@ -62,6 +62,7 @@ in
 sane.ports.ports = lib.mkMerge (lib.forEach portRange (port: {
 "${builtins.toString port}" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-notification-waiter-${builtins.toString (port - portLow + 1)}-of-${builtins.toString numPorts}";
diff --git a/hosts/by-name/servo/services/prosody/default.nix b/hosts/by-name/servo/services/prosody/default.nix
index 5efc126a..e9de376f 100644
--- a/hosts/by-name/servo/services/prosody/default.nix
+++ b/hosts/by-name/servo/services/prosody/default.nix
@@ -61,40 +61,47 @@ in
 ];
 sane.ports.ports."5000" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-prosody-fileshare-proxy65";
 };
 sane.ports.ports."5222" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-client-to-server";
 };
 sane.ports.ports."5223" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpps-client-to-server"; # XMPP over TLS
 };
 sane.ports.ports."5269" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.wan = true;
 description = "colin-xmpp-server-to-server";
 };
 sane.ports.ports."5270" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.wan = true;
 description = "colin-xmpps-server-to-server"; # XMPP over TLS
 };
 sane.ports.ports."5280" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-bosh";
 };
 sane.ports.ports."5281" = {
 protocol = [ "tcp" ];
+ visibleTo.doof = true;
 visibleTo.lan = true;
 visibleTo.wan = true;
 description = "colin-xmpp-prosody-https"; # necessary?
diff --git a/hosts/by-name/servo/services/trust-dns.nix b/hosts/by-name/servo/services/trust-dns.nix
index 2d007ffb..d8feae0f 100644
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
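Review bot: In prosody/default.nix the entry for port 5281 still carries the author's `# necessary?` on its description, yet it gains `visibleTo.doof = true;` like the others. A port whose need is in question is better settled before it is opened to a further network: either leave the doof line off this entry until that is answered, or replace the comment with the reason the port is required. As far as the hunk shows, 5269 and 5270 have no `visibleTo.lan` line, which looks deliberate for server-to-server traffic but would be clearer with a short comment saying so.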
@@ -103,6 +103,7 @@ in
 hn = {
 substitutions = mkSubstitutions "hn";
 listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
+ # TODO: no reason this can't live on port 53
 port = 1053;
 };
 lan = {
diff --git a/hosts/modules/wg-home.nix b/hosts/modules/wg-home.nix
index 98b5f3fa..75b7ca12 100644
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@@ -80,6 +80,7 @@ in
 protocol = [ "udp" ];
 visibleTo.lan = true;
 visibleTo.wan = cfg.visibleToWan;
+ visibleTo.doof = cfg.visibleToWan;
 description = "colin-wireguard";
 };
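Review bot: In wg-home.nix `visibleTo.doof = cfg.visibleToWan;` ties exposure on doof to an option whose name only mentions the WAN, so a host that sets it to open WireGuard to the WAN now also opens it on doof without that being stated anywhere visible. The option's declaration is outside the hunk; its description should say that it controls both, or doof should get its own option that defaults to the same value. At minimum the new line deserves a comment, e.g. `# doof exposure follows visibleToWan: <reason>`.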