diff --git a/nameserver/config.go b/nameserver/config.go
new file mode 100644
index 00000000..12e7b546
--- /dev/null
+++ b/nameserver/config.go
@@ -0,0 +1,61 @@
+package nameserver
+
+import (
+	"flag"
+
+	"github.com/safing/portbase/config"
+	"github.com/safing/portbase/log"
+)
+
+// Config Keys
+const (
+	CfgDefaultNameserverAddressKey = "dns/listenAddress"
+)
+
+var (
+	nameserverAddressFlag   string
+	nameserverAddressConfig config.StringOption
+)
+
+func init() {
+	flag.StringVar(&nameserverAddressFlag, "nameserver-address", "", "override nameserver listen address")
+}
+
+func logFlagOverrides() {
+	if nameserverAddressFlag != "" {
+		log.Warning("nameserver: dns/listenAddress default config is being overridden by the -nameserver-address flag")
+	}
+}
+
+func getDefaultNameserverAddress() string {
+	// check if overridden
+	if nameserverAddressFlag != "" {
+		return nameserverAddressFlag
+	}
+	// return internal default
+	return defaultNameserverAddress
+}
+
+func registerConfig() error {
+	err := config.Register(&config.Option{
+		Name:            "Internal DNS Server Listen Address",
+		Key:             CfgDefaultNameserverAddressKey,
+		Description:     "Defines the IP address and port on which the internal DNS Server listens.",
+		OptType:         config.OptTypeString,
+		ExpertiseLevel:  config.ExpertiseLevelDeveloper,
+		ReleaseLevel:    config.ReleaseLevelStable,
+		DefaultValue:    getDefaultNameserverAddress(),
+		ValidationRegex: "^([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}:[0-9]{1,5}|\\[[:0-9A-Fa-f]+\\]:[0-9]{1,5})$",
+		RequiresRestart: true,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: 514,
+			config.CategoryAnnotation:     "Development",
+		},
+	})
+	if err != nil {
+		return err
+	}
+	nameserverAddressConfig = config.GetAsString(CfgDefaultNameserverAddressKey, getDefaultNameserverAddress())
+
+	return nil
+}
diff --git a/nameserver/nameserver.go b/nameserver/nameserver.go
index 2e096ff7..ee902fc4 100644
--- a/nameserver/nameserver.go
+++ b/nameserver/nameserver.go
@@ -26,11 +26,11 @@ var (
 	module    *modules.Module
 	dnsServer *dns.Server
 
-	listenAddress = "0.0.0.0:53"
+	defaultNameserverAddress = "0.0.0.0:53"
 )
 
 func init() {
-	module = modules.Register("nameserver", nil, start, stop, "core", "resolver")
+	module = modules.Register("nameserver", prep, start, stop, "core", "resolver")
 	subsystems.Register(
 		"dns",
 		"Secure DNS",
@@ -41,8 +41,13 @@ func init() {
 	)
 }
 
+func prep() error {
+	return registerConfig()
+}
+
 func start() error {
-	dnsServer = &dns.Server{Addr: listenAddress, Net: "udp"}
+	logFlagOverrides()
+	dnsServer = &dns.Server{Addr: nameserverAddressConfig(), Net: "udp"}
 	dns.HandleFunc(".", handleRequestAsWorker)
 
 	module.StartServiceWorker("dns resolver", 0, func(ctx context.Context) error {