diff --git a/cmd/policygen/generator.go b/cmd/policygen/generator.go
index b2e169c..76fd082 100644
--- a/cmd/policygen/generator.go
+++ b/cmd/policygen/generator.go
@@ -13,11 +13,13 @@ type Generator interface {
 type ApplicationPeer struct {
 Application *Application
 Ports []Port
+ Rule string
 }
 type NetworkPeer struct {
 Network *Network
 Ports []Port
+ Rule string
 }
 type Peer struct {
@@ -103,6 +105,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 appPeer = &ApplicationPeer{
 Application: appTo,
 Ports: ports,
+ Rule: "to",
 }
 } else if networkTo != nil {
 if len(ports) == 0 {
@@ -111,6 +114,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 networkPeer = &NetworkPeer{
 Network: networkTo,
 Ports: ports,
+ Rule: "to",
 }
 }
@@ -129,6 +133,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 appPeer = &ApplicationPeer{
 Application: appFrom,
 Ports: ports,
+ Rule: "from",
 }
 } else if networkFrom != nil {
 if len(ports) == 0 {
@@ -137,6 +142,7 @@ func Generate(writer io.Writer, generator Generator, config *Config) error {
 networkPeer = &NetworkPeer{
 Network: networkFrom,
 Ports: ports,
+ Rule: "from",
 }
 }
diff --git a/cmd/policygen/main.go b/cmd/policygen/main.go
index a5daa59..4aa8548 100644
--- a/cmd/policygen/main.go
+++ b/cmd/policygen/main.go
@@ -25,11 +25,10 @@ func execute(files []string, options *Options) error {
 return err
 }
 config.Update(configNew)
- err = config.Validate()
- if err != nil {
- return fmt.Errorf("Error loading config %s: %w", file, err)
- }
- log.Printf("Namespaces %v", config.Namespaces)
+ }
+ err := config.Validate()
+ if err != nil {
+ return fmt.Errorf("Error loading configuration: %w", err)
 }
 policyTemplates, err := NewPolicyTemplates()
diff --git a/cmd/policygen/templates.go b/cmd/policygen/templates.go
index 80edbab..8357d87 100644
--- a/cmd/policygen/templates.go
+++ b/cmd/policygen/templates.go
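Review bot: The new `Rule` field is filled from four bare string literals — `"to"` in the `@@ -103` and `@@ -111` hunks, `"from"` in `@@ -129` and `@@ -137` — and the pod template emits that string verbatim as the YAML key (`from`/`to`) that decides a rule's direction, so a typo at any site or a future call site would produce a policy with an unknown key rather than a compile error. Declare the values once, `const (RuleFrom = "from"; RuleTo = "to")`, use them at all four sites, and document the field on both structs: `Rule string // NetworkPolicy rule key this peer is emitted under: "from" for ingress peers, "to" for egress peers`. `Generate`'s body begins and ends outside these hunks.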
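Review bot: `config.Validate()` now runs once over the merged result and the message no longer names a file, so when several input files are combined the operator gets no hint which one holds the offending entry unless `Validate` reports locations itself; `files` is a parameter of `execute`, so `return fmt.Errorf("validating configuration from %v: %w", files, err)` keeps that context. The message should also drop the capitalised "Error" prefix, since the caller wraps or prints it and Go error strings are conventionally lowercase. `execute` starts and ends outside the hunk.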
@@ -3,6 +3,7 @@ package main
 import (
 "fmt"
 "io/fs"
+ "log"
 "os"
 "strings"
 "text/template"
@@ -108,7 +109,10 @@ func (t *PolicyTemplates) NamespaceTemplates(policyType string, capabilities []s
 for _, capability := range capabilities {
 tmpl := t.templates.Lookup(fmt.Sprintf("templates/%s/namespace/%s.yaml", policyType, capability))
 if tmpl != nil {
+ log.Printf("Found template for capability '%s'", capability)
 res = append(res, tmpl)
+ } else {
+ log.Printf("Capability '%s' not found", capability)
 }
 }
 return res
diff --git a/cmd/policygen/templates/netpol/namespace/dns.yaml b/cmd/policygen/templates/netpol/namespace/dns.yaml
new file mode 100644
index 0000000..ffda57e
--- /dev/null
+++ b/cmd/policygen/templates/netpol/namespace/dns.yaml
@@ -0,0 +1,19 @@
+{{- if not .Open }}
+
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-dns-in-namespace
+ namespace: {{ .Name }}
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+{{- end }}
\ No newline at end of file
diff --git a/cmd/policygen/templates/netpol/pod/pod.yaml b/cmd/policygen/templates/netpol/pod/pod.yaml
index a160208..0a89051 100644
--- a/cmd/policygen/templates/netpol/pod/pod.yaml
+++ b/cmd/policygen/templates/netpol/pod/pod.yaml
@@ -8,9 +8,10 @@ {{- end }} {{- define "peers" }} {{- range .Applications }} + - {{.Rule}}: # {{ .Application.Namespace.Name }}/{{ .Application.Name }} - podSelector: - matchLabels: {{ .Application.MatchLabels | toYaml | nindent 12 }} + matchLabels: {{ .Application.MatchLabels | toJson }} namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ .Application.Namespace.Name }}
@@ -22,6 +23,7 @@ {{- end }} {{- define "networks" }} {{- range .Networks }} + - {{.Rule}}: # {{ .Network.Name }} - ipBlock: cidr: {{ .Network.CIDR}}
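Review bot: In the new `else` branch of `NamespaceTemplates` an unknown capability is logged at the default level and then dropped, so a misspelled capability name (this same commit changes the example config's `linkerd` to `linkerdd`) yields a namespace whose generated policies silently lack the rules the operator asked for. Prefer rejecting unknown capability names in `Config.Validate`, where a missing template becomes an error before anything is written; at minimum make the log line unmistakable and quote the name with `%q` so empty or whitespace values are visible: `log.Printf("WARNING: no %s namespace template for capability %q, skipping", policyType, capability)`. The `Found template` line would read better with `%q` as well. The `@@ -3,6 +3,7 @@` import hunk only adds `log` for these calls; `NamespaceTemplates` starts outside the hunk.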
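Review bot: The egress rule in the new `allow-dns-in-namespace` policy carries only `ports`, so every pod in a non-open namespace may send to port 53 on any destination, inside or outside the cluster, rather than only to the cluster resolver; unrestricted port-53 egress undermines an otherwise deny-by-default namespace. Add a `to:` peer that selects the DNS pods, as below (the labels are the conventional kube-system/kube-dns ones and must match the cluster this runs against). The file also ends without a trailing newline.

```yaml
# … unchanged: template guard, metadata, podSelector, policyTypes …
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns   # adjust to the cluster's DNS pod labels
    ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
# … unchanged: closing {{- end }} …
```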
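Review bot: `matchLabels: {{ .Application.MatchLabels | toJson }}` renders an empty or nil label map as `{}` or `null`, and Kubernetes treats an empty label selector as select-all, so an application peer configured without labels silently becomes "every pod in that namespace"; the same holds for the policy's own `podSelector` in the `@@ -46,7 +48,8 @@` hunk, where an empty map makes the policy apply to every pod in the namespace. The old `toYaml | nindent` form had the same gap, but since this commit rewrites both lines it is the place to close it: reject empty `MatchLabels` in `Config.Validate` so generation fails instead of widening the selector. `- {{.Rule}}:` also trusts that the caller set `Rule` to match the enclosing `ingress:`/`egress:` block; nothing in the template checks that. Whether `toJson` is registered in the template func map is not visible in this diff.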
@@ -46,7 +48,8 @@ metadata: labels: {{ .labels | toYaml | nindent 4 }} spec: # {{ .app.Namespace.Name }}/{{ .app.Name }} - podSelector: {{ .app.MatchLabels | toYaml | nindent 4 }} + podSelector: + matchLabels: {{ .app.MatchLabels | toJson }} policyTypes: {{- if or .ingress.Applications .ingress.Networks }} - Ingress
@@ -57,14 +60,12 @@ spec: {{- if or .ingress.Applications .ingress.Networks }} ingress: - from: {{- template "peers" .ingress }} {{- template "networks" .ingress }} {{- end }} {{- if or .egress.Applications .egress.Networks }} egress: - to: {{- template "peers" .egress }} {{- template "networks" .egress }} {{- end }}
diff --git a/example/config.yaml b/example/config.yaml
index 20a3c68..450fc97 100644
--- a/example/config.yaml
+++ b/example/config.yaml
@@ -16,7 +16,8 @@ namespaces: - name: wamblee-org #open: true capabilities: - - linkerd + - linkerdd + - dns applications: - name: nexus-server # ports when specified at the application level are used when
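Review bot: `linkerdd` on the added line reads as a typo for the `linkerd` it replaces; the lookup format in templates.go is `templates/%s/namespace/%s.yaml`, so with this commit's change to `NamespaceTemplates` the example would only log `Capability 'linkerdd' not found` and generate the namespace without its linkerd rules. If the rename is intentional, the matching namespace template belongs in the same commit; otherwise restore `- linkerd`.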