diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix
index 477731f3f5a49c..0c967af74f69a5 100644
--- a/nixos/modules/services/networking/nebula.nix
+++ b/nixos/modules/services/networking/nebula.nix
@@ -210,6 +210,11 @@ in
 ''
 settings
 );
+ capabilities = concatStringsSep " " ([
+ "CAP_NET_ADMIN"
+ ] ++ (optionals ((hasAttr "lighthouse.serve_dns" settings) && settings.lighthouse.serve_dns) [
+ "CAP_NET_BIND_SERVICE"
+ ]));
 in
 {
 # Create the systemd service for Nebula.
@@ -224,8 +229,8 @@ in
 Restart = "always";
 ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
 UMask = "0027";
- CapabilityBoundingSet = "CAP_NET_ADMIN";
- AmbientCapabilities = "CAP_NET_ADMIN";
+ CapabilityBoundingSet = capabilities;
+ AmbientCapabilities = capabilities;
 LockPersonality = true;
 NoNewPrivileges = true;
 PrivateDevices = false; # needs access to /dev/net/tun (below)
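Review bot: The guard in the new `capabilities` binding looks up a top-level attribute literally named "lighthouse.serve_dns", because `hasAttr` takes a single attribute name rather than a dotted path; for the ordinary nested form `settings.lighthouse.serve_dns = true` the test is false, CAP_NET_BIND_SERVICE is never granted, and the second hunk's `CapabilityBoundingSet`/`AmbientCapabilities` lines effectively stay at CAP_NET_ADMIN. Conversely, if a user did define a literal "lighthouse.serve_dns" key without a `lighthouse` attrset, the right-hand operand `settings.lighthouse.serve_dns` would throw at evaluation. A nested lookup with a default covers both cases in one expression: `] ++ (optionals (settings.lighthouse.serve_dns or false) [`. The enclosing `let` block and the bindings that bring `optionals`/`hasAttr` into scope start outside the hunk, so whether `settings` is always an attrset at this point is inferred rather than visible here.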