diff --git a/mastus/dns.nix b/mastus/dns.nix
index 945e642..19862b7 100644
--- a/mastus/dns.nix
+++ b/mastus/dns.nix
@@ -39,6 +39,7 @@ in
     zones = {
       "gebner.org." = {
         provideXFR = [ "0.0.0.0/0 NOKEY" "::0/0 NOKEY" ];
+        notify = [ "216.218.130.2 NOKEY" ];
         data = ''
           ${commonStuff "gebner.org"}
 
@@ -68,6 +69,7 @@ in
       };
       "gabrielebner.at." = {
         provideXFR = [ "0.0.0.0/0 NOKEY" "::0/0 NOKEY" ];
+        notify = [ "216.218.130.2 NOKEY" ];
         data = ''
           ${commonStuff "gabrielebner.at"}
 
@@ -79,6 +81,7 @@ in
       };
       "2b7e.org." = {
         provideXFR = [ "0.0.0.0/0 NOKEY" "::0/0 NOKEY" ];
+        notify = [ "216.218.130.2 NOKEY" ];
         data = ''
           ${commonStuff "2b7e.org"}
 
diff --git a/mastus/vmtest.nix b/mastus/vmtest.nix
index 4640706..dc4f6f3 100644
--- a/mastus/vmtest.nix
+++ b/mastus/vmtest.nix
@@ -25,6 +25,14 @@ let
 
     networking.extraHosts = ''
       127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org
+
+      # disable letsencrypt
+      127.0.0.111 acme-v01.api.letsencrypt.org
+    '';
+
+    networking.firewall.extraCommands = ''
+      # disable HE dns notification
+      iptables -A OUTPUT -d 216.218.130.2 -j REJECT
     '';
   };