diff --git a/calico/network-policy/get-started/kubernetes-default-deny.mdx b/calico/network-policy/get-started/kubernetes-default-deny.mdx index fb497b96db..12eabf7100 100644 --- a/calico/network-policy/get-started/kubernetes-default-deny.mdx +++ b/calico/network-policy/get-started/kubernetes-default-deny.mdx @@ -95,6 +95,12 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 + - action: Allow + protocol: TCP + destination: + selector: 'k8s-app == "kube-dns"' + ports: + - 53 ``` It is important to note the above policy deliberately excludes the `kube-system`, `calico-system` and `calico-apiserver` namespaces by using a negative `namespaceSelector` to avoid impacting any control plane components. To secure the control plane you can write specific policies for each control plane component, though you should do so with care, ideally at cluster creation time, since getting these wrong can leave your cluster in a broken state. We recommend you always make sure you have the correct {{prodname}} [failsafe ports](../../reference/felix/configuration.mdx) in place before you start trying to create policies for the control plane.
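Review bot: the added TCP rule is the right counterpart to the existing port 53 rule for kube-dns (DNS falls back to TCP when a response is truncated or exceeds the UDP payload size), but the explanatory text after the policy says nothing about why port 53 must be allowed on two protocols, so a reader trimming the policy may drop the new rule as a duplicate; add a sentence alongside the `kube-system` exclusion discussion, for example "DNS uses UDP by default but falls back to TCP for large or truncated responses, so both protocols must be allowed to kube-dns." Also, the copied `destination` block selects `k8s-app == "kube-dns"` with no `namespaceSelector`, matching the rule above it; if the intent is to match kube-dns pods only in `kube-system`, both rules would need that selector, and if the broader match is deliberate it is worth stating.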