diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
index 6cfcb84..81a8c66 100644
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -38,10 +38,4 @@
 - 10-ranges.conf
 notify: restart dnsmasq
-- name: Configure nftables
- template:
- dest: '/etc/nftables.d/dnsmasq.nft'
- src: 'dnsmasq.nft.j2'
- notify: reload nftables
-
 # TODO netboot config
diff --git a/roles/dnsmasq/templates/00-options.conf.j2 b/roles/dnsmasq/templates/00-options.conf.j2
index 1c2c3ac..3e505e9 100644
--- a/roles/dnsmasq/templates/00-options.conf.j2
+++ b/roles/dnsmasq/templates/00-options.conf.j2
@@ -4,6 +4,10 @@ port = 0
 # we are the only DHCP server
 dhcp-authoritative
+# instruct clients to also send unicast traffic through the relay
+# prevents duplicate queries because ISC dhcrelay forwards everything anyway
+dhcp-proxy
+
 # don’t try to ping clients for duplicate IP check
 # has 3 s timeout during which no other requests are processed
 no-ping
diff --git a/roles/dnsmasq/templates/dnsmasq.nft.j2 b/roles/dnsmasq/templates/dnsmasq.nft.j2
deleted file mode 100644
index 36c2089..0000000
--- a/roles/dnsmasq/templates/dnsmasq.nft.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-table inet filter {
- chain input {
- # networks using this DHCP server
- ip saddr {
-{% for prefix in prefixes | selectattr('custom_fields.dhcp_server') | sort(attribute='vlan.name') %}
-{% if prefix.custom_fields.dhcp_server.address | ipaddr('address') == primary_ip4 %}
- {{ prefix.prefix }}, # {{ prefix.vlan.name }}
-{% endif %}
-{% endfor %}
- } udp dport { 67 } ct state new accept
- }
-}
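Review bot: The new `dhcp-proxy` line in 00-options.conf.j2 is given bare, which makes dnsmasq rewrite the server-id for interactions via every relay it hears from, not only the ISC dhcrelay the comment has in mind; if the relay addresses are known to the role, the form `dhcp-proxy=<RELAY_IP_PLACEHOLDER>` restricts the rewrite to those relays. The comment above it could also name the mechanism so the next reader does not have to look it up, e.g. `# sets the DHCP server-id to the relay address so client renewals (unicast) also pass through dhcrelay`. Since the same commit drops the nftables rule that accepted udp/67 from the DHCP networks, it is worth confirming that the relay's forwarded traffic to this host is still permitted by some other rule; whether it is cannot be seen from this diff.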