diff --git a/dns.go b/dns.go
index b135babf..c37f9770 100644
--- a/dns.go
+++ b/dns.go
@@ -50,7 +50,11 @@ func generateServerConfig() dnsforward.ServerConfig {
 		FilteringConfig: config.DNS.FilteringConfig,
 		Filters:         filters,
 	}
-	newconfig.ResolverAddress = fmt.Sprintf("%s:%d", config.DNS.BindHost, config.DNS.Port)
+	bindhost := config.DNS.BindHost
+	if config.DNS.BindHost == "0.0.0.0" {
+		bindhost = "127.0.0.1"
+	}
+	newconfig.ResolverAddress = fmt.Sprintf("%s:%d", bindhost, config.DNS.Port)
 
 	if config.TLS.Enabled {
 		newconfig.TLSConfig = config.TLS.TLSConfig
diff --git a/filter.go b/filter.go
index e6e43334..1a4671b2 100644
--- a/filter.go
+++ b/filter.go
@@ -178,6 +178,10 @@ func periodicallyRefreshFilters() {
 func refreshFiltersIfNecessary(force bool) int {
 	var updateFilters []filter
 
+	if config.firstRun {
+		return 0
+	}
+
 	config.RLock()
 	for i := range config.Filters {
 		f := &config.Filters[i] // otherwise we will be operating on a copy
diff --git a/helpers.go b/helpers.go
index e4bb0d10..33cf7a62 100644
--- a/helpers.go
+++ b/helpers.go
@@ -323,7 +323,11 @@ func customDialContext(ctx context.Context, network, addr string) (net.Conn, err
 		return con, err
 	}
 
-	resolverAddr := fmt.Sprintf("%s:%d", config.DNS.BindHost, config.DNS.Port)
+	bindhost := config.DNS.BindHost
+	if config.DNS.BindHost == "0.0.0.0" {
+		bindhost = "127.0.0.1"
+	}
+	resolverAddr := fmt.Sprintf("%s:%d", bindhost, config.DNS.Port)
 	r := upstream.NewResolver(resolverAddr, 30*time.Second)
 	addrs, e := r.LookupIPAddr(ctx, host)
 	log.Tracef("LookupIPAddr: %s: %v", host, addrs)