diff --git a/Dockerfile b/Dockerfile
index f5a784c9..4ddcf06f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM alpine:3.8
 LABEL maintainer="quentin.mcgaw@gmail.com" \
 description="VPN client to private internet access servers using OpenVPN, IPtables firewall, DNS over TLS with Unbound and Alpine Linux" \
- download="???MB" \
+ download="6.6MB" \
 size="15.7MB" \
 ram="13MB" \
 cpu_usage="Low" \
@@ -29,5 +29,4 @@ RUN apk add -q --progress --no-cache --update openvpn ca-certificates iptables i
 addgroup -S nonrootusers && adduser -S nonrootuser -G nonrootusers
 COPY unbound.conf /etc/unbound/unbound.conf
 COPY entrypoint.sh /
-RUN chmod +x entrypoint.sh
 ENTRYPOINT /entrypoint.sh
\ No newline at end of file
diff --git a/README.md b/README.md
index 7602d519..6656f7d3 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ A killswitch is implemented with the *iptables* firewall, only allowing traffic
 
 | Download size | Image size | RAM usage | CPU usage |
 | --- | --- | --- | --- |
-| ???MB | 15.7MB | 14MB | Low |
+| 6.6MB | 15.7MB | 14MB | Low |
 
 ## Features
 
@@ -42,6 +42,8 @@ A killswitch is implemented with the *iptables* firewall, only allowing traffic
 - A Private Internet Access **username** and **password** - [Sign up](https://www.privateinternetaccess.com/pages/buy-vpn/)
 - [Docker](https://docs.docker.com/install/) installed on the host
 - If you use an advanced firewall:
+ - Allow outgoing TCP port 853 for Cloudflare DNS over TLS initial resolution of PIA server domain name.
+ - Allow outgoing TCP port 443 for querying duckduckgo to obtain the initial IP address for the healthcheck.
 - Allow outgoing TCP port 501 for TCP strong encryption
 - Allow outgoing TCP port 502 for TCP normal encryption
 - Allow outgoing UDP port 1197 for UDP strong encryption
diff --git a/entrypoint.sh b/entrypoint.sh
index fff58fb6..63056516 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -19,6 +19,17 @@ do
 done
 printf "\nTUN device is opened"
 
+############################################
+# SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1
+############################################
+printf "\nLaunching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..."
+unbound
+printf "DONE"
+printf "\nChanging DNS to localhost..."
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+echo "options ndots:0" >> /etc/resolv.conf
+printf "DONE"
+
 ############################################
 # ORIGINAL IP FOR HEALTHCHECK
 ############################################
@@ -85,17 +96,6 @@ printf "DONE"
 #ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
 #printf "DONE"
 
-############################################
-# SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1
-############################################
-printf "\nLaunching Unbound daemon to connect to Cloudflare DNS 1.1.1.1 at its TLS endpoint..."
-unbound
-printf "DONE"
-printf "\nChanging DNS to localhost..."
-echo "nameserver 127.0.0.1" > /etc/resolv.conf
-echo "options ndots:0" >> /etc/resolv.conf
-printf "DONE"
-
 ############################################
 # USE NON-ROOT USER
 ############################################
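Review bot: The `unbound` launch in the added block has no exit-status check, so if the daemon fails to start (bad unbound.conf, port already bound) the script still prints DONE and then points /etc/resolv.conf at 127.0.0.1, leaving the container with no working resolver for the PIA lookups and the healthcheck IP query that now follow this block. Because unbound normally forks into the background, the resolver may also not be listening yet at the moment resolv.conf is rewritten. I'd guard the launch, e.g. `unbound || { printf "\nUnbound failed to start"; exit 1; }`, and consider a short retry loop that queries 127.0.0.1 before rewriting resolv.conf. The block is the same text removed in the second hunk, so the point applies to the pre-existing code as well, not only to its new position.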