diff --git a/controllers/config/dnsconfig/netmaker.hosts b/controllers/config/dnsconfig/netmaker.hosts
index 45eab425..655eaef6 100644
--- a/controllers/config/dnsconfig/netmaker.hosts
+++ b/controllers/config/dnsconfig/netmaker.hosts
@@ -1 +1,2 @@
-10.0.0.2 testnode.skynet myhost.skynet
+10.0.0.1 testnode.skynet
+10.0.0.2 myhost.skynet
diff --git a/controllers/node_test.go b/controllers/node_test.go
index 7104a65e..63f8a5ad 100644
--- a/controllers/node_test.go
+++ b/controllers/node_test.go
@@ -183,10 +183,26 @@ func TestNodeACLs(t *testing.T) {
 assert.Nil(t, err)
 assert.NotNil(t, node1ACL)
 assert.NotNil(t, node2ACL)
- currentACL, err := nodeacls.ChangeNodesAccess(nodeacls.NetworkID(node1.Network), nodeacls.NodeID(node1.ID), nodeacls.NodeID(node2.ID), acls.NotAllowed)
+ currentACL, err := nodeacls.DisallowNodes(nodeacls.NetworkID(node1.Network), nodeacls.NodeID(node1.ID), nodeacls.NodeID(node2.ID))
 assert.Nil(t, err)
 assert.Equal(t, acls.NotAllowed, currentACL[acls.AclID(node1.ID)][acls.AclID(node2.ID)])
 assert.Equal(t, acls.NotAllowed, currentACL[acls.AclID(node2.ID)][acls.AclID(node1.ID)])
+ currentACL.Save(acls.ContainerID(node1.Network))
+ })
+ t.Run("node acls correct after add new node not allowed", func(t *testing.T) {
+ node3 := models.Node{PublicKey: "DM5qhLAE20FG7BbfBCger+Ac9D2NDOwCtY1rbYDXv24=", Name: "testnode3", Endpoint: "10.0.0.100", MacAddress: "01:02:03:04:05:07", Password: "password", Network: "skynet", OS: "linux"}
+ logic.CreateNode(&node3)
+ var currentACL, err = nodeacls.FetchAllACLs(nodeacls.NetworkID(node3.Network))
+ assert.Nil(t, err)
+ assert.NotNil(t, currentACL)
+ assert.Equal(t, acls.NotPresent, currentACL[acls.AclID(node1.ID)][acls.AclID(node3.ID)])
+ nodeACL, err := nodeacls.CreateNodeACL(nodeacls.NetworkID(node3.Network), nodeacls.NodeID(node3.ID), acls.NotAllowed)
+ assert.Nil(t, err)
+ nodeACL.Save(acls.ContainerID(node3.Network), acls.AclID(node3.ID))
+ currentACL, err = nodeacls.FetchAllACLs(nodeacls.NetworkID(node3.Network))
+ assert.Nil(t, err)
+ assert.Equal(t, acls.NotAllowed, currentACL[acls.AclID(node1.ID)][acls.AclID(node3.ID)])
+ assert.Equal(t, acls.NotAllowed, currentACL[acls.AclID(node2.ID)][acls.AclID(node3.ID)])
 })
 t.Run("node acls removed", func(t *testing.T) {
 retNetworkACL, err := nodeacls.RemoveNodeACL(nodeacls.NetworkID(node1.Network), nodeacls.NodeID(node1.ID))
diff --git a/logic/acls/node-acls/modify.go b/logic/acls/node-acls/modify.go
index 847a285a..15448e9a 100644
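Review bot: The result of `logic.CreateNode(&node3)` in the new "node acls correct after add new node not allowed" subtest is discarded, so if node creation fails the subtest keeps going and the `acls.NotPresent` assertion can pass for the wrong reason (an absent entry looks the same as a failed create); if CreateNode returns an error, write `assert.Nil(t, logic.CreateNode(&node3))`. The same applies to `currentACL.Save(acls.ContainerID(node1.Network))` in the preceding subtest and `nodeACL.Save(...)` here, whose results are also dropped, so a persistence failure would not fail the test. The subtest only asserts the node1→node3 and node2→node3 entries; since the node is created with `acls.NotAllowed`, also asserting `currentACL[acls.AclID(node3.ID)][acls.AclID(node1.ID)]` and the node2 counterpart would pin that the deny is symmetric and neither direction is left open. TestNodeACLs begins before this hunk.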
--- a/logic/acls/node-acls/modify.go
+++ b/logic/acls/node-acls/modify.go
@@ -34,14 +34,26 @@ func CreateNodeACL(networkID NetworkID, nodeID NodeID, defaultVal byte) (acls.AC
 return retNetworkACL[acls.AclID(nodeID)], nil
 }
 
-// ChangeNodesAccess - changes relationship between two individual nodes in given network in memory
-func ChangeNodesAccess(networkID NetworkID, node1, node2 NodeID, value byte) (acls.ACLContainer, error) {
- var currentNetworkACL, err = FetchAllACLs(networkID)
+// AllowNode - allow access between two nodes in memory
+func AllowNodes(networkID NetworkID, node1, node2 NodeID) (acls.ACLContainer, error) {
+ container, err := FetchAllACLs(networkID)
 if err != nil {
 return nil, err
 }
- currentNetworkACL.ChangeAccess(acls.AclID(node1), acls.AclID(node2), value)
- return currentNetworkACL, nil
+ container[acls.AclID(node1)].Allow(acls.AclID(node2))
+ container[acls.AclID(node2)].Allow(acls.AclID(node1))
+ return container, nil
+}
+
+// DisallowNodes - deny access between two nodes
+func DisallowNodes(networkID NetworkID, node1, node2 NodeID) (acls.ACLContainer, error) {
+ container, err := FetchAllACLs(networkID)
+ if err != nil {
+ return nil, err
+ }
+ container[acls.AclID(node1)].Disallow(acls.AclID(node2))
+ container[acls.AclID(node2)].Disallow(acls.AclID(node1))
+ return container, nil
 }
 
 // UpdateNodeACL - updates a node's ACL in state
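Review bot: Both AllowNodes and DisallowNodes index `container[acls.AclID(node1)]` and `container[acls.AclID(node2)]` without checking that the entry exists; a node that has no ACL entry yet (the state the test suite reads back as `acls.NotPresent`) yields the zero value, and depending on what acls.ACL is the Allow/Disallow call then either panics on a nil map or silently modifies a copy, so a caller passing an unknown node ID gets neither an error nor the access change it asked for. Guard each lookup with a comma-ok check and return an error, as sketched below for AllowNodes; DisallowNodes needs the identical guard, or both can delegate to one private helper that takes the method to apply (this uses `fmt.Errorf`, so `fmt` must be imported if modify.go does not already do so). The doc comment `// AllowNode - allow access between two nodes in memory` names the wrong function and should read `// AllowNodes - allow access between two nodes in memory`, and since the test has to call `Save` afterwards, the DisallowNodes comment should likewise say the change is in memory only until the container is saved.
```go
func AllowNodes(networkID NetworkID, node1, node2 NodeID) (acls.ACLContainer, error) {
	// … unchanged: FetchAllACLs call and its error check …
	if _, ok := container[acls.AclID(node1)]; !ok {
		return nil, fmt.Errorf("node %v has no acl in network %v", node1, networkID)
	}
	if _, ok := container[acls.AclID(node2)]; !ok {
		return nil, fmt.Errorf("node %v has no acl in network %v", node2, networkID)
	}
	container[acls.AclID(node1)].Allow(acls.AclID(node2))
	container[acls.AclID(node2)].Allow(acls.AclID(node1))
	return container, nil
}
```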