diff --git a/tools/deployment/developer/common/170-setup-gateway.sh b/tools/deployment/developer/common/170-setup-gateway.sh
index fb8307d346..0948ca348d 100755
--- a/tools/deployment/developer/common/170-setup-gateway.sh
+++ b/tools/deployment/developer/common/170-setup-gateway.sh
@@ -29,3 +29,19 @@ sudo iptables -P FORWARD ACCEPT
 # Setup masquerading on default route dev to public subnet
 DEFAULT_ROUTE_DEV="$(sudo ip -4 route list 0/0 | awk '{ print $5; exit }')"
 sudo iptables -t nat -A POSTROUTING -o ${DEFAULT_ROUTE_DEV} -s ${OSH_EXT_SUBNET} -j MASQUERADE
+
+# NOTE(portdirect): Setup DNS for public endpoints
+sudo docker run -d \
+  --name br-ex-dns-server \
+  --net host \
+  --cap-add=NET_ADMIN \
+  --volume /etc/kubernetes/kubelet-resolv.conf:/etc/kubernetes/kubelet-resolv.conf:ro \
+  --entrypoint dnsmasq \
+  docker.io/openstackhelm/neutron:newton \
+    --keep-in-foreground \
+    --no-hosts \
+    --resolv-file=/etc/kubernetes/kubelet-resolv.conf \
+    --address="/svc.cluster.local/${OSH_BR_EX_ADDR%/*}" \
+    --listen-address="${OSH_BR_EX_ADDR%/*}"
+sleep 1
+sudo docker top br-ex-dns-server
diff --git a/tools/deployment/developer/common/900-use-it.sh b/tools/deployment/developer/common/900-use-it.sh
index 1ca518a0a0..9c656624f3 100755
--- a/tools/deployment/developer/common/900-use-it.sh
+++ b/tools/deployment/developer/common/900-use-it.sh
@@ -61,6 +61,7 @@ openstack stack create --wait \
     --parameter image="${IMAGE_NAME}" \
     --parameter ssh_key=${OSH_VM_KEY_STACK} \
     --parameter cidr=${OSH_PRIVATE_SUBNET} \
+    --parameter dns_nameserver=${OSH_BR_EX_ADDR%/*} \
     -t ./tools/gate/files/heat-basic-vm-deployment.yaml \
     heat-basic-vm-deployment
 
@@ -97,6 +98,9 @@ ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} ping -q -c 1 -W 2 ${OSH_BR_EX_
 # Check the VM can reach the metadata server
 ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 169.254.169.254
 
+# Check the VM can reach the keystone server
+ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 keystone.openstack.svc.cluster.local
+
 # Check to see if cinder has been deployed, if it has then perform a volume attach.
 if helm ls --short | grep -q "^cinder$"; then
   INSTANCE_ID=$(openstack stack output show \
diff --git a/tools/gate/files/heat-basic-vm-deployment.yaml b/tools/gate/files/heat-basic-vm-deployment.yaml
index 1c5d05ab5b..352cac5596 100644
--- a/tools/gate/files/heat-basic-vm-deployment.yaml
+++ b/tools/gate/files/heat-basic-vm-deployment.yaml
@@ -17,6 +17,11 @@ parameters:
     type: string
     default: 10.11.11.0/24
 
+  dns_nameserver:
+    type: comma_delimited_list
+    description: address of a dns nameserver reachable in your environment
+    default: 8.8.8.8
+
 resources:
   flavor:
     type: OS::Nova::Flavor
@@ -65,8 +70,7 @@ resources:
       cidr:
         get_param: cidr
       dns_nameservers:
-        - 8.8.8.8
-        - 8.8.4.4
+        get_param: dns_nameserver
 
   port_security_group:
     type: OS::Neutron::SecurityGroup
diff --git a/tools/gate/playbooks/osh-infra-upgrade-host.yaml b/tools/gate/playbooks/osh-infra-upgrade-host.yaml
index 0e42a8e733..495b5cb99c 100644
--- a/tools/gate/playbooks/osh-infra-upgrade-host.yaml
+++ b/tools/gate/playbooks/osh-infra-upgrade-host.yaml
@@ -34,6 +34,8 @@
   roles:
     - upgrade-host
     - start-zuul-console
+    - disable-local-nameserver
   tags:
     - upgrade-host
     - start-zuul-console
+    - disable-local-nameserver