diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml
index 0b4d1de5df..c90a69602a 100644
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@@ -80,6 +80,7 @@ parameters:
       PacemakerRemoteNetwork: internal_api
       TripleoUINetwork: internal_api
       DesignateApiNetwork: internal_api
+      BINDNetwork: external
       # We special-case the default ResolveNetwork for the CephStorage role
       # for backwards compatibility, all other roles default to internal_api
       CephStorageHostnameResolveNetwork: storage
diff --git a/puppet/services/designate-worker.yaml b/puppet/services/designate-worker.yaml
index 95ef312853..c76f0abb0d 100644
--- a/puppet/services/designate-worker.yaml
+++ b/puppet/services/designate-worker.yaml
@@ -69,6 +69,13 @@ outputs:
         map_merge:
         - get_attr: [DesignateBase, role_data, config_settings]
         - designate::worker::worker_notify: true
+          dns::additional_options:
+            listen-on:
+              str_replace:
+                template:
+                  "{ 127.0.0.1; %{hiera('$NETWORK')}; }"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, BINDNetwork]}
           tripleo.designate_worker.firewall_rules:
             '140 designate_worker udp':
               proto: 'udp'