diff --git a/custom_helm_charts/nzbget/templates/deployment.yaml b/custom_helm_charts/nzbget/templates/deployment.yaml
index e5344f1..74c8260 100644
--- a/custom_helm_charts/nzbget/templates/deployment.yaml
+++ b/custom_helm_charts/nzbget/templates/deployment.yaml
@@ -44,6 +44,10 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.command }}
+          command:
+{{ toYaml . | indent 12 }}
+          {{- end }}
           env:
 {{ toYaml .Values.env | indent 12 }}
           ports:
diff --git a/helm-values/nzbget_values.yaml b/helm-values/nzbget_values.yaml
index 18e0563..a990179 100644
--- a/helm-values/nzbget_values.yaml
+++ b/helm-values/nzbget_values.yaml
@@ -5,6 +5,25 @@ image:
   tag: "latest"
   pullPolicy: Always
 
+# Wait for the gluetun sidecar's tunnel to come up before starting nzbget.
+# Without this, nzbget races gluetun on pod start: /etc/resolv.conf points at
+# 10.128.0.1 (reachable only via the tunnel), so during the ~20s gluetun takes
+# to establish WireGuard, every DNS lookup from nzbget fails with EAI_AGAIN.
+# Any items in the queue at that moment hit nzbget's per-file HealthCheck
+# threshold (~97.9%) and get auto-cancelled — even ones that would otherwise
+# complete fine. Polling DNS resolution is the direct test: if it resolves,
+# the tunnel is up and DNS works.
+command:
+  - sh
+  - -c
+  - |
+    until nslookup news.newshosting.com >/dev/null 2>&1; do
+      echo "waiting for gluetun tunnel + DNS..."
+      sleep 2
+    done
+    echo "tunnel up, starting nzbget"
+    exec /init
+
 env:
   - name: PUID
     value: "1000"