diff --git a/data_safe_haven/infrastructure/programs/declarative_sre.py b/data_safe_haven/infrastructure/programs/declarative_sre.py
index dc3ab43ea1..02cc59b71c 100644
--- a/data_safe_haven/infrastructure/programs/declarative_sre.py
+++ b/data_safe_haven/infrastructure/programs/declarative_sre.py
@@ -123,6 +123,7 @@ def __call__(self) -> None:
 "sre_dns_server",
 self.stack_name,
 SREDnsServerProps(
+ allow_workspace_internet=self.config.sre.allow_workspace_internet,
 dockerhub_credentials=dockerhub_credentials,
 location=self.config.azure.location,
 resource_group_name=resource_group.name,
diff --git a/data_safe_haven/infrastructure/programs/sre/dns_server.py b/data_safe_haven/infrastructure/programs/sre/dns_server.py
index df85e09d83..b50c908f86 100644
--- a/data_safe_haven/infrastructure/programs/sre/dns_server.py
+++ b/data_safe_haven/infrastructure/programs/sre/dns_server.py
@@ -28,12 +28,15 @@ class SREDnsServerProps:
 def __init__(
 self,
+ *,
+ allow_workspace_internet: bool,
 dockerhub_credentials: DockerHubCredentials,
 location: Input[str],
 resource_group_name: Input[str],
 shm_fqdn: Input[str],
 ) -> None:
 self.admin_username = "dshadmin"
+ self.allow_workspace_internet: bool = allow_workspace_internet
 self.dockerhub_credentials = dockerhub_credentials
 self.location = location
 self.resource_group_name = resource_group_name
@@ -69,6 +72,9 @@ def __init__(
 )
 # Expand AdGuardHome YAML configuration
+ mustache_values: dict[str, object] = {
+ "allow_workspace_internet": props.allow_workspace_internet
+ }
 adguard_adguardhome_yaml_contents = Output.all(
 admin_username=props.admin_username,
 # Only the first 72 bytes of the generated random string will be used but a
@@ -85,8 +91,8 @@ def __init__(
 ]
 ),
 ).apply(
- lambda mustache_values: adguard_adguardhome_yaml_reader.file_contents(
- mustache_values
+ lambda mustache_config: adguard_adguardhome_yaml_reader.file_contents(
+ mustache_config | mustache_values
 )
 )
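Review bot: The `mustache_values` dict built under `# Expand AdGuardHome YAML configuration` forwards `props.allow_workspace_internet` straight into the template, where it is only used as a Mustache section condition; any truthy non-bool that reaches it (a string such as `"false"`, should a config source ever hand one through) would render the open branch, so the failure mode of this flag is fail-open. If `config.sre.allow_workspace_internet` is not already validated as a strict bool upstream, a one-line fail-closed coercion, `"allow_workspace_internet": props.allow_workspace_internet is True`, keeps the deny-all rules in place for anything other than an explicit `True`; if it is validated, a short comment naming where that type check lives would let the next reader see that the inverted section is the default path. The same assumption sits behind `self.allow_workspace_internet: bool = allow_workspace_internet` in the `SREDnsServerProps.__init__` hunk. Both `__init__` bodies start or end outside their hunks.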
diff --git a/data_safe_haven/resources/dns_server/AdGuardHome.mustache.yaml b/data_safe_haven/resources/dns_server/AdGuardHome.mustache.yaml
index eef58d5a0a..9c75067956 100644
--- a/data_safe_haven/resources/dns_server/AdGuardHome.mustache.yaml
+++ b/data_safe_haven/resources/dns_server/AdGuardHome.mustache.yaml
@@ -11,12 +11,17 @@ dns:
 querylog:
 enabled: true
 filters:
+{{#allow_workspace_internet}}
+user_rules: []
+{{/allow_workspace_internet}}
+{{^allow_workspace_internet}}
 user_rules:
 # https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#adblock-style-syntax
 - "*.*"
 {{#filter_allow}}
 - "@@||{{.}}"
 {{/filter_allow}}
+{{/allow_workspace_internet}}
 log:
 verbose: true
 # Note that because we are only providing a partial config file we need the
diff --git a/tests/infrastructure/programs/sre/conftest.py b/tests/infrastructure/programs/sre/conftest.py
index 142dc07947..11e9997c11 100644
--- a/tests/infrastructure/programs/sre/conftest.py
+++ b/tests/infrastructure/programs/sre/conftest.py
@@ -150,3 +150,11 @@ def subnet_workspaces() -> network.GetSubnetResult:
 address_prefix=SREIpRanges.workspaces.prefix,
 id="subnet_workspaces_id",
 )
+
+
+@fixture
+def subnet_monitoring() -> network.GetSubnetResult:
+ return network.GetSubnetResult(
+ address_prefix=SREIpRanges.monitoring.prefix,
+ id="subnet_monitoring_id",
+ )
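Review bot: The new `{{#allow_workspace_internet}}` / `{{^allow_workspace_internet}}` pair changes what the whole `user_rules` section means without a comment, and the `filter_allow` allowlist is now silently a no-op in the allow branch, which a maintainer editing `filter_allow` later would not expect. I would add, just above the first section tag, `# allow_workspace_internet=true: no user rules, every name resolves and filter_allow is unused` and `# otherwise: deny-all ("*.*") with filter_allow exceptions`. It is also worth stating in that comment that an inverted section renders when the key is false or absent, so a missing value falls through to the deny-all branch, which is the safe default here.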
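Review bot: The new `subnet_monitoring` fixture is not referenced anywhere in this diff; unless a test elsewhere in the change consumes it, it is dead code in `conftest.py`. If it is intentional groundwork, a one-line docstring saying what it stands in for, e.g. `"""Constructed GetSubnetResult for the SRE monitoring subnet."""`, would make that clear and match what a reader would want for `subnet_workspaces` directly above it. The fixture body is complete within the hunk.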