diff --git a/dhcpd/acl_security.pl b/dhcpd/acl_security.pl
index 342b8fb38..ad81325a7 100755
--- a/dhcpd/acl_security.pl
+++ b/dhcpd/acl_security.pl
@@ -33,6 +33,13 @@ printf "<input type=radio name=w_leases value=0 %s> $text{'no'}</td>\n",
 		$_[0]->{'w_leases'} ? "" : "checked";
 print "</tr>\n";
 
+print "<tr>\n<td><b>$text{'acl_zones'}</b></td> <td>\n";
+printf "<input type=radio name=zones value=1 %s> $text{'yes'}\n",
+		$_[0]->{'zones'} ? "checked" : "";
+printf "<input type=radio name=zones value=0 %s> $text{'no'}</td>\n",
+		$_[0]->{'zones'} ? "" : "checked";
+print "</tr>\n";
+
 print "<tr> <td colspan=4><hr></td> </tr>\n";
 
 # uniqs
@@ -170,6 +177,7 @@ $_[0]->{'apply'}=$in{'apply'};
 $_[0]->{'global'}=$in{'global'};
 $_[0]->{'r_leases'}=$in{'r_leases'};
 $_[0]->{'w_leases'}=$in{'w_leases'};
+$_[0]->{'zones'}=$in{'zones'};
 $_[0]->{'uniq_hst'}=$in{'uniq_hst'};
 $_[0]->{'uniq_sub'}=$in{'uniq_sub'};
 $_[0]->{'uniq_sha'}=$in{'uniq_sha'};
diff --git a/dhcpd/edit_zones.cgi b/dhcpd/edit_zones.cgi
index 559b7f44c..922006f35 100755
--- a/dhcpd/edit_zones.cgi
+++ b/dhcpd/edit_zones.cgi
@@ -8,6 +8,7 @@
 require './dhcpd-lib.pl';
 require './params-lib.pl';
 &ReadParse();
+$access{'zones'} || &error($text{'zone_ecannot'});
 $conf = &get_config();
 $in{'new'} || (($par, $zone) = &get_branch('zone'));
 $sconf = $zone->{'members'};
diff --git a/dhcpd/index.cgi b/dhcpd/index.cgi
index 44cb422e1..3cf2ffa37 100755
--- a/dhcpd/index.cgi
+++ b/dhcpd/index.cgi
@@ -443,7 +443,7 @@ print &ui_hr();
 
 ############ START ZONES #####
 
-if ($config{'dhcpd_version'} >= 3) {
+if ($config{'dhcpd_version'} >= 3 && $access{'zones'}) {
 	print &ui_subheading($text{'zone_key'});
 
 	# get zones
diff --git a/dhcpd/lang/en b/dhcpd/lang/en
index 3b893100d..973aeaf18 100644
--- a/dhcpd/lang/en
+++ b/dhcpd/lang/en
@@ -393,6 +393,7 @@ eacl_papply=restart this service
 acl_apply=Can apply changes?
 acl_r_leases=Can view leases?
 acl_w_leases=Can remove leases?
+acl_zones=Can edit dynamic DNS zones?
 acl_global=Can edit global options?
 acl_uniq_hst=Uniq host names?
 acl_uniq_sub=Uniq subnet IP addresses?
@@ -432,7 +433,7 @@ lookup_esubnetname=No subnet address or address/netmask entered
 lookup_eshared=No shared network with the name $1 exists
 lookup_esharedname=No shared network name entered
 
-zone_key=DNS-zones
+zone_key=DNS Zones
 index_addzone=Add a new DNS zone.
 index_zone=Zone
 index_nozones=No DNS zones have been defined yet.
@@ -446,6 +447,7 @@ zone_return=main menu
 zone_faildel=Failed to delete zone
 zone_failsave=Failed to save zone
 zone_tsigkey=TSIG key
+zone_ecannot=You are not allowed to edit DNS zones
 
 plib_clientupdates=Can clients update their own records?
 
diff --git a/dhcpd/save_zones.cgi b/dhcpd/save_zones.cgi
index 84924b468..dbcb8863d 100755
--- a/dhcpd/save_zones.cgi
+++ b/dhcpd/save_zones.cgi
@@ -8,6 +8,7 @@
 require './dhcpd-lib.pl';
 require './params-lib.pl';
 &ReadParse();
+$access{'zones'} || &error($text{'zone_ecannot'});
 &lock_file($config{'dhcpd_conf'});
 
 unless ($in{'new'}){  # on change or delete