diff --git a/lib.nix b/lib.nix
index bc254590..fc80719d 100644
--- a/lib.nix
+++ b/lib.nix
@@ -87,7 +87,7 @@ in {
 gensokyo-zone = {
 inherit inputs;
 inherit (inputs) self;
- inherit (inputs.self.lib) tree meta lib;
+ inherit (inputs.self.lib) tree meta lib systems;
 };
 generate = import ./generate.nix {inherit inputs tree;};
 }
diff --git a/modules/extern/nixos/dns.nix b/modules/extern/nixos/dns.nix
new file mode 100644
index 00000000..b90581ef
--- /dev/null
+++ b/modules/extern/nixos/dns.nix
@@ -0,0 +1,140 @@ +{ + config, + lib, + gensokyo-zone, + pkgs, + ... +}: let + inherit (gensokyo-zone.lib) mkAlmostOptionDefault; + inherit (lib.options) mkOption mkEnableOption; + inherit (lib.modules) mkIf mkMerge mkOrder mkBefore mkOptionDefault; + inherit (lib.lists) optionals; + inherit (gensokyo-zone.lib) unmerged; + cfg = config.gensokyo-zone.dns; + dnsModule = { + gensokyo-zone, + nixosConfig, + config, + pkgs, + ... + }: let + inherit (gensokyo-zone.lib) unmerged; + inherit (nixosConfig.gensokyo-zone) access; + inherit (nixosConfig.networking) enableIPv6; + enabled = { + resolved = nixosConfig.services.resolved.enable; + avahiResolver = nixosConfig.services.avahi.enable && (nixosConfig.services.avahi.nssmdns4 || nixosConfig.services.avahi.nssmdns4); + tailscale = access.tail.enabled; + }; + in { + options = with lib.types; { + enable = mkEnableOption "dns settings"; + prioritise = mkOption { + type = bool; + description = "prioritize our resolver over systemd-resolved"; + }; + fixHostname = mkOption { + type = bool; + default = true; + description = "work around https://github.com/NixOS/nixpkgs/issues/132646"; + }; + nameservers = mkOption { + type = listOf str; + }; + fallback = mkOption { + type = nullOr (enum [ "cloudflare" "google" ]); + default = "cloudflare"; + }; + fallbackNameservers = mkOption { + type = listOf str; + description = "set by config.fallback"; + }; + set = { + resolvedSettings = mkOption { + type = unmerged.type; + default = {}; + }; + nssSettings = mkOption { + type = unmerged.type; + default = {}; + }; + }; + }; + config = { + prioritise = mkMerge [ + (mkOptionDefault false) + (mkIf (access.local.enable && (enabled.resolved || enabled.avahiResolver)) (mkAlmostOptionDefault true)) + ]; + nameservers = let + inherit (gensokyo-zone.systems) utsuho hakurei; + in mkMerge [ + (mkIf access.local.enable [ + (mkIf enableIPv6 utsuho.config.access.address6ForNetwork.local) + utsuho.config.access.address4ForNetwork.local + ]) + # TODO: mirror 
or tunnel on hakurei or something .-. + (mkIf (access.tail.enabled && false) [ + (mkIf enableIPv6 hakurei.config.access.address6ForNetwork.tail) + hakurei.config.access.address4ForNetwork.tail + ]) + ]; + fallbackNameservers = mkOptionDefault { + cloudflare = [ + "1.1.1.1#cloudflare-dns.com" + "1.0.0.1#cloudflare-dns.com" + ]; + google = optionals enableIPv6 [ + "[2001:4860:4860::8888]#dns.google" + "[2001:4860:4860::8844]#dns.google" + ] ++ [ + "8.8.8.8#dns.google" + "8.8.4.4#dns.google" + ]; + ${toString null} = [ ]; + }.${toString config.fallback}; + set = { + nssSettings = { + hosts = mkMerge [ + (mkIf config.prioritise (mkOrder 475 ["dns"])) + (mkIf (config.fixHostname && nixosConfig.services.resolved.enable) (mkOrder 450 ["files"])) + ]; + }; + resolvedSettings = { + # TODO: enable = mkIf (!resolved.enable) false; + extraConfig = mkIf config.prioritise '' + DNSStubListener=no + ''; + }; + }; + }; + }; +in { + imports = [ + ./access.nix + ]; + + options.gensokyo-zone.dns = mkOption { + type = lib.types.submoduleWith { + modules = [dnsModule]; + specialArgs = { + inherit gensokyo-zone pkgs; + inherit (gensokyo-zone) inputs; + nixosConfig = config; + }; + }; + default = { }; + }; + + config = { + networking.nameservers = mkIf (cfg.enable && cfg.nameservers != [ ]) (mkMerge [ + (mkBefore cfg.nameservers) + cfg.fallbackNameservers + ]); + services.resolved = mkIf cfg.enable (unmerged.merge cfg.set.resolvedSettings); + system.nssDatabases = mkIf cfg.enable (unmerged.merge cfg.set.nssSettings); + # TODO: networking.hosts? many served by dnsmasq are statically determined anyway... + lib.gensokyo-zone.dns = { + inherit cfg dnsModule; + }; + }; +} diff --git a/modules/extern/nixos/krb5.nix b/modules/extern/nixos/krb5.nix index c3a2c445..a045abc3 100644 --- a/modules/extern/nixos/krb5.nix +++ b/modules/extern/nixos/krb5.nix 
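Review bot: The `avahiResolver` test in `enabled` checks `services.avahi.nssmdns4` twice, so a host that only enables the IPv6 mDNS NSS module never gets `prioritise` defaulted to true and `dns` is not ordered ahead of the mdns modules; the second operand presumably should be `nixosConfig.services.avahi.nssmdns6` (the same copy-paste exists in the reisen-ct/network.nix context this module replaces). Separately, the `#cloudflare-dns.com` / `#dns.google` suffixes on `fallbackNameservers` are systemd-resolved DNS-over-TLS server names and only have an effect with `DNSOverTLS=` set, which this hunk does not do (`resolvedSettings.extraConfig` only sets `DNSStubListener=no`), so unless it is configured elsewhere the fallback queries leave in cleartext despite what the names suggest; and if resolved is not running, the same strings end up in resolv.conf where the `#name` form is not valid. Consider adding `DNSOverTLS=opportunistic` to `resolvedSettings` when `config.fallback != null`, and documenting on the `fallback` option that its default of `"cloudflare"` appends a public resolver to every enabled host, so internal-realm lookups can fail over to it when the local resolver is slow or down: `description = "public resolver appended after nameservers; set to null on hosts whose internal names must never be sent to a public resolver";`.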
@@ -350,6 +350,13 @@ in { services.ntp.enable = mkIf (cfg.enable && cfg.ntp.enable) (mkAlmostOptionDefault true); networking = { timeServers = mkIf (cfg.enable && cfg.ntp.enable) cfg.ntp.servers; + hosts = let + inherit (gensokyo-zone.systems) freeipa; + # TODO: consider hakurei instead... + in mkIf (cfg.enable && !config.gensokyo-zone.dns.enable or false && config.gensokyo-zone.access.local.enable) { + ${freeipa.config.access.address6ForNetwork.local} = mkIf config.networking.enableIPv6 (mkBefore [ cfg.host ]); + ${freeipa.config.access.address4ForNetwork.local} = mkBefore [ cfg.host ]; + }; }; ${if options ? sops.secrets then "sops" else null}.secrets = let sopsFile = mkDefault ../secrets/krb5.yaml; diff --git a/nixos/base/network.nix b/nixos/base/network.nix index 99565bdd..8559d9e0 100644 --- a/nixos/base/network.nix +++ b/nixos/base/network.nix @@ -21,6 +21,6 @@ in { # work around https://github.com/NixOS/nixpkgs/issues/132646 system.nssDatabases.hosts = mkIf config.services.resolved.enable ( - mkOrder 500 [ "files" ] + mkOrder 450 [ "files" ] ); } diff --git a/nixos/reisen-ct/network.nix b/nixos/reisen-ct/network.nix index 89b9c3cc..85359326 100644 --- a/nixos/reisen-ct/network.nix +++ b/nixos/reisen-ct/network.nix @@ -32,7 +32,7 @@ in { # prioritize our resolver over systemd-resolved! system.nssDatabases.hosts = let avahiResolverEnabled = config.services.avahi.enable && (config.services.avahi.nssmdns4 || config.services.avahi.nssmdns4); - in mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 499 ["dns"]); + in mkIf (enableDns && (config.services.resolved.enable || avahiResolverEnabled)) (mkOrder 475 ["dns"]); services.resolved.extraConfig = mkIf enableDns '' DNSStubListener=no ''; diff --git a/systems/extern-test/nixos.nix b/systems/extern-test/nixos.nix index 773a5503..20f7bd97 100644 --- a/systems/extern-test/nixos.nix +++ b/systems/extern-test/nixos.nix 
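Review bot: The guard `!config.gensokyo-zone.dns.enable or false && config.gensokyo-zone.access.local.enable` in the new `hosts` block relies on `or` binding tighter than `!`, which in Nix it does, but it reads as though `or false` applied to the whole negation; write it as `!(config.gensokyo-zone.dns.enable or false) && config.gensokyo-zone.access.local.enable` so the intent is unambiguous. A one-line comment above the block would also help, e.g. `# pin the IPA server in /etc/hosts when our resolver is not in use, so KDC lookup does not depend on unauthenticated DNS`, since that is presumably the reason for a static mapping rather than a nameserver entry. Note that the mapping is `mkIf`-guarded on the v6 side only by `enableIPv6`; if `address6ForNetwork.local` can be unset for a system, the attribute name `${...}` will still be evaluated before the `mkIf` is applied — worth confirming against how `access` defines it. The enclosing `networking` attrset and the `config` block continue outside this hunk.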
@@ -28,6 +28,9 @@ in { sssd.enable = true; nfs.enable = true; }; + dns = { + # TODO: enable = true; + }; # TODO: users? };