diff --git a/os/default.nix b/os/default.nix
index 644245e..a9381be 100644
--- a/os/default.nix
+++ b/os/default.nix
@@ -11,6 +11,7 @@
     ./desktop
     ./dev
     disko.nixosModules.disko
+    ./dns
     ./gaming
     ./geoffrey.nix
     ./password
diff --git a/os/dns/default.nix b/os/dns/default.nix
new file mode 100644
index 0000000..0a8749b
--- /dev/null
+++ b/os/dns/default.nix
@@ -0,0 +1,43 @@
+{
+  config,
+  ...
+}:
+{
+  config = {
+    services.resolved = {
+      # We want to be able to have two VPNs active at once.
+      # Not an issue for routing, but only systemd-resolved seems to be able to handle
+      # directing DNS requests of an interface search domain the right DNS server.
+      enable = true;
+      # Note: resolvectl allows to debug DNS issues
+
+      # Don't use Google or CloudFlare servers as a fallback, instead use some from OpenNIC
+      fallbackDns = [
+        # ns1.nl
+        "80.78.132.79"
+        "2a0d:2146:2404::1069"
+        # ns3.de
+        "202.61.197.122"
+        "2a03:4000:59:ef::"
+      ];
+    };
+
+    # Shenanigans as it doesn't work out of the box, obviously 🙃
+    nixpkgs.overlays = [
+      (self: super: {
+        # UPST OpenVPN's script has systemd and openresolv in its path,
+        # and ends up using the latter... we don't want that.
+        update-resolv-conf = super.update-resolv-conf.override {
+          openresolv = config.networking.resolvconf.package;
+        };
+        # wg-quick seems to be too fast for systemd-resolved.
+        # Of course the issue disappears with strace. But also with a sleep, so...
+        wireguard-tools = super.wireguard-tools.overrideAttrs (old: {
+          patches = (old.patches or [ ]) ++ [
+            ./wireguard-tools.patch
+          ];
+        });
+      })
+    ];
+  };
+}
diff --git a/os/dns/wireguard-tools.patch b/os/dns/wireguard-tools.patch
new file mode 100644
index 0000000..c400d7c
--- /dev/null
+++ b/os/dns/wireguard-tools.patch
@@ -0,0 +1,10 @@
+--- src/wg-quick/linux.bash
++++ src/wg-quick/linux.bash
+@@ -153,6 +153,7 @@
+ HAVE_SET_DNS=0
+ set_dns() {
+ 	[[ ${#DNS[@]} -gt 0 ]] || return 0
++	sleep 0.1
+ 	{ printf 'nameserver %s\n' "${DNS[@]}"
+ 	  [[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
+ 	} | cmd resolvconf -a "$(resolvconf_iface_prefix)$INTERFACE" -m 0 -x