diff --git a/os/dns/default.nix b/os/dns/default.nix
index 0a8749b..0e93a0c 100644
--- a/os/dns/default.nix
+++ b/os/dns/default.nix
@@ -1,43 +1,13 @@
 {
- config,
 ...
 }:
 {
 config = {
- services.resolved = {
+ services.dnsmasq = {
 # We want to be able to have two VPNs active at once.
- # Not an issue for routing, but only systemd-resolved seems to be able to handle
- # directing DNS requests of an interface search domain the right DNS server.
+ # Not an issue for routing, but we need local DNS with conditional forwarding.
 enable = true;
- # Note: resolvectl allows to debug DNS issues
-
- # Don't use Google or CloudFlare servers as a fallback, instead use some from OpenNIC
- fallbackDns = [
- # ns1.nl
- "80.78.132.79"
- "2a0d:2146:2404::1069"
- # ns3.de
- "202.61.197.122"
- "2a03:4000:59:ef::"
- ];
+ resolveLocalQueries = true;
 };
-
- # Shenanigans as it doesn't work out of the box, obviously 🙃
- nixpkgs.overlays = [
- (self: super: {
- # UPST OpenVPN's script has systemd and openresolv in its path,
- # and ends up using the latter... we don't want that.
- update-resolv-conf = super.update-resolv-conf.override {
- openresolv = config.networking.resolvconf.package;
- };
- # wg-quick seems to be too fast for systemd-resolved.
- # Of course the issue disappears with strace. But also with a sleep, so...
- wireguard-tools = super.wireguard-tools.overrideAttrs (old: {
- patches = (old.patches or [ ]) ++ [
- ./wireguard-tools.patch
- ];
- });
- })
- ];
 };
 }
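Review bot: The new `services.dnsmasq` block sets only `enable` and `resolveLocalQueries`, so nothing visible restricts which addresses dnsmasq listens on; with two VPN interfaces up, a resolver meant for local queries should be pinned to loopback rather than left to the firewall. Consider adding `settings.listen-address = [ "127.0.0.1" "::1" ];` and `settings.bind-interfaces = true;` inside the block. The rewritten comment promises conditional forwarding, yet no per-domain `server` entries are set here, so the split presumably relies on resolvconf feeding dnsmasq the VPN-provided domains; a comment such as `# Per-domain upstreams come from resolvconf (VPN up/down hooks), not from this file.` would record that, if it is the case. The OpenNIC `fallbackDns` list is dropped without a replacement, so it is worth confirming which upstream answers queries when no VPN is connected.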