diff --git a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
index 0bfa8ec..02e19bf 100644
--- a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
+++ b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
@@ -90,5 +90,8 @@
 prismlauncher
 ];
 };
+
+ ## Networking
+ networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
 };
 }
diff --git a/hosts/microserver.home.ts.hillion.co.uk/default.nix b/hosts/microserver.home.ts.hillion.co.uk/default.nix
index df90011..5a8f83e 100644
--- a/hosts/microserver.home.ts.hillion.co.uk/default.nix
+++ b/hosts/microserver.home.ts.hillion.co.uk/default.nix
@@ -47,6 +47,7 @@
 services.iperf3.enable = true;
 services.iperf3.openFirewall = true;
+ networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
 networking.firewall.interfaces = {
 "eth0" = {
 allowedUDPPorts = [
diff --git a/hosts/router.home.ts.hillion.co.uk/default.nix b/hosts/router.home.ts.hillion.co.uk/default.nix
index 715b7fc..33ba706 100644
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@@ -161,7 +161,7 @@
 }
 {
 name = "domain-name-servers";
- data = "1.1.1.1, 8.8.8.8";
+ data = "10.64.50.1, 1.1.1.1, 8.8.8.8";
 }
 ];
 reservations = [
@@ -202,7 +202,7 @@
 }
 {
 name = "domain-name-servers";
- data = "1.1.1.1, 8.8.8.8";
+ data = "10.239.19.1, 1.1.1.1, 8.8.8.8";
 }
 ];
 reservations = [
@@ -224,6 +224,36 @@
 };
 };
 };
+
+ unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = [
+ "127.0.0.1"
+ "10.64.50.1"
+ "10.239.19.1"
+ ];
+ access-control = [
+ "10.64.50.0/24 allow"
+ "10.239.19.0/24 allow"
+ ];
+ };
+
+ forward-zone = [
+ {
+ name = ".";
+ forward-tls-upstream = "yes";
+ forward-addr = [
+ "1.1.1.1#cloudflare-dns.com"
+ "1.0.0.1#cloudflare-dns.com"
+ "8.8.8.8#dns.google"
+ "8.8.4.4#dns.google"
+ ];
+ }
+ ];
+ };
+ };
 };
 ## Tailscale
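Review bot: `networking.nameservers = lib.mkForce [ ];` in the gendry hunk makes the host resolve through whatever server its DHCP lease names, and the comment does not say which network that trust is meant for. The same line is added in the microserver, theon and tywin hunks. If any of these machines can join a network other than the one served by the router's resolver (gendry looks like a terminal, and theon/tywin sit under a different `storage` domain, so this is worth confirming), its lookups go in cleartext to a resolver chosen by that network. Consider scoping the comment, e.g. `# Home LAN only: take the router's resolver from DHCP; presumably overrides the shared nameserver list`, and declaring the exception once in a shared module option instead of four copies. The enclosing attribute sets start and end outside the hunks.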
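Review bot: The `domain-name-servers` option in hosts/router.home.ts.hillion.co.uk/default.nix still advertises `1.1.1.1, 8.8.8.8` after the new local address, both at `@@ -161,7` and at `@@ -202,7` (`10.239.19.1, …`). Clients are not obliged to treat the list as a strict preference order, and some rotate or fail over across it, so part of their queries can go straight to the public resolvers over plain port 53, bypassing the TLS forwarding and access control that the unbound block adds. If the fallback is a deliberate availability trade-off, record that in a comment next to the option; otherwise advertise only the router, `data = "10.64.50.1";` and `data = "10.239.19.1";`. The enclosing subnet definitions start outside the hunks.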
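Review bot: The `forward-zone` added at `@@ -224,6` relies on the `#cloudflare-dns.com` and `#dns.google` authentication names, but nothing in the hunk shows the CA bundle those names are verified against. Unbound checks upstream certificates against `tls-cert-bundle`; the NixOS module may supply a default, so confirm the value in the rendered unbound.conf rather than assuming it. A short comment above `forward-tls-upstream` would record the intent, e.g. `# DoT only; no forward-first, so lookups fail rather than fall back to cleartext`. Firewall rules for port 53 are not part of this hunk, so it is also worth checking that the listener is reachable from the two LAN subnets only.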
diff --git a/hosts/theon.storage.ts.hillion.co.uk/default.nix b/hosts/theon.storage.ts.hillion.co.uk/default.nix
index ab325c9..8186a2b 100644
--- a/hosts/theon.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/theon.storage.ts.hillion.co.uk/default.nix
@@ -23,6 +23,7 @@
 ## Networking
 systemd.network.enable = true;
+ networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
 networking.firewall = {
 trustedInterfaces = [ "tailscale0" ];
 allowedTCPPorts = lib.mkForce [
diff --git a/hosts/tywin.storage.ts.hillion.co.uk/default.nix b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
index bfe08a8..8d71cb7 100644
--- a/hosts/tywin.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
@@ -211,7 +211,8 @@
 openFirewall = true;
 };
- ## Firewall
+ ## Networking
+ networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
 networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
 80 # Caddy (restic.tywin.storage.ts.)
 14002 # Storj Dashboard (d0.)