diff --git a/nix/lib/config/legacy.nix b/nix/lib/config/legacy.nix
index 7361430..a323b6b 100644
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@@ -61,6 +61,19 @@ in {
 mgmt-gw.firewall.enable = true;
 priv13-gw.firewall.enable = true;
+
+ dnscache = {
+ role = "container";
+ location = "server2";
+
+ interfaces.serv = {
+ gw4 = "serv-gw";
+ gw6 = "serv-gw";
+ type = "veth";
+ };
+
+ services.dnscache.enable = true;
+ };
 } (builtins.foldl' (result: hostName: result // {
diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index 687e288..2fc2990 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -232,6 +232,10 @@ let
 options = bgpOpts;
 });
 };
+ services.dnscache.enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
 };
 };
 bgpOpts = {
diff --git a/nix/nixos-module/container/dnscache.nix b/nix/nixos-module/container/dnscache.nix
new file mode 100644
index 000000000..accd48a
--- /dev/null
+++ b/nix/nixos-module/container/dnscache.nix
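Review bot: The new `dnscache` host definition sets no `firewall.enable`, whereas the two entries directly above it (`mgmt-gw`, `priv13-gw`) both enable it; if that option is honoured for `role = "container"` hosts as well, this resolver container runs without a host firewall and depends entirely on unbound's own access list. If containers are deliberately left unfirewalled, a one-line comment on the new attrset such as `# no firewall: containers are only reachable via the serv veth` would spare the next reader the same question. The enclosing `in { ... }` attrset starts before this hunk and its trailing context continues past what is shown.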
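Review bot: The new `services.dnscache.enable` option in options.nix carries no `description`, so neither the generated option documentation nor a reader of the site config can tell what enabling it does. Adding `description = "Run an unbound caching resolver on this host for the site's networks.";` inside the `mkOption` attrset fixes that; if `mkEnableOption` is in scope next to `mkOption`, `services.dnscache.enable = mkEnableOption "the unbound caching resolver for the site's networks";` yields the bool type, the `false` default and a description in one line. The enclosing option-set declaration starts before this hunk.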
@@ -0,0 +1,150 @@
+{ hostName, config, lib, ... }:
+
+lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
+ services.unbound = {
+ enable = true;
+ interfaces = [ "0.0.0.0" "::0" ];
+ # TODO: generate
+ allowedAccess = [
+ "fd23:42:c3d2:500::/56"
+ "2a02:8106:208:5200::/56"
+ "2a02:8106:211:e900::/56"
+ "::172.20.72.0/117"
+ "::172.22.99.0/120"
+ "::1/128"
+ "172.20.72.0/21"
+ "10.0.0.0/24"
+ "10.200.0.0/15"
+ "172.22.99.0/24"
+ "127.0.0.0/8"
+ ];
+ extraConfig = ''
+ forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ # Quad9
+ forward-addr: 2620:fe::fe@853#dns.quad9.net
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 2620:fe::9@853#dns.quad9.net
+ forward-addr: 149.112.112.112@853#dns.quad9.net
+ # Cloudflare DNS
+ forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+ forward-addr: 1.1.1.1@853#cloudflare-dns.com
+ forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
+ forward-addr: 1.0.0.1@853#cloudflare-dns.com
+
+ server:
+ # allow reverse lookup of rfc1918 space, which includes the DN42 address space
+ unblock-lan-zones: yes
+ insecure-lan-zones: yes
+
+ domain-insecure: "dn42"
+ domain-insecure: "20.172.in-addr.arpa"
+ domain-insecure: "21.172.in-addr.arpa"
+ domain-insecure: "22.172.in-addr.arpa"
+ domain-insecure: "99.22.172.in-addr.arpa"
+ domain-insecure: "23.172.in-addr.arpa"
+ domain-insecure: "d.f.ip6.arpa"
+ domain-insecure: "ffdd"
+ domain-insecure: "200.10.in-addr.arpa"
+ domain-insecure: "201.10.in-addr.arpa"
+ local-zone: "20.172.in-addr.arpa." nodefault
+ local-zone: "21.172.in-addr.arpa." nodefault
+ local-zone: "22.172.in-addr.arpa." nodefault
+ local-zone: "99.22.172.in-addr.arpa." nodefault
+ local-zone: "23.172.in-addr.arpa." nodefault
+ local-zone: "d.f.ip6.arpa." nodefault
+ local-zone: "200.10.in-addr.arpa." nodefault
+ local-zone: "201.10.in-addr.arpa." nodefault
+
+ # Local networks
+
+ forward-zone:
+ name: "zentralwerk.dn42"
+ forward-host: "dns.serv.zentralwerk.org"
+
+ forward-zone:
+ name: "72.20.172.in-addr.arpa"
+ forward-host: "dns.serv.zentralwerk.org"
+
+ forward-zone:
+ name: "73.20.172.in-addr.arpa"
+ forward-host: "dns.serv.zentralwerk.org"
+
+ forward-zone:
+ name: "74.20.172.in-addr.arpa"
+ forward-host: "dns.serv.zentralwerk.org"
+
+ forward-zone:
+ name: "75.20.172.in-addr.arpa"
+ forward-host: "dns.serv.zentralwerk.org"
+
+ forward-zone:
+ name: "76.20.172.in-addr.arpa"
+ forward-host: "dns.serv.zentralwerk.org"
+
+ forward-zone:
+ name: "77.20.172.in-addr.arpa"
+ forward-host: "dns.serv.zentralwerk.org"
+
+ forward-zone:
+ name: "0.0.5.0.2.d.3.c.4.2.0.0.3.2.d.f.ip6.arpa"
+ forward-host: "dns.serv.zentralwerk.org"
+
+ # C3D2 reverse
+
+ forward-zone:
+ name: "99.22.172.in-addr.arpa"
+ forward-host: "ns.c3d2.de"
+
+ # Freifunk
+
+ forward-zone:
+ name: "ffdd"
+ forward-addr: 10.200.0.4
+ forward-addr: 10.200.0.16
+
+ forward-zone:
+ name: "200.10.in-addr.arpa"
+ forward-addr: 10.200.0.4
+ forward-addr: 10.200.0.16
+
+ forward-zone:
+ name: "201.10.in-addr.arpa"
+ forward-addr: 10.200.0.4
+ forward-addr: 10.200.0.16
+
+ # DN42
+
+ stub-zone:
+ name: "dn42"
+ stub-prime: yes
+ stub-addr: 172.23.0.53
+
+ stub-zone:
+ name: "20.172.in-addr.arpa"
+ stub-prime: yes
+ stub-addr: 172.23.0.53
+
+ stub-zone:
+ name: "21.172.in-addr.arpa"
+ stub-prime: yes
+ stub-addr: 172.23.0.53
+
+ stub-zone:
+ name: "22.172.in-addr.arpa"
+ stub-prime: yes
+ stub-addr: 172.23.0.53
+
+ stub-zone:
+ name: "23.172.in-addr.arpa"
+ stub-prime: yes
+ stub-addr: 172.23.0.53
+
+ stub-zone:
+ name: "d.f.ip6.arpa"
+ stub-prime: yes
+ stub-addr: 172.23.0.53
+ '';
+ };
+}
diff --git a/nix/nixos-module/default.nix b/nix/nixos-module/default.nix
index 75e9a53..51638b5 100644
--- a/nix/nixos-module/default.nix
+++ b/nix/nixos-module/default.nix
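Review bot: The `forward-addr ...@853#dns.quad9.net` and `#cloudflare-dns.com` entries in the `.` forward-zone only authenticate the upstream when unbound has a CA bundle configured; unless the NixOS `services.unbound` module of the targeted release already emits `tls-cert-bundle`, the `#authname` suffix is not checked and `forward-tls-upstream: yes` encrypts the path without proving who is on the other end, so either confirm the module sets it or add `tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"` (or `tls-system-cert: yes` on newer unbound) to the `server:` section. The local forward-zones use `forward-host: "dns.serv.zentralwerk.org"` and `forward-host: "ns.c3d2.de"`, which unbound must resolve before those zones become usable, and with `.` forwarded to the public resolvers that only works if the names are published in public DNS — a literal `forward-addr` would remove the dependency on the external path for internal zones. With `interfaces = [ "0.0.0.0" "::0" ]` the listener is bound on every interface the container has, so the hand-maintained `allowedAccess` list marked `# TODO: generate` is the sole control keeping this from becoming an open resolver; deriving it from the site's network definitions, or binding only to the serv interface address, would stop it drifting as prefixes change. This hunk is the complete new file.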
@@ -28,6 +28,7 @@ in {
 ./container/defaults.nix
 ./container/dhcp-server.nix
 ./container/anon.nix
+ ./container/dnscache.nix
 ] ++ optionals lib.config.site.hosts.${hostName}.isRouter [
 ./container/bird.nix