diff --git a/nix/lib/config/legacy.nix b/nix/lib/config/legacy.nix
index 775d806..3c1f3ef 100644
--- a/nix/lib/config/legacy.nix
+++ b/nix/lib/config/legacy.nix
@@ -63,6 +63,8 @@ in
         mgmt-gw.firewall.enable = true;
         priv13-gw.firewall.enable = true;
 
+        dns.services.dns.enable = true;
+
         dnscache = {
           role = "container";
           location = "server2";
diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index ba95160..c3667ae 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -93,7 +93,12 @@ let
       domainName = mkOption {
         description = "Domain name option";
         type = types.str;
-        default = "${name}.zentralwerk.org";
+        default = "${name}.zentralwerk.dn42";
+      };
+      dynamicDomain = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Domain updated by DHCP server?";
       };
     };
   };
@@ -254,6 +259,12 @@ let
           options = bgpOpts;
         });
       };
+      services.dns = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+        };
+      };
       services.dnscache.enable = mkOption {
         type = types.bool;
         default = false;
diff --git a/nix/nixos-module/container/dns.nix b/nix/nixos-module/container/dns.nix
new file mode 100644
index 000000000..0ee7c88
--- /dev/null
+++ b/nix/nixos-module/container/dns.nix
@@ -0,0 +1,123 @@
+{ hostName, config, lib, pkgs, self, ... }:
+
+lib.mkIf config.site.hosts.${hostName}.services.dns.enable {
+  services.bind =
+    let
+      fqdn = "${hostName}.serv.zentralwerk.org";
+      # public servers (slaves)
+      publicNS = [ "ns.c3d2.de" "ns.spaceboyz.net" ];
+      # allowed for zone-transfer
+      slaves = [
+        # ns.c3d2.de
+        "217.197.84.53" "2001:67c:1400:2240::a"
+        # ns.spaceboyz.net
+        "172.22.24.4" "2a01:4f9:4b:39ec::4"
+      ];
+
+      serial =
+        let
+          timestamp = toString self.lastModified;
+          datePkg = pkgs.runCommandLocal "date-${timestamp}" {} ''
+            date -d @${timestamp} +%Y%m%d%H > $out
+          '';
+        in
+          toString (import datePkg);
+
+      staticZone = { name, ns, records }: {
+        inherit name;
+        master = true;
+        file = builtins.toFile "${name}.zone" ''
+          $ORIGIN ${name}.
+          $TTL 1h
+
+          @ IN SOA ${fqdn}. astro.spaceboyz.net. (
+              ${serial} ; serial
+              1h ; refresh
+              1m ; retry
+              2h ; expire
+              1m ; minimum
+            )
+          ${lib.concatMapStrings (ns: "  IN NS ${ns}.\n") ns}
+
+          ${lib.concatMapStrings ({ name, type, data }:
+            "${name} IN ${type} ${data}\n"
+          ) records}
+        '';
+      };
+
+      hosts4Records = hosts4:
+        builtins.attrValues (
+          builtins.mapAttrs (name: addr: {
+            inherit name;
+            type = "A";
+            data = addr;
+          }) hosts4
+        );
+      hosts6Records = hosts6:
+        builtins.attrValues (
+          builtins.mapAttrs (name: addr: {
+            inherit name;
+            type = "AAAA";
+            data = addr;
+          }) hosts6
+        );
+
+      # generate zones only for nets with hosts
+      namedNets = lib.filterAttrs (_: { hosts4, hosts6, dynamicDomain, ... }:
+        (hosts4 != [] && hosts6 != []) ||
+        dynamicDomain
+      ) config.site.net;
+
+    in {
+      enable = true;
+      zones = [ (staticZone {
+        name = "zentralwerk.org";
+        ns = publicNS;
+        records = [];
+      }) (staticZone {
+        name = "zentralwerk.dn42";
+        ns = [ fqdn ];
+        records = [ {
+          name = "ipa";
+          type = "A";
+          data = config.site.net.serv.hosts4.ipa;
+        } ];
+      }) (staticZone {
+        name = "dyn.zentralwerk.org";
+        ns = publicNS;
+        # TODO: implement dyndns
+        records = [ {
+          name = "upstream1";
+          type = "A";
+          data = "24.134.104.53";
+        } {
+          name = "upstream2";
+          type = "A";
+          data = "24.134.252.105";
+        } ];
+      }) ] ++ (builtins.concatLists (
+        builtins.attrValues (
+          builtins.mapAttrs (net: { dynamicDomain, hosts4, hosts6, ... }: [
+            (if dynamicDomain
+             then throw "TODO"
+             else staticZone {
+               name = "${net}.zentralwerk.dn42";
+               ns = [ fqdn ];
+               records =
+                 hosts4Records hosts4 ++
+                 lib.optionals (hosts6 ? dn42) (hosts6Records hosts6.dn42);
+             })
+            (staticZone {
+              name = "${net}.zentralwerk.org";
+              ns = publicNS;
+              records =
+                lib.optionals (hosts6 ? up1) (hosts6Records hosts6.up1) ++
+                lib.optionals (hosts6 ? up2) (hosts6Records hosts6.up2);
+            })
+          ]) namedNets
+        )
+      ));
+    };
+
+  # TODO: zentralwerk.{org,dn42}, reverse, dyn, ipa.zentralwerk.dn42
+}
diff --git a/nix/nixos-module/default.nix b/nix/nixos-module/default.nix
index 51638b5..f07b9ad 100644
--- a/nix/nixos-module/default.nix
+++ b/nix/nixos-module/default.nix
@@ -28,6 +28,7 @@ in {
     ./container/defaults.nix
     ./container/dhcp-server.nix
     ./container/anon.nix
+    ./container/dns.nix
     ./container/dnscache.nix
   ] ++
   optionals lib.config.site.hosts.${hostName}.isRouter [