diff --git a/modules/base/network.nix b/modules/base/network.nix
index 8151485..b8560ee 100644
--- a/modules/base/network.nix
+++ b/modules/base/network.nix
@@ -1,4 +1,4 @@
-{lib, ...}: {
+{...}: {
 # https://nixos.wiki/wiki/Networking
 # https://nixos.wiki/wiki/Systemd-networkd
@@ -10,7 +10,7 @@
 # Do not spam dmesg/journalctl with refused connections
 logRefusedConnections = false;
 };
- nameservers = ["127.0.0.1"]; # unbound
+ nameservers = ["127.0.0.53"]; # resolved stub resolver
 search = ["caspervk.net"];
 };
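Review bot: `nameservers = ["127.0.0.53"]` in the second hunk looks like it points resolved at itself: as far as I recall, the NixOS `services.resolved` module renders `networking.nameservers` into the `DNS=` line of `/etc/systemd/resolved.conf`, and `/etc/resolv.conf` is already replaced by `stub-resolv.conf` once resolved is enabled, so the stub address is not needed here and ends up listed as an upstream next to the real servers. Unless the module behaves differently on this NixOS release, `nameservers = [];` with a comment such as `# /etc/resolv.conf is managed by resolved (stub-resolv.conf); upstreams live in services.resolved` avoids the loop. After switching, `resolvectl status` should not show 127.0.0.53 among the global DNS servers; if it does, this line is the cause.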
@@ -19,34 +19,26 @@
 networking.useNetworkd = true;
 systemd.network.enable = true;
- # Force-disable the systemd-resolved stub resolver, which is enabled
- # automatically in some cases, such as when enabling systemd-networkd.
- services.resolved.enable = lib.mkForce false;
-
- # Unbound provides DNS resolution to local applications on 127.0.0.1. It
- # enables caching and DNSSEC validation by default. We configure it to only,
- # and always, use dns.caspervk.net over TLS.
- # By the way, it's surprisingly hard to get the system to always follow the
- # custom DNS servers rather than the DHCP-provided ones. Check the traffic
- # with: sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
- # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
- services.unbound = {
+ # systemd-resolved provides DNS resolution to local applications through
+ # D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
+ # and DNSSEC validation. We configure it to only, and always, use
+ # dns.caspervk.net over TLS. By the way, it's surprisingly hard to get the
+ # system to always follow the custom DNS servers rather than the
+ # DHCP-provided ones. Check the traffic with:
+ # sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
+ # https://nixos.wiki/wiki/Encrypted_DNS
+ # https://nixos.wiki/wiki/Systemd-resolved
+ services.resolved = {
 enable = true;
- settings = {
- server = {
- interface = ["127.0.0.1"];
- };
- forward-zone = [
- {
- name = ".";
- forward-addr = [
- "159.69.4.2#dns.caspervk.net"
- "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"
- ];
- forward-tls-upstream = "yes";
- }
- ];
- };
+ dnssec = "true";
+ # Resolved falls back to DNS servers operated by American internet
+ # surveillance and adtech companies by default. No thanks, I'd rather have
+ # no DNS at all.
+ fallbackDns = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
+ extraConfig = ''
+ DNS=159.69.4.2#dns.caspervk.net 2a01:4f8:1c0c:70d1::1#dns.caspervk.net
+ DNSOverTLS=yes
+ '';
 };
 # TCP BBR has significantly increased throughput and reduced latency. Note
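Review bot: The "only, and always, use dns.caspervk.net" guarantee in the new comment block is not enforced by this hunk alone: with `networking.useNetworkd` enabled, DHCP- and RA-supplied servers are handed to resolved per link and queried alongside the global `DNS=` unless the `.network` units set `UseDNS=false` (in `[DHCPv4]`, `[DHCPv6]` and `[IPv6AcceptRA]`) or `DNSDefaultRoute=false`, and that networkd configuration is outside this diff, so I cannot tell whether it is in place. The strict `DNSOverTLS=yes` and `DNSSEC=true` should at least keep queries to such servers from going out in plaintext, at the cost of failed lookups rather than silent bypass, so the tcpdump check in the comment remains the right verification. The comment above `fallbackDns` says "I'd rather have no DNS at all" while the value repeats the primary servers; if no fallback is really the intent, `fallbackDns = [];` should (I believe) render an empty `FallbackDNS=`, which clears systemd's compiled-in list, otherwise reword the comment to say the fallback is pinned to the same DoT server. If this NixOS release has `services.resolved.dnsovertls`, `DNSOverTLS=yes` belongs there rather than in `extraConfig`, so the module can validate it. The enclosing attribute set starts outside the hunk.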