diff --git a/modules/system/services/dns.nix b/modules/system/services/dns.nix
index 5847a97..f3226b5 100644
--- a/modules/system/services/dns.nix
+++ b/modules/system/services/dns.nix
@@ -16,29 +16,41 @@ in
 unbound = {
 enable = true;
- settings.server = {
- interface = [ netCfg.overlay.interface ];
- access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
+ settings = {
+ server = {
+ interface = [ netCfg.overlay.interface ];
+ access-control = [
+ "${toString netCfg.overlay.networkCidr} allow"
+ ];
- local-zone = "\"${netCfg.overlay.domain}.\" static";
- local-data =
- let
- nodeRecords =
- netCfg.nodes
- |> lib.map (node: "\"${node.hostName}.${node.overlay.domain}. A ${node.overlay.address}\"");
- serviceRecords =
- self.nixosConfigurations
- |> lib.attrValues
- |> lib.concatMap (
- host:
- host.config.custom.services.caddy.virtualHosts
+ local-zone = "\"${netCfg.overlay.domain}.\" static";
+ local-data =
+ let
+ nodeRecords =
+ netCfg.nodes
+ |> lib.map (node: "\"${node.hostName}.${node.overlay.domain}. A ${node.overlay.address}\"");
+ serviceRecords =
+ self.nixosConfigurations
 |> lib.attrValues
- |> lib.map (vHost: vHost.domain)
- |> lib.filter (domain: self.lib.isPrivateDomain domain)
- |> lib.map (domain: "\"${domain}. A ${host.config.custom.networking.overlay.address}\"")
- );
- in
- nodeRecords ++ serviceRecords;
+ |> lib.concatMap (
+ host:
+ host.config.custom.services.caddy.virtualHosts
+ |> lib.attrValues
+ |> lib.map (vHost: vHost.domain)
+ |> lib.filter (domain: self.lib.isPrivateDomain domain)
+ |> lib.map (domain: "\"${domain}. A ${host.config.custom.networking.overlay.address}\"")
+ );
+ in
+ nodeRecords ++ serviceRecords;
+ };
+
+ forward-zone = lib.singleton {
+ name = ".";
+ forward-addr = [
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
+ };
 };
 };
diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 231ee15..aa5b039 100644
--- a/modules/system/services/nebula/default.nix
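Review bot: The new `forward-zone` for `.` in dns.nix sends every non-local query to 1.1.1.1 and 8.8.8.8 as cleartext DNS, so the names overlay clients look up are observable on the path between this host and the public resolvers, and answers for unsigned zones can be altered in transit. Unbound can forward over TLS instead: add `forward-tls-upstream = true;` and use `"1.1.1.1@853#cloudflare-dns.com"` and `"8.8.8.8@853#dns.google"`, with `server.tls-cert-bundle` pointing at a CA bundle if the module does not already default one. Separately, `local-zone ... static` covers only `netCfg.overlay.domain`; if `isPrivateDomain` accepts names outside that suffix (not visible in this hunk), lookups beneath those names that have no local-data are now forwarded upstream, so it is worth confirming and adding a matching local-zone for them. A short comment above `forward-zone` recording why these two resolvers were chosen would also help the next reader.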
+++ b/modules/system/services/nebula/default.nix
@@ -108,10 +108,7 @@ in
 matchConfig.Name = netCfg.overlay.interface;
 address = [ netCfg.overlay.cidr ];
 dns = netCfg.overlay.dnsServers;
- domains = [
- netCfg.overlay.domain
- "~." # Route all DNS traffic to this interface first
- ];
+ domains = [ netCfg.overlay.domain ];
 };
 };
 }
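Review bot: With `"~."` removed from `domains`, only names under `netCfg.overlay.domain` are pinned to the overlay DNS servers; other names may now also be sent to the DNS servers of the host's other links. If any private Caddy vhost domain that dns.nix publishes through local-data sits outside that suffix (cannot be told from this hunk), queries for it can reach the LAN or ISP resolver, which discloses the internal name and may return a different answer than the overlay resolver. Consider adding those suffixes as routing-only entries, e.g. `domains = [ netCfg.overlay.domain "~<private-suffix>" ];` (placeholder suffix), and replacing the deleted comment with one stating that split DNS is now intentional. The enclosing attribute set starts outside the hunk.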