diff --git a/modules/nixos/networking/underlay.nix b/modules/nixos/networking/underlay.nix
index 20f9efa..1c928ae 100644
--- a/modules/nixos/networking/underlay.nix
+++ b/modules/nixos/networking/underlay.nix
@@ -56,6 +56,11 @@ in
             Gateway = cfg.gateway;
             GatewayOnLink = true;
           };
+          dns = lib.mkIf (!cfg.useDhcp) [
+            "1.1.1.1#cloudflare-dns.com"
+            "8.8.8.8#dns.google"
+            "9.9.9.9#dns.quad9.net"
+          ];
         };
       };
 
diff --git a/modules/nixos/services/nameservers/recursive.nix b/modules/nixos/services/nameservers/recursive.nix
index 914e12b..dd807a0 100644
--- a/modules/nixos/services/nameservers/recursive.nix
+++ b/modules/nixos/services/nameservers/recursive.nix
@@ -31,7 +31,6 @@ in
             settings.server = {
               interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
               access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
-              prefetch = true;
             };
           };
 
diff --git a/modules/nixos/services/nebula/default.nix b/modules/nixos/services/nebula/default.nix
index 2fa908f..45e2a7c 100644
--- a/modules/nixos/services/nebula/default.nix
+++ b/modules/nixos/services/nebula/default.nix
@@ -133,6 +133,7 @@ in
         address = [ netCfg.overlay.cidr ];
         dns = netCfg.overlay.dnsServers;
         domains = [ netCfg.overlay.domain ];
+        networkConfig.DNSSEC = false;
       };
     };
   };