diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 65dc6b6e9..3e2e325d8 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -10,6 +10,7 @@ in {
     ./copyq.nix
     ./xresources.nix
     ./livestream.nix
+    ./dns-stuff.nix
     {
       hardware.pulseaudio = {
         enable = true;
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index ffed5bb70..d7deb3165 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -63,15 +63,6 @@ with import <stockholm/lib>;
         pkgs.pythonPackages.python
       ];
     }
-    {
-      services.dnscrypt-proxy = {
-        enable = true;
-        resolverName = "cs-de";
-      };
-      networking.extraResolvconfConf = ''
-        name_servers='127.0.0.1'
-      '';
-    }
   ];
 
   networking.hostName = config.krebs.build.host.name;
diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix
new file mode 100644
index 000000000..b52d3050b
--- /dev/null
+++ b/lass/2configs/dns-stuff.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+  services.dnscrypt-proxy = {
+    enable = true;
+    localAddress = "127.1.0.1";
+    resolverName = "cs-de";
+  };
+  services.dnsmasq = {
+    enable = true;
+    extraConfig = ''
+      server=127.1.0.1
+      server=/dn42/172.23.75.6
+      #no-resolv
+      cache-size=1000
+      min-cache-ttl=3600
+      bind-dynamic
+      all-servers
+      dnssec
+      trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+      address=/blog/127.0.0.1
+      address=/blog/::1
+      rebind-domain-ok=/onion/
+      server=/.onion/127.0.0.1#9053
+      port=53
+    '';
+  };
+  networking.extraResolvconfConf = ''
+    name_servers='127.0.0.1'
+  '';
+}