diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix
index 01eb8b1..8555eeb 100644
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, pkgs, ... }:
 let
 serverHostName = "vueko";
 peers = {
@@ -72,11 +72,41 @@ in
 networking.firewall = {
 trustedInterfaces = [ "wg-home" ];
- allowedUDPPorts = lib.optional enableServer 51820;
+ allowedUDPPorts = lib.optionals enableServer [
+ 51820
+ 53
+ ];
 };
 boot.kernel.sysctl = lib.optionalAttrs enableServer {
 "net.ipv4.ip_forward" = 1;
 };
+
+ services.bind = lib.mkIf enableServer {
+ enable = true;
+ zones = lib.singleton {
+ name = "vpn.sbruder.de";
+ file =
+ let
+ # !!! very hacky
+ hexStringToInt = hex: (builtins.fromTOML "int = 0x${hex}").int;
+
+ peerRecords = lib.concatStrings
+ (lib.mapAttrsToList
+ (peer: peerConfig: ''
+ ${peer} IN A ${peerConfig.address}
+ '')
+ peers);
+
+ peerRecordsHash = builtins.hashString "sha256" peerRecords;
+ serial = hexStringToInt (lib.substring 0 8 peerRecordsHash);
+ in
+ pkgs.writeText "vpn.sbruder.de.zone" (''
+ $TTL 3600
+ @ IN SOA ${serverHostName}.sbruder.de. hostmaster.sbruder.de. ${toString serial} 28800 3600 604800 3600
+ @ IN NS ${serverHostName}.sbruder.de.
+ '' + peerRecords);
+ };
+ };
 };
}
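Review bot: Adding `53` to `networking.firewall.allowedUDPPorts` in the second hunk opens DNS on every interface, not just the tunnel, even though `wg-home` is already in `trustedInterfaces` and so needs no port opened for VPN clients; with the NixOS BIND default of listening on all addresses (`services.bind.listenOn`, as far as I recall) the new server becomes reachable from the public side, which at minimum exposes the peer names and tunnel addresses in the zone and is more surface than the change needs. Either keep the old global list, `allowedUDPPorts = lib.optional enableServer 51820;`, or scope the new port with `networking.firewall.interfaces."wg-home".allowedUDPPorts = [ 53 ];` and restrict BIND via `listenOn` to the tunnel address. The hash-derived `serial` also deserves a comment: it fits 32 bits (eight hex digits of the SHA-256) but is not monotonic, so it only works because no secondary compares serials, e.g. `# serial is derived from the record content, not monotonic: fine without secondaries, revisit if AXFR slaves are added`. The `peerConfig.address` values are assumed to be bare IPv4 addresses; if `peers` (defined above the hunk) stores them with a prefix length the generated `A` records would be invalid. The enclosing module attrset starts before the hunk.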