diff --git a/modules/common/dns.nix b/modules/graphical/dns.nix
similarity index 72%
rename from modules/common/dns.nix
rename to modules/graphical/dns.nix
index 934e7af..599a2d4 100644
--- a/modules/common/dns.nix
+++ b/modules/graphical/dns.nix
@@ -1,5 +1,5 @@
-{ lib, ... }:
 {
+  networking.resolvconf.useLocalResolver = true;
   services.dnsproxy = {
     enable = true;
     flags = [
@@ -14,7 +14,4 @@
       bootstrap = fallback;
     };
   };
-
-  environment.etc."resolv.conf".text = lib.mkForce "nameserver 127.0.0.1";
-  networking.resolvconf.enable = false;
 }
diff --git a/modules/server/continuwuity.nix b/modules/server/continuwuity.nix
index ef13d8d..6ebd320 100644
--- a/modules/server/continuwuity.nix
+++ b/modules/server/continuwuity.nix
@@ -59,6 +59,8 @@
             url_preview_max_spider_size = 2097152;
             max_request_size = 524288000;
             db_cache_capacity_mb = 2056;
+
+            query_over_tcp_only = true;
             dns_cache_entries = 0;
 
             allow_public_room_directory_over_federation = true;
diff --git a/modules/server/dns.nix b/modules/server/dns.nix
new file mode 100644
index 0000000..26e111b
--- /dev/null
+++ b/modules/server/dns.nix
@@ -0,0 +1,12 @@
+{
+  services.unbound = {
+    enable = true;
+    settings = {
+      server = {
+        rrset-cache-size = "64M";
+        msg-cache-size = "64M";
+        discard-timeout = 4800;
+      };
+    };
+  };
+}