diff --git a/hosts/pinwheel/configuration.nix b/hosts/pinwheel/configuration.nix
index 0bcb8ba..7e2f6ed 100644
--- a/hosts/pinwheel/configuration.nix
+++ b/hosts/pinwheel/configuration.nix
@@ -61,6 +61,10 @@
 
     wireless.enable = false; # Wireless is managed by networkmanager
     networkmanager.enable = true;
+    nameservers = [
+      "1.1.1.1#one.one.one.one"
+      "1.0.0.1#one.one.one.one"
+    ];
   };
 
   # Open ports in the firewall.
diff --git a/hosts/pinwheel/modules/openvpn/default.nix b/hosts/pinwheel/modules/openvpn/default.nix
index a10f43b..e4b6d79 100644
--- a/hosts/pinwheel/modules/openvpn/default.nix
+++ b/hosts/pinwheel/modules/openvpn/default.nix
@@ -5,7 +5,7 @@ in
 {
   options = {
     mod.openvpn = {
-      enable = lib.mkEnableOption "add openvpn related packages";
+      enable = lib.mkEnableOption "enable openpn module";
     };
   };
 
@@ -17,6 +17,17 @@ in
       ];
     };
 
-    services.resolved.enable = true;
+    services.resolved = {
+      enable = true;
+      dnssec = "true";
+      domains = [ "~." ];
+      fallbackDns = [
+        "1.1.1.1#one.one.one.one"
+        "1.0.0.1#one.one.one.one"
+      ];
+      extraConfig = ''
+        DNSOverTLS=yes
+      '';
+    };
   };
 }