diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix
index d8c2797..978ce76 100644
--- a/nix/os/devices/sj-srv1/system.nix
+++ b/nix/os/devices/sj-srv1/system.nix
@@ -11,6 +11,23 @@ in {
 imports = [
 ../../snippets/systemd-resolved.nix
+ {
+ # make sure it uses the DNS that comes in via DHCP
+ networking.nameservers = lib.mkForce [];
+ services.resolved.enable = true;
+
+ # provide DNS to the containers
+ services.resolved.extraConfig = ''
+ DNSStubListenerExtra=${hostBridgeAddress}
+ '';
+ networking.firewall.interfaces.br0.allowedTCPPorts = [53];
+ networking.firewall.interfaces.br0.allowedUDPPorts = [53];
+ }
+ ];
+
+ programs.wireshark.enable = true;
+ environment.systemPackages = [
+ pkgs.dnsutils
 ];
 networking.firewall.enable = true;
@@ -83,6 +100,9 @@ in {
 enable = true;
 matchConfig.Name = "dmz0";
 DHCP = "yes";
+
+ dhcpV4Config.UseDNS = true;
+ dhcpV6Config.UseDNS = true;
 };
 boot.kernel.sysctl = {
@@ -134,6 +154,7 @@ in {
 mailserver = import ../../containers/mailserver.nix {
 specialArgs = {
 inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
 };
 autoStart = true;
@@ -151,6 +172,7 @@ in {
 {
 specialArgs = {
 inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
 };
 autoStart = true;
@@ -167,6 +189,7 @@ in {
 syncthing = import ../../containers/syncthing.nix {
 specialArgs = {
 inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
 };
 autoStart = true;
diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix
index 84f749a..28ebb64 100644
--- a/nix/os/profiles/containers/configuration.nix
+++ b/nix/os/profiles/containers/configuration.nix
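Review bot: `programs.wireshark.enable = true` in the first system.nix hunk grants more than a package: on NixOS that option also installs a setcap wrapper for dumpcap, so every member of the `wireshark` group can capture on all interfaces of this host, including the br0 traffic to the mail container. If it is only wanted for ad-hoc debugging, `pkgs.wireshark-cli` in `environment.systemPackages` gives the tools without the standing capability grant, or keep the option but add a comment saying who is expected to be in that group. Separately, `DNSStubListenerExtra=${hostBridgeAddress}` together with the br0 port-53 rules exposes the host resolver to anything that can reach that bridge address; as far as I know resolved applies no per-client ACL on extra listeners, so the firewall rule is the only gate, and it deserves a comment (`# any client on br0 can use the host resolver; tighten if br0 ever carries more than the containers`).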
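Review bot: `dhcpV4Config.UseDNS = true` and `dhcpV6Config.UseDNS = true` on dmz0 make a DMZ-side DHCP server the sole source of resolvers for this host and, through the stub listener, for every container, while the imported resolved snippet only sets `dnsovertls = "opportunistic"`, which silently falls back to plaintext for servers that do not offer TLS. If trusting the DHCP-announced resolvers is intended, say so next to these lines (`# resolvers come from the DMZ DHCP server; lookups downgrade to plaintext unless they offer DoT`); if not, keep the static nameservers and set `UseDNS = false` here instead. Note that `UseDNS=` already defaults to true in networkd, so as written these two lines document intent rather than change behaviour. The enclosing network unit block for dmz0 starts and ends outside the hunk.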
@@ -1,16 +1,29 @@
-{pkgs, ...}: {
+{
+ hostAddress,
+ pkgs,
+ lib,
+ ...
+}: {
 networking.useHostResolvConf = false;
 networking.firewall.enable = true;
 networking.nftables.enable = true;
 networking.nftables.flushRuleset = true;
+ networking.nameservers = lib.mkForce [hostAddress];
+
 environment.systemPackages = [
 pkgs.dnsutils
 ];
 imports = [
- ../../snippets/systemd-resolved.nix
+ {
+ # keep DNS set up to a minimum: only query the container host
+ services.resolved.enable = lib.mkForce false;
+ networking.nameservers = [
+ hostAddress
+ ];
+ }
 ../../snippets/nix-settings.nix
 # ../../modules/ddclient-ovh.nix
 # ../../modules/ddclient-hetzner.nix
diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix
index 8ade1e2..1995545 100644
--- a/nix/os/snippets/systemd-resolved.nix
+++ b/nix/os/snippets/systemd-resolved.nix
@@ -1,4 +1,4 @@
-{
+{lib, ...}: {
 networking.nameservers = [
 # https://dnsforge.de/
 "176.9.93.198"
@@ -16,5 +16,7 @@
 # TODO: figure out why "true" doesn't work
 dnsovertls = "opportunistic";
+
+ fallbackDns = lib.mkForce [];
 };
 }
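Review bot: `networking.nameservers` is defined twice in the configuration.nix hunk — `lib.mkForce [hostAddress]` at the top level and again, without mkForce, inside the inline module under `imports` — and the forced definition discards the other, so the inline module's copy is dead; keep a single definition, preferably the one next to the explanatory comment, as `networking.nameservers = lib.mkForce [hostAddress];`. The new `hostAddress` function argument has no default, so any container profile that imports this file without supplying `hostAddress` in `specialArgs` now fails to evaluate; the three containers touched in system.nix pass it, but if others exist a default or an assertion with a clear message would avoid an opaque "attribute missing" error. It is also worth a comment that, with resolved disabled and `useHostResolvConf = false`, the container's resolv.conf points at the host stub over plain DNS, so lookup integrity rests entirely on the host's upstream configuration.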
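Review bot: `fallbackDns = lib.mkForce []` in the systemd-resolved.nix hunk removes resolved's built-in fallback servers, which is the right call against silent leaks to third-party resolvers, but on sj-srv1 this snippet is combined with `networking.nameservers = lib.mkForce []` and DHCP-supplied DNS, so a lease without DNS options leaves the host and its containers with no resolver at all; that trade-off belongs in a comment here, e.g. `# no fallback: hosts that rely on DHCP-supplied DNS lose resolution if the lease carries none`. The `# TODO: figure out why "true" doesn't work` on `dnsovertls` is plausibly because strict DoT needs a hostname to validate the certificate against; listing the server as `"176.9.93.198#dnsforge.de"` (check the exact name the provider publishes) would let strict mode be retried. Note that removing the fallback does nothing for the DHCP path, where opportunistic DoT still downgrades to plaintext.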