diff --git a/flake.lock b/flake.lock
index c90d9c8..7b2733e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -281,11 +281,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1710040110,
-        "narHash": "sha256-PNAV8VdZkNoSGQHGQWDefNarl0BtKjVMCCzu16+vsr4=",
+        "lastModified": 1710120787,
+        "narHash": "sha256-tlLuB73OCOKtU2j83bQzSYFyzjJo3rjpITZE5MoofG8=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "851fcfd130597c5c91071d46275111522d4fd595",
+        "rev": "e76ff2df6bfd2abe06abd8e7b9f217df941c1b07",
         "type": "github"
       },
       "original": {
diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix
index 94365e0..8d07f86 100644
--- a/hosts/falkenstein/modules/dns/default.nix
+++ b/hosts/falkenstein/modules/dns/default.nix
@@ -6,7 +6,7 @@ let
     $ORIGIN rfive.de.
 
     rfive.de.   86400  IN  SOA ns.rfive.de. hostmaster.rfive.de. (
-      2024031013 ; serial
+      2024031014 ; serial
       10800      ; refresh
       3600       ; retry
       604800     ; expire
@@ -59,6 +59,16 @@ in
   services.bind = rec {
     enable = true;
     directory = "/var/lib/bind";
+    extraConfig = ''
+      dnssec-policy "split-keys" {
+        keys {
+          ksk lifetime unlimited algorithm ecdsap256sha256;
+          zsk lifetime 60d algorithm ecdsap256sha256;
+        };
+        publish-safety 1d;
+        retire-safety 1d;
+      };
+    '';
     zones = {
       "rfive.de" = {
         master = true;
@@ -67,7 +77,7 @@ in
         ];
         extraConfig = ''
           also-notify {${secondary};};
-          dnssec-policy default;
+          dnssec-policy split-keys;
           inline-signing yes;
           serial-update-method date;
         '';
@@ -83,4 +93,5 @@ in
     ip saddr ${secondary}/32 tcp dport 53 accept comment "Allow DNS AXFR access from INWX Servers"
     ip saddr ${secondary}/32 udp dport 53 accept comment "Allow DNS access from INWX Servers"
   '';
+  environment.systemPackages = with pkgs; [ dig.out ];
 }
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 7415d60..624fd75 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -5,6 +5,7 @@
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
       ./modules/networks
+      ./modules/adguard
       ./modules/backup
       ./modules/cache
       ./modules/matrix
diff --git a/hosts/nuc/modules/adguard/default.nix b/hosts/nuc/modules/adguard/default.nix
new file mode 100644
index 0000000..c1c3af7
--- /dev/null
+++ b/hosts/nuc/modules/adguard/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
+  services.adguardhome = {
+    enable = true;
+    openFirewall = true;
+    settings.bind_port = 3000;
+  };
+}
diff --git a/hosts/nuc/modules/networks/default.nix b/hosts/nuc/modules/networks/default.nix
index d985cf5..7a1b8ba 100644
--- a/hosts/nuc/modules/networks/default.nix
+++ b/hosts/nuc/modules/networks/default.nix
@@ -21,12 +21,10 @@
       "2620:fe::fe"
       "2620:fe::9"
     ];
-    # make room for the adguard dns
-    # extraConfig = ''
-    #   [Resolve]
-    #   DNS=127.0.0.1
-    #   DNSStubListener=no
-    # '';
+    extraConfig = ''
+      [Resolve]
+      DNSStubListener=no
+    '';
   };
   systemd.network = {
     enable = true;