diff --git a/modules/services/edns/default.nix b/modules/services/edns/default.nix
new file mode 100644
index 0000000..11e7114
--- /dev/null
+++ b/modules/services/edns/default.nix
@@ -0,0 +1,48 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+let
+ cfg = config.nki.services.edns;
+in
+{
+ options.nki.services.edns = {
+ enable = mkEnableOption "Enable encrypted DNS";
+ ipv6 = mkEnableOption "Enable ipv6";
+ };
+
+ config = mkIf cfg.enable {
+ networking.nameservers = [ "127.0.0.1" "::1" ];
+ networking.resolvconf.enable = mkOverride 1000 false;
+ networking.dhcpcd.extraConfig = "nohook resolv.conf";
+ networking.networkmanager.dns = "none";
+
+ services.dnscrypt-proxy2 = {
+ enable = true;
+
+ settings = {
+ server_names = [ ]; # Pick a server yourself
+
+ # Filters
+ ipv6_servers = cfg.ipv6;
+ require_dnssec = true;
+ require_nofilter = true;
+ skip_incompatible = true;
+
+ # Sources
+ sources.public_resolvers = {
+ urls = [ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
+ cache_file = "/var/lib/dnscrypt-proxy/public_resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+
+ # Making things go fast
+ block_ipv6 = !cfg.ipv6;
+
+ # Anonymized DNS
+ anonymized_dns.routes = [
+ { server_name = "*"; via = [ "anon-plan9-dns" "anon-v.dnscrypt.up-ipv4" ]; }
+ ];
+ };
+ };
+ };
+}
diff --git a/nki-home/configuration.nix b/nki-home/configuration.nix
index 5909ed2..5c60fe4 100644
--- a/nki-home/configuration.nix
+++ b/nki-home/configuration.nix
@@ -13,6 +13,8 @@
 ./secrets
 # Fonts
 ../modules/personal/fonts
+ # Encrypted DNS
+ ../modules/services/edns
 ];
 
 # Set kernel version to latest
@@ -57,7 +59,7 @@
 # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
 
 nix = {
- package = pkgs.nixUnstable;
+ package = pkgs.nixFlakes;
 extraOptions = ''
 experimental-features = nix-command flakes
 '';
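Review bot: The anonymized_dns route sends every query via `anon-plan9-dns` and `anon-v.dnscrypt.up-ipv4`, but the only source configured in this hunk is public-resolvers.md; relay entries are published in the separate relays.md list, so unless a relays source is defined elsewhere dnscrypt-proxy cannot resolve those relay names and the anonymization this module is built around does not take effect. `skip_incompatible` is also an `anonymized_dns` option rather than a top-level setting, so where it sits under "# Filters" it does not stop non-DNSCrypt (DoH) resolvers chosen from the unrestricted `server_names = [ ]` from being contacted directly, bypassing the relays, and dnscrypt-proxy may reject it as an unsupported top-level key. Add a `sources.relays` entry pointing at the relays list published alongside the resolver list (same signing key) and move `skip_incompatible` into the `anonymized_dns` attrset as below. As a minor style point, `mkEnableOption "Enable encrypted DNS"` renders as "Whether to enable Enable encrypted DNS"; `mkEnableOption "encrypted DNS"` reads correctly.
```nix
# … unchanged: options, networking.*, enable, server_names, ipv6_servers/require_* (drop the top-level skip_incompatible) …
sources.public_resolvers = {
  # … unchanged …
};
sources.relays = {
  urls = [ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md" "https://download.dnscrypt.info/resolvers-list/v3/relays.md" ];
  cache_file = "/var/lib/dnscrypt-proxy/relays.md";
  minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};

# … unchanged: block_ipv6 …

anonymized_dns = {
  routes = [
    { server_name = "*"; via = [ "anon-plan9-dns" "anon-v.dnscrypt.up-ipv4" ]; }
  ];
  # Skip resolvers that cannot be reached through a relay instead of using them directly.
  skip_incompatible = true;
};
```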
@@ -166,6 +168,8 @@
 
 # List services that you want to enable:
 services.gnome.gnome-keyring.enable = true;
+ nki.services.edns.enable = true;
+ nki.services.edns.ipv6 = true;
 
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;