diff --git a/modules/my-tinc/hosts.nix b/modules/my-tinc/hosts.nix
index da75547..58f375b 100644
--- a/modules/my-tinc/hosts.nix
+++ b/modules/my-tinc/hosts.nix
@@ -23,10 +23,13 @@ in
 hosts;
 # Add all of them to host
- networking.extraHosts = lib.strings.concatStringsSep
- "\n"
- (lib.attrsets.mapAttrsToList
- (name: host: "${host.subnetAddr} ${name}.tinc")
- hosts);
+ nki.services.edns = {
+ enable = true;
+ cloaking-rules =
+ (lib.attrsets.mapAttrs'
+ (name: host: { name = "${name}.tinc"; value = host.subnetAddr; })
+ hosts)
+ ;
+ };
 };
 }
diff --git a/modules/services/edns/default.nix b/modules/services/edns/default.nix
index e713903..c668093 100644
--- a/modules/services/edns/default.nix
+++ b/modules/services/edns/default.nix
@@ -8,6 +8,11 @@ in
 options.nki.services.edns = {
 enable = mkEnableOption "Enable encrypted DNS";
 ipv6 = mkEnableOption "Enable ipv6";
+ cloaking-rules = mkOption {
+ type = types.attrsOf types.str;
+ default = { };
+ description = "A set of domain -> ip mapping for cloaking_rules";
+ };
 };
 config = mkIf cfg.enable {
@@ -42,6 +47,11 @@ in
 { server_name = "*"; via = [ "anon-plan9-dns" "anon-v.dnscrypt.up-ipv4" ]; }
 ];
 anonymized_dns.skip_incompatible = true;
+
+ # Cloaking rules
+ cloaking_rules = pkgs.writeText "cloaking_rules.txt" (lib.strings.concatStringsSep
+ "\n"
+ (lib.attrsets.mapAttrsToList (name: ip: "${name} ${ip}") cfg.cloaking-rules));
 };
 };
 };
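Review bot: `enable = true;` under `nki.services.edns` in hosts.nix makes the tinc module switch on the encrypted-DNS service for every host that imports it, and the `.tinc` names are now resolvable only through that resolver instead of through `/etc/hosts`, which local lookups consulted without any DNS server running. If that coupling is intended, a short comment saying so would help; otherwise `enable = lib.mkDefault true;` still supplies the rules while leaving the decision to the host. The lone `;` on its own line after the `mapAttrs'` call reads like a leftover; `cloaking-rules = lib.attrsets.mapAttrs' (name: host: { name = "${name}.tinc"; value = host.subnetAddr; }) hosts;` keeps it as one statement. The enclosing attribute set begins before this hunk.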
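Review bot: `types.attrsOf types.str` for `cloaking-rules` accepts any string, yet each attribute name and value is written verbatim into the generated dnscrypt-proxy rules file as `name ip` in the settings hunk of default.nix, so a name or value containing whitespace or a newline would silently yield extra or malformed rule lines; the option description should state that contract rather than just "domain -> ip mapping". Suggested wording: `description = "Attribute set mapping a domain name to the IP address dnscrypt-proxy's cloaking_rules should answer with; names and addresses must be single tokens without whitespace.";`. Adding an `example = { "host.tinc" = "10.0.0.1"; };` (constructed value) would also make the expected shape obvious in the generated option docs.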
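Review bot: `concatStringsSep "\n"` leaves the generated `cloaking_rules.txt` without a trailing newline and yields an empty file when `cfg.cloaking-rules` is `{ }`, which dnscrypt-proxy probably tolerates but is worth confirming, since the `cloaking_rules` key is now always set even for hosts that define no rules. Emitting one terminated line per entry is simpler: `cloaking_rules = pkgs.writeText "cloaking_rules.txt" (lib.concatStrings (lib.mapAttrsToList (name: ip: "${name} ${ip}\n") cfg.cloaking-rules));`, and guarding the assignment with `lib.mkIf (cfg.cloaking-rules != { })` would keep the previous configuration unchanged when the set is empty. The file is written to the world-readable Nix store, which matches the old `networking.extraHosts` behaviour but is worth noting for anyone adding non-public mappings later. The enclosing settings attribute set starts before this hunk.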