diff --git a/hosts/tatos/services/dns.nix b/hosts/tatos/services/dns.nix
new file mode 100644
index 0000000..e2c19ef
--- /dev/null
+++ b/hosts/tatos/services/dns.nix
@@ -0,0 +1,28 @@
+{ lib, ... }:
+
+let dnsport = 53; in
+{
+ services.dnscrypt-proxy2.settings.listen_addresses = [ "[::1]:51" ];
+
+ # Forward loopback traffic on port 53 to dnscrypt-proxy2.
+ networking.firewall.extraCommands = ''
+ ip6tables --table nat --flush OUTPUT
+ ${lib.flip (lib.concatMapStringsSep "\n") [ "udp" "tcp" ] (proto: ''
+ ip6tables --table nat --append OUTPUT \
+ --protocol ${proto} --destination ::1 --destination-port 53 \
+ --jump REDIRECT --to-ports 51
+ '')}
+ '';
+
+ networking.firewall = {
+ allowedTCPPorts = [ dnsport ];
+ allowedUDPPorts = [ dnsport ];
+ };
+
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ interface = "wg0";
+ };
+ };
+};
diff --git a/hosts/tatos/services/wireguard/default.nix b/hosts/tatos/services/wireguard/default.nix
index cb33cd3..3d54ab4 100644
--- a/hosts/tatos/services/wireguard/default.nix
+++ b/hosts/tatos/services/wireguard/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 # Source: https://habr.com/ru/companies/xakep/articles/699000/
@@ -9,8 +9,6 @@ let
 port = tatosData.wireguard.port;
 update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
-
- dnsport = 53;
 in
 {
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@@ -23,18 +21,6 @@ in
 internalInterfaces = [ "wg0" ];
 };
- networking.firewall = {
- allowedTCPPorts = [ dnsport ];
- allowedUDPPorts = [ dnsport port ];
- };
-
- services.dnsmasq = {
- enable = true;
- settings = {
- interface = "wg0";
- };
- };
-
 environment.systemPackages = [ update_ru_routes ];
 networking.wg-quick.interfaces = {
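Review bot: The `networking.firewall` block in the new dns.nix opens TCP and UDP 53 on every interface, while dnsmasq is only meant to serve `wg0` (`interface = "wg0"`), so the resolver port is reachable from the external interface and the host becomes a candidate open resolver; scope the rule to the tunnel with `networking.firewall.interfaces.wg0 = { allowedTCPPorts = [ dnsport ]; allowedUDPPorts = [ dnsport ]; };` and consider `bind-interfaces = true;` in the dnsmasq settings so the socket itself is not bound on other addresses. The `ip6tables --table nat --flush OUTPUT` in `extraCommands` wipes the whole built-in chain, which presumably also removes any jump NixOS's own NAT module places there (the wireguard file enables `networking.nat`); deleting just the two REDIRECT rules before re-appending them, or using a dedicated chain, is safer than a flush. The redirect also covers only `::1`, so `127.0.0.1:53` is not sent to dnscrypt-proxy2 and, if dnsmasq listens on loopback as it does by default, IPv4 and IPv6 loopback lookups take different paths — worth a comment such as `# Only ::1 is redirected; 127.0.0.1:53 still reaches dnsmasq directly.` if that is intended.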
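Review bot: The removed `allowedUDPPorts = [ dnsport port ];` in this hunk also dropped `port`, the WireGuard listen port, and the new dns.nix only re-adds `dnsport`, so after this commit the firewall no longer admits WireGuard handshakes unless that port is opened somewhere outside this diff (for example in the wg-quick interface definition that continues below the hunk). Since the port belongs to the tunnel rather than the resolver, keep it in this file next to the NAT settings: `networking.firewall.allowedUDPPorts = [ port ];`. The enclosing attribute set ends outside the hunk, so confirm nothing further down already covers it.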