diff --git a/system/services/dnsmasq/default.nix b/system/services/dnsmasq/default.nix
new file mode 100644
index 0000000..df5acb3
--- /dev/null
+++ b/system/services/dnsmasq/default.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.dnsmasq = {
+ enable = true;
+ resolveLocalQueries = true;
+ settings = {
+ listen-address = "127.0.0.1";
+ port = 53535; # anything that’s free
+ };
+ };
+}
diff --git a/system/services/resolved/default.nix b/system/services/resolved/default.nix
index 978a2fe..3201276 100644
--- a/system/services/resolved/default.nix
+++ b/system/services/resolved/default.nix
@@ -6,6 +6,9 @@
 networking.nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
 services.resolved = {
+ extraConfig = ''
+ DNS=127.0.0.1:53535 # resolved → dnsmasq, non-standard port OK
+ '';
 enable = true;
 dnssec = "true";
 domains = ["~."];
diff --git a/system/services/services.nix b/system/services/services.nix
index d90b107..02fc57d 100644
--- a/system/services/services.nix
+++ b/system/services/services.nix
@@ -8,5 +8,6 @@
 ./tailscale/default.nix
 ./syncthing/default.nix
 ./resolved/default.nix
+ ./dnsmasq/default.nix
 ];
 }
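Review bot: `resolveLocalQueries = true` in the new dnsmasq module conflicts with `port = 53535`: as I understand the NixOS option, it adds 127.0.0.1 to the system resolver list, which implies port 53, where this dnsmasq instance does not listen. Since resolved is the front-end here, `resolveLocalQueries = false;` looks like what is intended. `listen-address` on its own still lets dnsmasq bind the wildcard address and filter by destination, so adding `bind-interfaces = true;` under `settings` would keep the socket on loopback only. No `server` entries are set, so where dnsmasq forwards to depends on the generated resolv.conf; confirm it does not point back at resolved and create a loop.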
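Review bot: The trailing `# resolved → dnsmasq, non-standard port OK` on the `DNS=` line sits inside the `''` string, so it is written into resolved.conf as part of the value. systemd configuration files only recognise `#` as a comment at the start of a line, so resolved will try to parse each of those words as a server address. Put the comment on its own line above `DNS=127.0.0.1:53535`, or make it a Nix comment above `extraConfig`. Separately, `networking.nameservers` in the context line still lists the two 1.1.1.1 entries and the `DNS=` settings are presumably merged, so resolved may bypass dnsmasq. For queries that do take the local hop, dnsmasq forwards in plaintext, so any DNS-over-TLS setting for those upstreams (not visible in this hunk; the `services.resolved` block continues past it) would not protect them.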