diff --git a/hosts/gatekeeper/configuration.nix b/hosts/gatekeeper/configuration.nix
index ed30b6d..718cda2 100644
--- a/hosts/gatekeeper/configuration.nix
+++ b/hosts/gatekeeper/configuration.nix
@@ -131,6 +131,7 @@
 clerie.nginx-port-forward = {
 enable = true;
+ resolver = "127.0.0.53";
 tcpPorts."443" = {
 host = "localhost";
 port = 22;
diff --git a/hosts/porter/configuration.nix b/hosts/porter/configuration.nix
index 2c873a4..fa7da12 100644
--- a/hosts/porter/configuration.nix
+++ b/hosts/porter/configuration.nix
@@ -28,8 +28,19 @@
 profiles.clerie.common-webserver.httpDefaultVirtualHost = false;
+ services.unbound = {
+ enable = true;
+ resolveLocalQueries = false;
+ settings = {
+ server = {
+ interface = [ "127.0.0.1" ];
+ };
+ };
+ };
+
 clerie.nginx-port-forward = {
 enable = true;
+ resolver = "127.0.0.1";
 tcpPorts."80" = {
 host = "baikonur.dyn.weimarnetz.de";
 port = 80;
diff --git a/modules/nginx-port-forward/default.nix b/modules/nginx-port-forward/default.nix
index 7d6e2f3..64e1464 100644
--- a/modules/nginx-port-forward/default.nix
+++ b/modules/nginx-port-forward/default.nix
@@ -9,7 +9,7 @@ let
 mkServerBlock = isUDP: port: forward: ''
 server {
- resolver 127.0.0.53 ipv4=off valid=30s;
+ resolver ${cfg.resolver} ipv4=off valid=30s;
 listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
 listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
@@ -54,6 +54,10 @@ in
 options = {
 clerie.nginx-port-forward = {
 enable = mkEnableOption "Nginx Port Forward";
+ resolver = mkOption {
+ type = types.str;
+ description = "IP address of the resolver to use for upstream hostnames";
+ };
 tcpPorts = mkOption {
 type = with types; attrsOf (submodule portOpts);
 default = {};
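Review bot: In hosts/porter/configuration.nix the loopback address now appears twice, once in `services.unbound.settings.server.interface` and once in `clerie.nginx-port-forward.resolver`, and nothing ties the two together or says why this host runs its own resolver. A short comment above the unbound block would cover it, e.g. `# loopback-only resolver for nginx-port-forward; keep in sync with clerie.nginx-port-forward.resolver`. Because the forwarder sends port 80 traffic to whatever `baikonur.dyn.weimarnetz.de` resolves to, the comment should also say whether unbound's DNSSEC validation is expected to stay enabled. It is also worth recording why `resolveLocalQueries = false` keeps the rest of the system off this resolver.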
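Review bot: In the first hunk of modules/nginx-port-forward/default.nix, the new `resolver ${cfg.resolver} ipv4=off valid=30s;` line makes the address configurable but keeps `ipv4=off` and `valid=30s` fixed. The module therefore still asks only for AAAA records and caches answers for 30 seconds regardless of TTL, whichever resolver a host selects. If that is intentional, a comment above the directive would spare the next reader from debugging an upstream that has only A records, e.g. `# AAAA only on purpose; answers cached 30s regardless of TTL`. The body of mkServerBlock continues past the end of the hunk, so the rest of the server block was not reviewed.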
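Review bot: The new `resolver` option in modules/nginx-port-forward/default.nix is a plain `types.str` that is spliced verbatim into the nginx `resolver` directive. A typo, a stray `;` or a malformed address would therefore surface only when nginx rejects the generated configuration. Consider narrowing the type to what the description promises, e.g. `type = types.strMatching "[0-9.]+|\\[[0-9a-fA-F:]+\\]";`, and adding `example = "127.0.0.53";`. The option has no default, so any host that enables the module without setting it will presumably fail evaluation; if that is the intent, the description should say the option is mandatory and that the value is inserted unmodified.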