diff --git a/src/system/modules/nginx/default.nix b/src/system/modules/nginx/default.nix
index 428f922..35d88d1 100644
--- a/src/system/modules/nginx/default.nix
+++ b/src/system/modules/nginx/default.nix
@@ -35,6 +35,16 @@ in
       recommendedGzipSettings = true;
       eventsConfig = "worker_connections 4096;";
 
+      # Catch-all default - reject unknown hosts instead of falling back
+      virtualHosts."_" = {
+        default = true;
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/" = {
+          return = "444";  # Close connection without response
+        };
+      };
+
       virtualHosts."test.${domain}" = {
         useACMEHost = domain;
         forceSSL = true;