diff --git a/src/system/machines/desktop/system.nix b/src/system/machines/desktop/system.nix
index e09b06b..ba97169 100644
--- a/src/system/machines/desktop/system.nix
+++ b/src/system/machines/desktop/system.nix
@@ -94,20 +94,7 @@ in
 enable = true;
 allowedTCPPorts = [ 22 80 443 ];
 };
- nameservers = [ "127.0.0.1" ];
- };
-
- services.dnsmasq = {
- enable = true;
- settings = {
- # Only specific subdomains go to local server
- address = [
- "/git.ramos.codes/192.168.0.154"
- "/frigate.ramos.codes/192.168.0.154"
- "/test.ramos.codes/192.168.0.154"
- ];
- server = [ "1.1.1.1" "8.8.8.8" ];
- };
+ nameservers = [ "192.168.0.154" ];
 };
 
 services = {
diff --git a/src/system/machines/server/system.nix b/src/system/machines/server/system.nix
index 36a4503..da10a7a 100644
--- a/src/system/machines/server/system.nix
+++ b/src/system/machines/server/system.nix
@@ -109,6 +109,23 @@
 };
 };
 
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ # All *.ramos.codes subdomains -> local server
+ address = "/.ramos.codes/192.168.0.154";
+ # Except www -> forward to upstream
+ server = [
+ "/www.ramos.codes/1.1.1.1"
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
+ cache-size = 1000;
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ 53 ];
+
 services.fail2ban = {
 enable = true;
 maxretry = 5;
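Review bot: The desktop now has a single resolver, `nameservers = [ "192.168.0.154" ];`, so every lookup on this machine fails whenever that host (presumably the server running the new dnsmasq) is down, and the line carries no comment saying so. If the missing fallback is deliberate, record it on the line, e.g. `# DNS comes from dnsmasq on the server; no public fallback, which would bypass the *.ramos.codes overrides`. The address is also repeated as a literal in both files, so a shared binding would keep the desktop and server configs from drifting apart. The enclosing `networking` attribute set starts outside this hunk, so whether DHCP-supplied resolvers are also in play cannot be judged from here.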
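Review bot: `networking.firewall.allowedUDPPorts = [ 53 ];` opens DNS on every interface, and the new `services.dnsmasq.settings` sets no `interface`, `listen-address` or `local-service`. If this server has an internet-reachable interface (not visible in this hunk), the forwarder to 1.1.1.1/8.8.8.8 would answer any sender and could be abused as an open resolver for amplification. Scope both layers to the LAN: replace the firewall line with `networking.firewall.interfaces."<LAN_IFACE>".allowedUDPPorts = [ 53 ];` (placeholder interface name) and add `local-service = true;` or `interface = "<LAN_IFACE>";` inside `settings`. DNS retries truncated answers over TCP, so TCP 53 needs the same interface-scoped rule if large responses are expected; the rest of the server's firewall block is outside this hunk.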