diff --git a/hosts/skydick/default.nix b/hosts/skydick/default.nix
index 0e91e0b..92d9be1 100644
--- a/hosts/skydick/default.nix
+++ b/hosts/skydick/default.nix
@@ -92,7 +92,9 @@
 address = "10.0.0.1";
 interface = "bond0";
 };
- nameservers = [ "10.0.0.1" "223.5.5.5" ];
+ # Single primary so systemd-resolved doesn't load-balance us off to a
+ # resolver that has no analytics-blocking. Fallback handled below.
+ nameservers = [ "10.0.0.1" ];
 
 # Prefer IPv4 for outbound connections — IPv6 goes through wg-outbound
 # on 10.0.0.1 which masquerades with ULA (not globally routable)
@@ -104,6 +106,14 @@
 };
 };
 
+ # DNS routed through the network's mosdns at 10.0.0.1 so this host inherits
+ # CN-aware split routing and analytics blocking. AliDNS is the first
+ # fallback (close, clean, no GFW games), Cloudflare second.
+ services.resolved = {
+ enable = true;
+ fallbackDns = [ "223.5.5.5" "1.1.1.1" ];
+ };
+
 # Wait only for bond0, not individual member ports — a disconnected port
 # (cable maintenance) should not stall boot by 2 minutes.
 systemd.network.wait-online.anyInterface = true;
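Review bot: The new comment's "Fallback handled below" in the first hunk promises a failover that `fallbackDns` in the second hunk does not deliver. systemd-resolved consults FallbackDNS only when no other DNS server is known, and with `nameservers = [ "10.0.0.1" ]` set one always is (assuming this list feeds resolved's global DNS setting; the enclosing attribute set starts outside the hunk). If mosdns on 10.0.0.1 stops answering, lookups on this host will therefore fail rather than move to 223.5.5.5. That fail-closed behaviour keeps the blocking policy intact, so it may be the right outcome, but the comment should say so, e.g. `# Sole resolver: if 10.0.0.1 is down, lookups fail instead of bypassing the filter.`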
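Review bot: The block comment above `services.resolved` does not record that both `fallbackDns` entries are public resolvers with none of the mosdns filtering. Nothing in this block sets DNS-over-TLS or DNSSEC either, so unless those are configured elsewhere in the file, any query that does reach the fallbacks presumably leaves the host in plaintext and unfiltered. Decide which failure mode is intended and write it down. For fail-closed, `fallbackDns = [ ];` should also switch off resolved's built-in fallback list on recent NixOS releases (worth confirming for the release in use). If the bypass is acceptable, add a line such as `# NOTE: fallback resolvers are unfiltered; used only when no DNS server is configured.`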