diff --git a/hosts/skydick/default.nix b/hosts/skydick/default.nix
index 92d9be1..324c62e 100644
--- a/hosts/skydick/default.nix
+++ b/hosts/skydick/default.nix
@@ -97,7 +97,12 @@
 nameservers = [ "10.0.0.1" ];
 # Prefer IPv4 for outbound connections — IPv6 goes through wg-outbound
-# on 10.0.0.1 which masquerades with ULA (not globally routable)
+# on 10.0.0.1 which masquerades with ULA (not globally routable).
+# `enableIPv6 = false` alone doesn't stop the kernel from processing
+# router advertisements on bond0 — the gateway's radvd was leaking
+# an IPv6 link-DNS (fd99:23eb:1682::1) into systemd-resolved, which
+# then took precedence for AAAA queries and broke clean NXDOMAIN.
+# Explicitly drop RAs on bond0.
 enableIPv6 = false;
 firewall = {
@@ -159,6 +164,13 @@
 };
 boot.kernel.sysctl = {
+# IPv6 RA suppression — see networking.enableIPv6 = false. Without
+# these, the gateway's radvd kept seeding fd99:23eb:1682::1 as a
+# link-DNS on bond0, breaking clean NXDOMAIN for AAAA queries.
+"net.ipv6.conf.all.accept_ra" = 0;
+"net.ipv6.conf.default.accept_ra" = 0;
+"net.ipv6.conf.bond0.accept_ra" = 0;
+# Network buffers for high-throughput storage
 "net.core.rmem_max" = 134217728;
 "net.core.wmem_max" = 134217728;
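Review bot: The per-interface key `"net.ipv6.conf.bond0.accept_ra" = 0;` in the `boot.kernel.sysctl` hunk is only applied if bond0 already exists when sysctls are written at boot; if the bond is brought up later, the write is skipped with only a logged error, and since IPv6 `conf/all/*` values are not reliably propagated to already-existing interfaces, the RA leak this commit fixes could quietly return. Either note in the comment that the `all`/`default` entries are the ones expected to cover bond0 and why, or set the per-link value through whatever creates the bond (for a systemd-networkd managed bond that would be `IPv6AcceptRA = false` in the bond0 network unit). The comment added above `enableIPv6 = false;` ends with "Explicitly drop RAs on bond0." while sitting next to an option that does not do that; suggest `# Explicitly drop RAs on bond0 — see the accept_ra entries in boot.kernel.sysctl.` so a reader does not take `enableIPv6 = false` as the fix, and the sysctl comment's "see networking.enableIPv6 = false" would likewise be clearer as a pointer to that comment rather than the option. The `networking` attribute set enclosing the first hunk starts and ends outside it, and the sysctl set in the second hunk continues past the last visible line.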