diff --git a/hosts/xlab-gateway/networking.nix b/hosts/xlab-gateway/networking.nix
index 3aad638..eb24c27 100644
--- a/hosts/xlab-gateway/networking.nix
+++ b/hosts/xlab-gateway/networking.nix
@@ -293,7 +293,11 @@
 "ntp1.aliyun.com" "ntp.ntsc.ac.cn" ];
- DNS = [ "166.111.8.28" "166.111.8.29" ];
+ # Don't set link-specific DNS on the WAN. Tsinghua's resolvers
+ # (166.111.8.28/29) are subject to GFW DNS poisoning, and link-DNS
+ # would override the global services.resolved policy. Global DNS
+ # (10.0.0.1 → mosdns) handles CN routing internally; resolved's
+ # fallbackDns covers the case when 10.0.0.1 is unreachable.
 DHCP = "yes";
 };
 dhcpV4Config = {
@@ -349,6 +353,21 @@
 };
 # ===========================================================================
+ # DNS RESOLUTION
+ # ===========================================================================
+ # Route DNS through the network's local mosdns at 10.0.0.1 so this host
+ # inherits CN-aware split routing and the analytics blocking policy.
+ # Cloudflare is retained as fallback in case 10.0.0.1 is unreachable
+ # (bootstrap, maintenance, or partial outage).
+ services.resolved = {
+ enable = true;
+ fallbackDns = [ "1.1.1.1" "2606:4700:4700::1111" ];
+ extraConfig = ''
+ DNS=10.0.0.1
+ '';
+ };
+
+ # ===========================================================================
 # AGENIX SECRETS
 # ===========================================================================
 age.secrets = {
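Review bot: The comment above the new `services.resolved` block, and the one that replaces the removed `DNS =` line in the first hunk, state that `fallbackDns` covers the case where 10.0.0.1 is unreachable, but systemd-resolved consults FallbackDNS only when no DNS server is known at all (neither from `DNS=` nor from any link); with 10.0.0.1 configured but down, queries time out rather than failing over to Cloudflare, so both comments should say something like `# fallbackDns is used only when no DNS server is configured at all, not when 10.0.0.1 is down.` The WAN also keeps `DHCP = "yes"`, so the resolvers handed out by DHCP become per-link DNS on the default-route interface and are queried for ordinary names unless `dhcpV4Config` (its body lies outside the hunk) sets `UseDNS = false;` — dropping the static list alone does not remove the poisoning exposure the first hunk's comment describes, and the comment should not imply that it does. Separately, NixOS already emits resolved's `DNS=` from `networking.nameservers`, so `networking.nameservers = [ "10.0.0.1" ];` is the idiomatic form; the `extraConfig` line would produce a second `DNS=` entry if `networking.nameservers` is set elsewhere in this file, which the hunk does not show.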