diff --git a/modules/services/trust-dns/default.nix b/modules/services/trust-dns/default.nix
index 01b8e885..97794da0 100644
--- a/modules/services/trust-dns/default.nix
+++ b/modules/services/trust-dns/default.nix
@@ -96,7 +96,13 @@ let
       } // extraConfig
     );
     configPath = "/var/lib/trust-dns/${flavor}-config.toml";
-    sedArgs = lib.mapAttrsToList (key: value: ''-e "s/${key}/${value}/g"'') substitutions;
+    sedArgs = builtins.map (key: ''-e "s/${key}/${substitutions."${key}"}/g"'') (
+      # HACK: %ANATIVE% often expands to one of the other subtitutions (e.g. %AWAN%)
+      # so we must expand it *first*.
+      lib.sortOn
+        (k: if k == "%ANATIVE%" then 0 else 1)
+        (builtins.attrNames substitutions)
+    );
     subs = lib.concatStringsSep " " sedArgs;
   in {
     description = "trust-dns Domain Name Server (serving ${flavor})";