diff --git a/hosts/by-name/servo/services/trust-dns.nix b/hosts/by-name/servo/services/trust-dns.nix
index 34270f72..2d007ffb 100644
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
@@ -39,6 +39,7 @@ in
       CNAME."native" = "%CNAMENATIVE%";
       A."@" = "%ANATIVE%";
       A."servo.wan" = "%AWAN%";
+      A."servo.doof" = "%ADOOF%";
       A."servo.lan" = config.sane.hosts.by-name."servo".lan-ip;
       A."servo.hn" = config.sane.hosts.by-name."servo".wg-home.ip;
@@ -87,31 +88,34 @@ in
   sane.services.trust-dns.enable = true;
   sane.services.trust-dns.instances = let
     mkSubstitutions = flavor: {
+      "%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
+      "%ANATIVE%" = nativeAddrs."servo.${flavor}";
+      "%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
       "%AWAN%" = "$(cat '${dyn-dns.ipPath}')";
       "%CNAMENATIVE%" = "servo.${flavor}";
-      "%ANATIVE%" = nativeAddrs."servo.${flavor}";
-      "%ADOOF%" = config.sane.netns.doof.netnsPubIpv4;
-      "%AOVPNS%" = config.sane.netns.ovpns.netnsPubIpv4;
     };
   in {
-    wan = {
-      substitutions = mkSubstitutions "wan";
-      listenAddrsIpv4 = [
-        nativeAddrs."servo.lan"
-        config.sane.netns.ovpns.hostVethIpv4
-        config.sane.netns.doof.hostVethIpv4
-      ];
+    doof = {
+      substitutions = mkSubstitutions "doof";
+      listenAddrsIpv4 = [ config.sane.netns.doof.hostVethIpv4 ];
+    };
+    hn = {
+      substitutions = mkSubstitutions "hn";
+      listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
+      port = 1053;
     };
     lan = {
       substitutions = mkSubstitutions "lan";
       listenAddrsIpv4 = [ nativeAddrs."servo.lan" ];
       port = 1053;
     };
-    hn = {
-      substitutions = mkSubstitutions "hn";
-      listenAddrsIpv4 = [ nativeAddrs."servo.hn" ];
-      port = 1053;
+    wan = {
+      substitutions = mkSubstitutions "wan";
+      listenAddrsIpv4 = [
+        nativeAddrs."servo.lan"
+        config.sane.netns.ovpns.hostVethIpv4
+      ];
     };
     # hn-resolver = {
     #   # don't need %AWAN% here because we forward to the hn instance.
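Review bot: The added `A."servo.doof"` record sits in the zone body shared by every instance, so the lan and hn views now answer the doof netns public address as well as the new doof view — the same pattern `servo.wan` already follows with `%AWAN%`, but nothing on the line says where the placeholder is sourced from. A one-line comment would save the next reader a trip to `mkSubstitutions`, e.g. `# public IPv4 of the doof netns (substituted per-instance from config.sane.netns.doof.netnsPubIpv4)`. Whether clients on the LAN/hn views should see that address at all is a design choice the hunk does not state; if only the wan view needs it, the record would have to move out of the shared body. The enclosing zone attrset starts and ends outside the hunk.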
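Review bot: The new `doof` instance calls `mkSubstitutions "doof"`, which makes `%ANATIVE%` — and therefore the zone apex `A."@"` — resolve to `nativeAddrs."servo.doof"`, while `servo.doof` itself resolves to `config.sane.netns.doof.netnsPubIpv4`; `nativeAddrs` is defined outside the hunk, so it is not visible here whether a `servo.doof` key exists (a missing key fails evaluation) or whether it is meant to equal the netns public address. If the apex and the `servo.doof` record are intended to differ for this view, that split-horizon detail deserves a comment on the instance, e.g. `# doof view: served on the host side of the doof veth; apex answers nativeAddrs."servo.doof", not the netns public IP`. Note also that `doof` and `wan` are now the only instances without a `port` override, so both presumably bind the module's default port on their respective addresses, which is fine only as long as `hostVethIpv4` and `nativeAddrs."servo.lan"` never coincide. The `instances` attrset continues past the hunk (the commented-out hn-resolver block).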
@@ -153,9 +157,10 @@ in
   };
   sane.services.dyn-dns.restartOnChange = [
-    "trust-dns-wan.service"
-    "trust-dns-lan.service"
+    "trust-dns-doof.service"
     "trust-dns-hn.service"
+    "trust-dns-lan.service"
+    "trust-dns-wan.service"
     # "trust-dns-hn-resolver.service"  # doesn't need restart because it doesn't know about WAN IP
   ];
 }
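Review bot: `restartOnChange` is a hand-maintained mirror of the `instances` attrset (this commit has to touch both), so the next instance added can silently miss a restart and keep serving a stale `%AWAN%` answer until the unit is restarted for some other reason. If the unit naming follows `trust-dns-<instance>.service` as the four entries suggest, deriving the list removes the drift: `restartOnChange = map (n: "trust-dns-${n}.service") (builtins.attrNames config.sane.services.trust-dns.instances);`. The hn-resolver exemption in the trailing comment would then need to become a filter rather than a comment, or can stay as-is while that instance remains commented out. The `sane.services.dyn-dns` attribute and the surrounding braces start outside the hunk.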