diff --git a/modules/services/trust-dns/default.nix b/modules/services/trust-dns/default.nix
index 312510f8e..0f317d087 100644
--- a/modules/services/trust-dns/default.nix
+++ b/modules/services/trust-dns/default.nix
@@ -17,7 +17,14 @@ let
 type = types.listOf types.str;
 default = [ "127.0.0.1" ];
 description = ''
- IP addresses to serve requests from.
+ IPv4 addresses to serve requests from.
+ '';
+ };
+ listenAddrsIpv6 = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = ''
+ IPv6 addresses to serve requests from.
 '';
 };
 substitutions = mkOption {
@@ -78,13 +85,14 @@ let
 };
 });
- mkSystemdService = flavor: { includes, listenAddrsIpv4, port, substitutions, extraConfig, ... }: let
+ mkSystemdService = flavor: { includes, listenAddrsIpv4, listenAddrsIpv6, port, substitutions, extraConfig, ... }: let
 sed = "${pkgs.gnused}/bin/sed";
 configTemplate = toml.generate "trust-dns-${flavor}.toml" (
 (
 lib.filterAttrsRecursive (_: v: v != null) config.services.trust-dns.settings
 ) // {
 listen_addrs_ipv4 = listenAddrsIpv4;
+ listen_addrs_ipv6 = listenAddrsIpv6;
 } // extraConfig
 );
 configPath = "/var/lib/trust-dns/${flavor}-config.toml";
@@ -212,12 +220,14 @@ in
 sane.services.trust-dns.instances.localhost = lib.mkIf cfg.asSystemResolver {
 listenAddrsIpv4 = [ "127.0.0.1" ];
+ listenAddrsIpv6 = [ "::1" ];
 enableRecursiveResolver = true;
 # append zones discovered via DHCP to the resolver config.
 includes = [ "/var/lib/trust-dns/dhcp-configs/*" ];
 };
 networking.nameservers = lib.mkIf cfg.asSystemResolver [
 "127.0.0.1"
+ "::1"
 ];
 services.resolved.enable = lib.mkIf cfg.asSystemResolver (lib.mkForce false);
 };
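Review bot: The unconditional `listen_addrs_ipv6 = listenAddrsIpv6;` entry sits to the right of `config.services.trust-dns.settings` in the `//` merge, so an instance that leaves the new option at its `[ ]` default now overwrites any `listen_addrs_ipv6` a user supplies through `settings` with an empty list. If that pass-through is meant to keep working, emit the key only when the option is set, e.g. `} // lib.optionalAttrs (listenAddrsIpv6 != [ ]) { listen_addrs_ipv6 = listenAddrsIpv6; } // extraConfig`. Otherwise add a comment above the merge stating the precedence (`settings`, then the per-instance listen options, then `extraConfig`), since the bind addresses decide who can reach the resolver. The body of `mkSystemdService` continues past the end of this hunk.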
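Review bot: Adding `"::1"` to both the `localhost` instance and `networking.nameservers` is unconditional, so a host with IPv6 turned off gets a listen address it may not be able to bind and a nameserver entry it cannot reach. Whether trust-dns aborts on a failed bind is not visible here, but with `services.resolved` force-disabled in the same block, a resolver that fails to start would leave the machine without DNS. Consider gating both additions on the host setting, e.g. `listenAddrsIpv6 = lib.optionals config.networking.enableIPv6 [ "::1" ];`, with the same guard around the `"::1"` nameserver entry. Both addresses are loopback-only, so the recursive resolver's network exposure is unchanged by this hunk.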