diff --git a/hosts/servo/services/default.nix b/hosts/servo/services/default.nix
index f716cb1d1..08782d91e 100644
--- a/hosts/servo/services/default.nix
+++ b/hosts/servo/services/default.nix
@@ -17,5 +17,6 @@
     ./postgres.nix
     ./prosody.nix
     ./transmission.nix
+    ./trust-dns
   ];
 }
diff --git a/hosts/servo/services/trust-dns/default.nix b/hosts/servo/services/trust-dns/default.nix
new file mode 100644
index 000000000..ddd8afec0
--- /dev/null
+++ b/hosts/servo/services/trust-dns/default.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+  systemd.services.trust-dns = {
+    description = "trust-dns DNS server";
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.trust-dns}/bin/named \
+          --config ${./uninsane.org.toml} \
+          --zonedir ${./.}
+      '';
+      Type = "simple";
+      Restart = "on-failure";
+      # TODO: hardening
+    };
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+}
diff --git a/hosts/servo/services/trust-dns/uninsane.org.toml b/hosts/servo/services/trust-dns/uninsane.org.toml
new file mode 100644
index 000000000..0893a6a97
--- /dev/null
+++ b/hosts/servo/services/trust-dns/uninsane.org.toml
@@ -0,0 +1,10 @@
+[[zones]]
+## zone: this is the ORIGIN of the zone, aka the base name, '.' is implied on the end
+zone = "uninsane.org"
+
+## zone_type: Primary, Secondary, Hint, Forward
+zone_type = "Primary"
+
+## file: this is relative to the directory above
+file = "uninsane.org.zone"
+
diff --git a/hosts/servo/services/trust-dns/uninsane.org.zone b/hosts/servo/services/trust-dns/uninsane.org.zone
new file mode 100644
index 000000000..506aa9dbf
--- /dev/null
+++ b/hosts/servo/services/trust-dns/uninsane.org.zone
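Review bot: The new `systemd.services.trust-dns` unit runs `named` as root with no sandboxing — `serviceConfig` carries neither `User`/`DynamicUser` nor any `Protect*`/capability option, only the `# TODO: hardening` placeholder — so any parsing bug in a server that is, by the Primary zone it serves, reachable from the whole internet would hand out root on this host. Binding port 53 only needs `CAP_NET_BIND_SERVICE`, so the unit can drop to a dynamic user and keep that single capability; the config and zone directory are read-only Nix store paths, so a strict filesystem view costs nothing. Note also that `--zonedir ${./.}` copies this whole directory into the world-readable store, which is fine for the static zone here but means DNSSEC signing keys or other secrets must never be placed next to it. A starting point for the hardening block, to be checked against what trust-dns actually needs at runtime (e.g. `AF_UNIX` if it ever uses a control socket):

```nix
    serviceConfig = {
      # … unchanged: ExecStart, Type, Restart …
      DynamicUser = true;
      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];
    };
```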
@@ -0,0 +1,75 @@
+$TTL 900
+; SOA record structure:
+; Serial = YYYYMMDDNN, where N is incremented every time this file changes, to trigger secondary NS to re-fetch it.
+; Refresh = how frequently secondary NS should query master
+; Retry = how long secondary NS should wait until re-querying master after a failure (must be < Refresh)
+; Expire = how long secondary NS should continue to reply to queries after master fails (> Refresh + Retry)
+@ IN SOA uninsane.org. admin-dns.uninsane.org. (
+    2022120701 ; Serial
+    4h ; Refresh
+    30m ; Retry
+    7d ; Expire
+    5m) ; Negative response TTL
+
+@ A 97.126.41.123
+; XXX: RFC's specify that the MX record CANNOT BE A CNAME
+mx A 185.157.162.178
+; TODO: we could make native a CNAME of @?
+; or just make all the `CNAME native`s `CNAME @`s?
+native A 97.126.41.123
+ovpns A 185.157.162.178
+
+
+; the nameserver for anything *under* or at uninsane.org is this server.
+@ NS uninsane.org.
+@ MX 10 mx.uninsane.org.
+
+bt CNAME native
+fed CNAME native
+git CNAME native
+imap CNAME native
+ipfs CNAME native
+jacket CNAME native
+jelly CNAME native
+matrix CNAME native
+web.matrix CNAME native
+music CNAME native
+nixcache CNAME native
+pl-dev CNAME native
+rss CNAME native
+sink CNAME native
+
+xmpp CNAME native
+conference.xmpp CNAME native
+pubsub.xmpp CNAME native
+upload.xmpp CNAME native
+vjid.xmpp CNAME native
+
+; _Service._Proto.Name TTL Class SRV Priority Weight Port Target
+_xmpp-client._tcp SRV 0 0 5222 native
+_xmpp-server._tcp SRV 0 0 5269 native
+
+; Sender Policy Framework:
+; +mx => mail passes if it originated from the MX
+; +a => mail passes if it originated from the A address of this domain
+; +ip4:.. => mail passes if it originated from this IP
+; -all => mail fails if none of these conditions were met
+@ TXT "v=spf1 a mx -all"
+
+; DKIM public key:
+mx._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkSyMufc2KrRx3j17e/LyB+3eYSBRuEFT8PUka8EDX04QzCwDPdkwgnj3GNDvnB5Ktb05Cf2SJ/S1OLqNsINxJRWtkVfZd/C339KNh9wrukMKRKNELL9HLUw0bczOI4gKKFqyrRE9qm+4csCMAR79Te9FCjGV/jVnrkLdPT0GtFwIDAQAB"
+
+; DMARC fields :
+; p=none|quarantine|reject: what to do with failures
+; sp = p but for subdomains
+; rua = where to send aggregrate reports
+; ruf = where to send individual failure reports
+; fo=0|1|d|s controls WHEN to send failure reports
+; (1=on bad alignment; d=on DKIM failure; s=on SPF failure);
+; Additionally:
+; adkim=r|s (is DKIM relaxed [default] or strict)
+; aspf=r|s (is SPF relaxed [default] or strict)
+; pct = sampling ratio for punishing failures (default 100 for 100%)
+; rf = report format
+; ri = report interval
+_dmarc TXT "v=DMARC1;p=quarantine;sp=reject;rua=mailto:admin+mail@uninsane.org;ruf=mailto:admin+mail@uninsane.org;fo=1:d:s"
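Review bot: The DKIM record at `mx._domainkey` publishes a 1024-bit RSA key (the `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ…` prefix is the SubjectPublicKeyInfo header of an RSA-1024 key); RFC 8301 directs signers to use at least 2048 bits, and a factored 1024-bit key would let an attacker forge mail that satisfies the `p=quarantine`/`sp=reject` DMARC policy published just below. Rotate to a 2048-bit key under a new selector so the old one can be withdrawn once the mail server is switched, and note that the base64 of a 2048-bit key exceeds the 255-byte limit of a single TXT character-string, so the new record must be written as several quoted strings, e.g. `mx2._domainkey TXT "v=DKIM1; k=rsa; " "p=…first part…" "…remainder…"` (check that trust-dns's zone parser concatenates them as expected). The SPF record `@ TXT "v=spf1 a mx -all"` also authorises the apex A address — 97.126.41.123, the `native` host that fronts every web service in this zone — as a mail source even though mail is delivered via `mx` at 185.157.162.178; if `native` does not itself send mail, tighten it to `@ TXT "v=spf1 mx -all"` so a compromise of one of those services cannot emit SPF-passing mail. Separately, the only NS record is `@ NS uninsane.org.`, pointing at this single trust-dns instance, so the Refresh/Retry/Expire values explained in the SOA comment have no secondary to apply to and the zone, with all the services and mail routing above, disappears whenever this host is down.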