{
  services.dnsmasq = {
    enable = true;
    alwaysKeepRunning = true;
    settings = {
      domain = "lab";
      expand-hosts = true;
      domain-needed = true;

      # interface = "eth0";  # Replace with your real interface
      bind-interfaces = true;

      local = [
        "/lab/"
        "/procopius.dk/"
      ];
      bogus-priv = true;
      no-resolv = true;

      # no-hosts = true; # Prevent 127.0.0.2 etc from leaking in
      server = [
        "8.8.8.8"
        "8.8.4.4"
        "1.1.1.1"
        "1.0.0.1"
      ];

      # Static DNS entry: map hostname to IP (without DHCP)
      address = [
        # Static IPs
        "/dns.lab/192.168.1.53"
        "/traefik.lab/192.168.1.80"
        "/mail.lab/192.168.1.25"
        # "/proxmox-01.lab/192.168.1.205"
        # "/nas-01.lab/192.168.1.226"

        "/mail.procopius.dk/213.32.245.247"

        # Split Horizon DNS
        "/procopius.dk/192.168.1.80"
        "/.procopius.dk/192.168.1.80"
      ];

      cache-size = 10000;

      dhcp-authoritative = true;
      dhcp-range = "192.168.1.100,192.168.1.254,12h";
      dhcp-host = "bc:24:11:58:f5:da,dns,192.168.1.53";
      # "Use 192.168.1.53 as your DNS server."
      dhcp-option = [
        "option:router,192.168.1.1" # router
        "option:dns-server,192.168.1.53" # DNS server (this VM)
      ];

      log-queries = true;
      localise-queries = true;
      log-async = true;
      # log-facility = "/var/log/dnsmasq/dnsmasq.log";
    };
  };

  services.prometheus.exporters.dnsmasq.enable = true;
  services.prometheus.exporters.dnsmasq.openFirewall = true;
}