diff --git a/checks/meshnamed/default.nix b/checks/meshnamed/default.nix
index d5c8d555..fa62b4e1 100644
--- a/checks/meshnamed/default.nix
+++ b/checks/meshnamed/default.nix
@@ -14,7 +14,7 @@
 testScript = ''
 start_all()
 machine.wait_for_unit("meshnamed")
- out = machine.succeed("${pkgs.dnsutils}/bin/dig -p 53535 AAAA foo.7vbx332lkaunatuzsndtanix54.vpn @localhost +short")
+ out = machine.succeed("${pkgs.dnsutils}/bin/dig AAAA foo.7vbx332lkaunatuzsndtanix54.vpn @meshnamed +short")
 print(out)
 assert out.strip() == "fd43:7def:4b50:28d0:4e99:9347:3035:17ef"
 '';
diff --git a/nixosModules/clanCore/meshnamed/default.nix b/nixosModules/clanCore/meshnamed/default.nix
index d6df4dde..804c85de 100644
--- a/nixosModules/clanCore/meshnamed/default.nix
+++ b/nixosModules/clanCore/meshnamed/default.nix
@@ -1,4 +1,7 @@
 { config, lib, pkgs, ... }:
+let
+ localAddress = "fd66:29e9:f422:8dfe:beba:68ec:bd09:7876";
+in
 {
 options.clan.networking.meshnamed = {
 enable = (lib.mkEnableOption "meshnamed") // {
@@ -28,6 +31,24 @@
 };
 };
 config = lib.mkIf config.clan.networking.meshnamed.enable {
+ # we assign this random source address to bind meshnamed to.
+ systemd.network.networks.loopback-addresses = {
+ matchConfig.Name = "lo";
+ networkConfig.Address = [ localAddress ];
+ };
+
+
+ services.resolved.extraConfig = ''
+ [Resolve]
+ DNS=${localAddress}
+ Domains=~${lib.concatMapStringsSep " " (network: network.name) (builtins.attrValues config.clan.networking.meshnamed.networks)}
+ '';
+
+ # for convience, so we can debug with dig
+ networking.extraHosts = ''
+ ${localAddress} meshnamed
+ '';
+
 systemd.services.meshnamed =
 let
 networks = lib.concatMapStringsSep "," (network: "${network.name}=${network.subnet}")
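Review bot: The updated `dig … @meshnamed` line resolves the server name through the `networking.extraHosts` entry and queries meshnamed directly, so the systemd-resolved integration added in the same commit (`DNS=` / `Domains=~…`) is not exercised by this test. A second check that goes through the stub resolver, e.g. `machine.succeed("getent ahosts foo.7vbx332lkaunatuzsndtanix54.vpn")` or a `resolvectl query` on the same name, would cover the path users actually hit. The `testScript` block is otherwise unchanged here.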
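Review bot: `DNS=${localAddress}` in the global `[Resolve]` section makes meshnamed a system-wide resolver, not only the resolver for the `Domains=~…` routing domains; as far as I recall resolved's routing rules, lookups that match no link's routing domain are also sent to the global servers, so meshnamed would receive (and have to refuse) queries for names outside the mesh networks. If that is intended, a comment above the block such as `# DNS= is global: resolved also forwards lookups no link claims to meshnamed` would make the trade-off explicit. Also `# for convience` should read `# for convenience`, and the two consecutive blank lines after the `loopback-addresses` block can be collapsed to one.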
@@ -38,7 +59,10 @@
 after = [ "network.target" ];
 serviceConfig = {
 Type = "simple";
- ExecStart = "${pkgs.callPackage ../../../pkgs/meshname/default.nix { }}/bin/meshnamed -networks ${networks}";
+ ExecStart = "${pkgs.callPackage ../../../pkgs/meshname/default.nix { }}/bin/meshnamed -networks ${networks} -listenaddr [${localAddress}]:53";
+
+ # to bind port 53
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
 DynamicUser = true;
 };
 };
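Review bot: `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]` grants the capability but leaves the bounding set at its default; pairing it with `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` keeps the unit limited to the one capability it needs, which is the usual shape next to `DynamicUser = true`. Separately, the new `-listenaddr [${localAddress}]:53` binds to an address that systemd-networkd assigns to `lo` in the other hunk, while the unit is only ordered `after = [ "network.target" ]`; if meshnamed starts before that address is applied, the bind would presumably fail, so an explicit ordering on `systemd-networkd.service` or a `Restart = "on-failure";` in `serviceConfig` is worth considering. The `systemd.services.meshnamed` definition begins outside this hunk.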