diff --git a/configurations/nixos/x86_64-linux/alnitak.nix b/configurations/nixos/x86_64-linux/alnitak.nix
index 1ef57080d..ef2e5f780 100644
--- a/configurations/nixos/x86_64-linux/alnitak.nix
+++ b/configurations/nixos/x86_64-linux/alnitak.nix
@@ -43,27 +43,27 @@
     args.auth-key = "file:/var/run/agenix/ts-google-9k";
   };
 
-  services.jae.router = {
-    enable = true;
-    useNextDns = true;
-    nextDnsEnvFile = "/var/run/agenix/nextdns";
-    restrictedMacs = [
-      "5c:e0:c5:8a:24:6a"
-      "b4:18:d1:ab:4e:5a"
-    ];
-    upstreamDnsServers = [
-      "2a07:a8c1::"
-      "45.90.30.0"
-      "2a07:a8c0::"
-      "45.90.28.0"
-    ];
-    externalInterface = "enp1s0";
-    internalInterface = "enp2s0";
-    internalInterfaceIP = "192.168.20.1";
-    dnsMasqSettings.no-resolv = true;
-    dnsMasqSettings.bogus-priv = true;
-    dnsMasqSettings.strict-order = true;
-  };
+  # services.jae.router = {
+  #   enable = true;
+  #   useNextDns = true;
+  #   nextDnsEnvFile = "/var/run/agenix/nextdns";
+  #   restrictedMacs = [
+  #     "5c:e0:c5:8a:24:6a"
+  #     "b4:18:d1:ab:4e:5a"
+  #   ];
+  #   upstreamDnsServers = [
+  #     "2a07:a8c1::"
+  #     "45.90.30.0"
+  #     "2a07:a8c0::"
+  #     "45.90.28.0"
+  #   ];
+  #   externalInterface = "enp1s0";
+  #   internalInterface = "enp2s0";
+  #   internalInterfaceIP = "192.168.20.1";
+  #   dnsMasqSettings.no-resolv = true;
+  #   dnsMasqSettings.bogus-priv = true;
+  #   dnsMasqSettings.strict-order = true;
+  # };
 
   age.secrets = {
     ts-google-9k = {
diff --git a/configurations/nixos/x86_64-linux/cygnus.nix b/configurations/nixos/x86_64-linux/cygnus.nix
index a546710d0..58ed33699 100644
--- a/configurations/nixos/x86_64-linux/cygnus.nix
+++ b/configurations/nixos/x86_64-linux/cygnus.nix
@@ -41,11 +41,11 @@
 
   networking.useDHCP = false;
 
-  networking.nameservers = lib.mkForce [];
+  # networking.nameservers = lib.mkForce [];
   services.resolved = {
     enable = true;
     ## have fallbacks in case something is wrong
-    fallbackDns = ["1.0.0.1" "1.1.1.1" "2606:4700:4700::1111" "2606:4700:4700::1001"];
+    # fallbackDns = ["1.0.0.1" "1.1.1.1" "2606:4700:4700::1111" "2606:4700:4700::1001"];
     ## for some reason, systemd-resolved thinks upstream doesn't respond sometimes
     ## so we need to disable caching negative responses (plus some other stuff)
     ## again - this is about using tailscale dns only
@@ -67,7 +67,7 @@
         networkConfig.IPv6PrivacyExtensions = "yes";
         networkConfig.IPv6AcceptRA = "yes";
         ## don't use this by default (rely on tailscale dns only)
-        networkConfig.DNSDefaultRoute = false;
+        # networkConfig.DNSDefaultRoute = false;
       };
     };
   };
diff --git a/configurations/nixos/x86_64-linux/sagittarius.nix b/configurations/nixos/x86_64-linux/sagittarius.nix
index da2c0b613..a63819501 100644
--- a/configurations/nixos/x86_64-linux/sagittarius.nix
+++ b/configurations/nixos/x86_64-linux/sagittarius.nix
@@ -5,7 +5,56 @@
   pkgs,
   lib,
   ...
-}: {
+}:
+let
+  # Detect public IPv4 from the WAN interface
+  getPublicIpv4 = pkgs.writeShellScript "get-public-ipv4" ''
+    ${pkgs.iproute2}/bin/ip -4 -json addr show dev enp1s0f0 scope global | \
+      ${pkgs.jq}/bin/jq -r '.[0].addr_info[0].local // empty'
+  '';
+
+  # Generate Jool NAT64 config with detected IP
+  generateJoolConfig = pkgs.writeShellScript "generate-jool-config" ''
+    PUBLIC_IP=$(${getPublicIpv4})
+
+    if [ -z "$PUBLIC_IP" ]; then
+      echo "ERROR: Could not detect public IPv4 address on enp1s0f0" >&2
+      exit 1
+    fi
+
+    echo "Configuring Jool NAT64 with public IP: $PUBLIC_IP" >&2
+
+    # Generate the JSON config with the detected IP
+    cat > /run/jool-nat64-default.conf <<EOF
+    {
+      "instance": "default",
+      "framework": "netfilter",
+      "global": {
+        "pool6": "64:ff9b::/96",
+        "manually-enabled": true
+      },
+      "pool4": [
+        {
+          "protocol": "TCP",
+          "prefix": "$PUBLIC_IP/32",
+          "port range": "10000-65535"
+        },
+        {
+          "protocol": "UDP",
+          "prefix": "$PUBLIC_IP/32",
+          "port range": "10000-65535"
+        },
+        {
+          "protocol": "ICMP",
+          "prefix": "$PUBLIC_IP/32",
+          "port range": "10000-65535"
+        }
+      ]
+    }
+    EOF
+  '';
+in
+{
   publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINssAv/UibH5i9JxHFFWNNodKzmjYvPxx4mhTys3S1ZX";
 
   bcachefs = {
@@ -82,33 +131,53 @@
 
   services.jae.router = {
     enable = true;
-    useNextDns = true;
-    nextDnsEnvFile = "/var/run/agenix/nextdns";
-    restrictedMacs = [
-      "5c:e0:c5:8a:24:6a"
-      "b4:18:d1:ab:4e:5a"
-    ];
-    upstreamDnsServers = [
-      "2a07:a8c1::"
-      "45.90.30.0"
-      "2a07:a8c0::"
-      "45.90.28.0"
-    ];
+    # restrictedMacs = [
+    #   "5c:e0:c5:8a:24:6a"
+    #   "b4:18:d1:ab:4e:5a"
+    # ];
+    # upstreamDnsServers = [
+    #   "2a07:a8c1::"
+    #   "45.90.30.0"
+    #   "2a07:a8c0::"
+    #   "45.90.28.0"
+    # ];
     externalInterface = "enp1s0f0";
     internalInterface = "enp2s0";
-    internalInterfaceIP = "192.168.20.1";
-    dnsMasqSettings.no-resolv = true;
-    dnsMasqSettings.bogus-priv = true;
-    dnsMasqSettings.strict-order = true;
+    # internalInterfaceIP = "192.168.20.1";
+    # dnsMasqSettings.no-resolv = true;
+    # dnsMasqSettings.bogus-priv = true;
+    # dnsMasqSettings.strict-order = true;
   };
 
-  services.prometheus.exporters = {
-    dnsmasq = {
-      enable = true;
-      dnsmasqListenAddress = "localhost:5342";
+  ## NAT64 configuration for IPv6-only clients to access IPv4 services
+  ## The public IPv4 address is automatically detected from enp1s0f0 at service start.
+  ## Note: While Jool is running, the router itself cannot access IPv4 services.
+  ## Workaround: Temporarily stop Jool when router needs IPv4 access:
+  ##   systemctl stop jool-nat64-default.service
+  ##   systemctl start jool-nat64-default.service
+  networking.jool.enable = true;
+
+  systemd.services.jool-nat64-default = {
+    after = ["network-online.target" "systemd-networkd.service"];
+    wants = ["network-online.target"];
+
+    serviceConfig = {
+      ExecStartPre = [
+        "${pkgs.kmod}/bin/modprobe jool"
+        generateJoolConfig
+      ];
+      ExecStart = lib.mkForce "${pkgs.jool-cli}/bin/jool file handle /run/jool-nat64-default.conf";
+      ExecStop = lib.mkForce "${pkgs.jool-cli}/bin/jool instance remove default";
     };
   };
 
+  # services.prometheus.exporters = {
+  #   dnsmasq = {
+  #     enable = true;
+  #     dnsmasqListenAddress = "localhost:5342";
+  #   };
+  # };
+
   services.vmagent = {
     prometheusConfig = let
       relabel_configs = [
@@ -120,14 +189,14 @@
       ];
     in {
       scrape_configs = [
-        {
-          job_name = "dnsmasq";
-          scrape_interval = "10s";
-          static_configs = [
-            {targets = ["127.0.0.1:9153"];}
-          ];
-          inherit relabel_configs;
-        }
+        # {
+        #   job_name = "dnsmasq";
+        #   scrape_interval = "10s";
+        #   static_configs = [
+        #     {targets = ["127.0.0.1:9153"];}
+        #   ];
+        #   inherit relabel_configs;
+        # }
         {
           job_name = "corerad";
           scrape_interval = "10s";
diff --git a/modules/router.nix b/modules/router.nix
index f1997e19e..3ac82b9b5 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -42,17 +42,14 @@
 in {
   options.services.jae.router = with lib.types; {
     enable = mkEnableOption "Whether to enable the router";
-    #disableDns = mkEnableOption "Whether to disable dns server";
-    useNextDns = mkEnableOption "Whether to use nextdns DoH for name resolution";
-    nextDnsEnvFile = mkOption {
-      type = nullOr str;
-      example = "/path/to/envfile";
-      default = null;
-    };
     upstreamDnsServers = mkOption {
       type = listOf str;
       description = "List of upstream dns server addresses.";
     };
+    # disableIPv4 = mkOption {
+    #   type = bool;
+    #   description = "If ipv4 should be disabled on the local network.";
+    # };
     restrictedMacs = mkOption {
       type = listOf str;
       description = "List of mac addresses.";
@@ -115,33 +112,17 @@ in {
           internalInterfaces);
     };
 
-    networking.nat = {
-      enable = true;
-      inherit (cfg) externalInterface;
-      internalInterfaces = internalInterfaceNames;
-    };
+    # networking.nat = {
+    #   enable = !cfg.disableIPv4;
+    #   inherit (cfg) externalInterface;
+    #   internalInterfaces = internalInterfaceNames;
+    # };
 
     environment.persistence."/keep".directories = ["/var/lib/dnsmasq"];
 
-    systemd.timers.kill-nextdns = {
-      description = "Kill nextdns 5 minutes after boot. What a hack.";
-      wantedBy = ["timers.target"];
-      timerConfig.OnBootSec = "5m";
-    };
-    systemd.services.kill-nextdns = {
-      description = "Kill nextdns 5 minutes after boot. What a hack.";
-      after = ["network-online.target"];
-      wants = ["network-online.target"];
-      wantedBy = ["multi-user.target"];
-      serviceConfig = {
-        Type = "oneshot";
-        ExecStartPre = "/run/current-system/sw/bin/pkill -9 nextdns";
-        ExecStart = "/run/current-system/sw/bin/systemctl restart nextdns";
-      };
-    };
+    ## NAT64 (Jool) should be configured per-host in the host configuration
+    ## See configurations/nixos/x86_64-linux/sagittarius.nix for example
 
-    ## enable jool nat64
-    networking.jool.enable = true;
     ## enable ipv6 on local network
     services.corerad = {
       enable = true;
@@ -151,15 +132,6 @@ in {
           prometheus = true;
         };
         interfaces = [
-          {
-            name = "pref64";
-            advertise = true;
-            prefix = [
-              {
-                prefix = "64:ff9b::/96";
-              }
-            ];
-          }
           {
             name = cfg.internalInterface;
             advertise = true;
@@ -179,36 +151,63 @@ in {
       };
     };
 
-    services.dnsmasq.enable = true;
-    services.dnsmasq.resolveLocalQueries = true;
-    services.dnsmasq.settings =
-      {
-        dhcp-range = mapAttrsToList (tag: net: "${tag},${net.base}.10,${net.base}.128,255.255.255.0,24h") internalInterfaces;
-        dhcp-option = (mapAttrsToList (tag: net: "${tag},option:router,${net.address}") internalInterfaces) ++ ["option:dns-server,${cfg.internalInterfaceIP}"];
-        interface = internalInterfaceNames;
-      }
-      // {
-        server = mkIf (!cfg.useNextDns) cfg.upstreamDnsServers;
-        # server = mkMerge [
-        #   (mkIf (!cfg.useNextDns) cfg.upstreamDnsServers)
-        #   (mkIf cfg.useNextDns ["127.0.0.1#5555"])
-        # ];
-        dhcp-authoritative = true;
-        dhcp-leasefile = "/var/lib/dnsmasq/dnsmasq.leases";
-        add-mac = "text";
-        add-subnet = "32,128";
-        port = 5342;
-      }
-      // cfg.dnsMasqSettings;
+    #     . {
+    #     bind ::
+    #     dns64 64:ff9b::/96
+    #     forward . tls://2606:4700:4700::1111 {
+    #         tls_servername 1dot1dot1dot1.cloudflare-dns.com
+    #     }
+    #     cache 30
+    #     log
+    #     errors
+    # }
 
-    services.resolved.enable = false;
-    services.nextdns.enable = cfg.useNextDns;
-    services.nextdns.arguments = (flatten (map (mac: ["-profile" "${mac}=\${KIDSDNS_ID}"]) cfg.restrictedMacs)) ++ ["-profile" "${cfg.internalInterfaceIP}/24=\${NEXTDNS_ID}" "-cache-size" "10MB" "-discovery-dns" "127.0.0.1:5342" "-report-client-info" "-listen" "${cfg.internalInterfaceIP}:53" "-listen" "127.0.0.1:53"];
-    systemd.services.nextdns = mkIf cfg.useNextDns {
-      serviceConfig.EnvironmentFile = cfg.nextDnsEnvFile;
-      after = ["systemd-networkd-wait-online.service"];
+    services.coredns = {
+      enable = true;
+      config = ''
+        . {
+            bind ::
+            dns64 64:ff9b::/96
+            forward . tls://2606:4700:4700::1111 {
+                tls_servername 1dot1dot1dot1.cloudflare-dns.com
+            }
+            cache 300
+            log
+        }
+      '';
     };
 
+    # services.dnsmasq.enable = true;
+    # services.dnsmasq.resolveLocalQueries = true;
+    # services.dnsmasq.settings =
+    #   {
+    #     dhcp-range = lib.mkIf (!cfg.disableIPv4) mapAttrsToList (tag: net: "${tag},${net.base}.10,${net.base}.128,255.255.255.0,24h") internalInterfaces;
+    #     dhcp-option = lib.mkIf (!cfg.disableIPv4) (mapAttrsToList (tag: net: "${tag},option:router,${net.address}") internalInterfaces) ++ ["option:dns-server,${cfg.internalInterfaceIP}"];
+    #     interface = internalInterfaceNames;
+    #     except-interface = cfg.externalInterface;
+    #   }
+    #   // {
+    #     server = mkIf (!cfg.useNextDns) cfg.upstreamDnsServers;
+    #     # server = mkMerge [
+    #     #   (mkIf (!cfg.useNextDns) cfg.upstreamDnsServers)
+    #     #   (mkIf cfg.useNextDns ["127.0.0.1#5555"])
+    #     # ];
+    #     dhcp-authoritative = true;
+    #     dhcp-leasefile = "/var/lib/dnsmasq/dnsmasq.leases";
+    #     add-mac = "text";
+    #     add-subnet = "32,128";
+    #     port = 5342;
+    #   }
+    #   // cfg.dnsMasqSettings;
+
+    services.resolved.enable = false;
+    # services.nextdns.enable = cfg.useNextDns;
+    # services.nextdns.arguments = (flatten (map (mac: ["-profile" "${mac}=\${KIDSDNS_ID}"]) cfg.restrictedMacs)) ++ ["-profile" "${cfg.internalInterfaceIP}/24=\${NEXTDNS_ID}" "-cache-size" "10MB" "-discovery-dns" "127.0.0.1:5342" "-report-client-info" "-listen" "${cfg.internalInterfaceIP}:53" "-listen" "127.0.0.1:53"];
+    # systemd.services.nextdns = mkIf cfg.useNextDns {
+    #   serviceConfig.EnvironmentFile = cfg.nextDnsEnvFile;
+    #   after = ["systemd-networkd-wait-online.service"];
+    # };
+
     boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
     boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;
 
diff --git a/profiles/defaults.nix b/profiles/defaults.nix
index 99a6deb36..c661dafe0 100644
--- a/profiles/defaults.nix
+++ b/profiles/defaults.nix
@@ -103,7 +103,7 @@ in {
   home-manager.useUserPackages = true;
   home-manager.useGlobalPkgs = true;
 
-  networking.nameservers = ["1.0.0.1" "1.1.1.1" "2606:4700:4700::1111" "2606:4700:4700::1001"];
+  # networking.nameservers = ["1.0.0.1" "1.1.1.1" "2606:4700:4700::1111" "2606:4700:4700::1001"];
 
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;