diff --git a/data/zones/noc.eh22.intern.zone b/data/zones/noc.eh22.intern.zone
index 1f6a657..e53b328 100644
--- a/data/zones/noc.eh22.intern.zone
+++ b/data/zones/noc.eh22.intern.zone
@@ -2,5 +2,7 @@ $ORIGIN noc.eh22.intern.
 @ 0 IN SOA auth-dns noc.eh22.easterhegg.eu. 1 7200 3600 3600000 60
 @ 0 IN NS 10.20.25.3.
 auth-dns 0 IN A 10.20.25.3
+grafana 0 IN A 10.20.25.4
 proxmox 0 IN A 10.20.25.1
+resolv-dns 0 IN A 10.20.25.5
 sketchy-router 0 IN A 10.20.25.2
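Review bot: The two added A records (`grafana`, `resolv-dns`) leave the SOA serial on the `@ 0 IN SOA` line at `1`, so any secondary or cache keyed on the serial will not see this change; bump it in the same commit, e.g. `@ 0 IN SOA auth-dns noc.eh22.easterhegg.eu. 2 7200 3600 3600000 60`. If the serial is rewritten by tooling at deploy time, a comment in the zone header saying so would stop reviewers from raising this on every record change. Unrelated to the added lines, the context record `@ 0 IN NS 10.20.25.3.` uses an IP literal as an NS target, which is not a valid NS name; it presumably works only because the new resolver stubs to the IP directly.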
diff --git a/systems/default.nix b/systems/default.nix
index 255d69f..bac10f0 100644
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -42,6 +42,7 @@ in
 {
   # prod hosts
   "auth-dns.noc.eh22.intern" = mkSystem "x86_64-linux" "auth-dns.noc.eh22.intern";
+  "resolv-dns.noc.eh22.intern" = mkSystem "x86_64-linux" "resolv-dns.noc.eh22.intern";
 
   # staging temp infra
   "sketchy-router.noc.eh22.intern" = mkSystem "x86_64-linux" "sketchy-router.noc.eh22.intern";
diff --git a/systems/resolv-dns.noc.eh22.intern/kresd-config.lua b/systems/resolv-dns.noc.eh22.intern/kresd-config.lua
new file mode 100644
index 0000000..52771e1
--- /dev/null
+++ b/systems/resolv-dns.noc.eh22.intern/kresd-config.lua
@@ -0,0 +1,23 @@
+-- ref: https://www.knot-resolver.cz/documentation/stable/config-overview.html
+
+-- load non-default modules
+modules.load("view")
+modules.load("prefill")
+
+-- define list of internal-only domains
+ehDomains = policy.todnames({'noc.eh22.intern'})
+
+-- for the mgmt-network, forward ehDomains to our authorative server
+view:addr('10.20.25.0/24', policy.suffix(policy.FLAGS({'NO_CACHE'}), ehDomains))
+view:addr('10.20.25.0/24', policy.suffix(policy.STUB({'10.20.25.3'}), ehDomains))
+
+-- allow resolution from our internal network
+view:addr('10.20.25.0/24', policy.all(policy.PASS))
+
+-- precache the root zone to reduce traffic load to it
+prefill.config({
+  ["."] = {
+    url = "https://www.internic.net/domain/root.zone",
+    interval = 24 * 60 * 60,
+  }
+})
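Review bot: The `policy.all(policy.PASS)` rule on the third `view:addr` line only whitelists 10.20.25.0/24; as far as I know the view module resolves queries that match no rule normally, so clients outside that subnet are not refused by this config and the instance behaves as an open resolver unless something else restricts port 53. Appending a catch-all as the final rule closes that, e.g. `view:addr('0.0.0.0/0', policy.all(policy.REFUSE))` plus the `'::/0'` equivalent if the socket also binds IPv6; view rules are evaluated in order, so the catch-all must stay last. Separately, `ehDomains` is assigned without `local` and becomes a global in the config environment; `local ehDomains = policy.todnames({'noc.eh22.intern'})` keeps it scoped to this file.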
diff --git a/systems/resolv-dns.noc.eh22.intern/system.nix b/systems/resolv-dns.noc.eh22.intern/system.nix
new file mode 100644
index 0000000..c6fa428
--- /dev/null
+++ b/systems/resolv-dns.noc.eh22.intern/system.nix
@@ -0,0 +1,36 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+{
+  imports = [ ];
+
+  # configure static IP address
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-mgmtNet" = {
+        matchConfig.MACAddress = "BC:24:11:61:E3:D9";
+        address = [ "10.20.25.5/24" ];
+        gateway = [ "10.20.25.2" ];
+      };
+    };
+  };
+
+  # enable knot resolv server
+  # ref: https://search.nüschtos.de/?query=services.kresd
+  #      https://www.knot-resolver.cz/documentation/stable/
+  services.kresd = {
+    enable = true;
+    instances = 4;
+    listenPlain = [ "53" ];
+    extraConfig = builtins.readFile ./kresd-config.lua;
+  };
+
+  # DO NOT CHANGE
+  # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
+  home-manager.users.noc.home.stateVersion = "24.11";
+  system.stateVersion = "24.11";
+}
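Review bot: `listenPlain = [ "53" ]` binds the resolver on every address of the host rather than only the management interface configured a few lines above; restricting it to `listenPlain = [ "10.20.25.5:53" ];` keeps the listener tied to the subnet the kresd views actually authorize. Nothing in this file opens port 53 in the NixOS firewall, so if the default firewall is active (I cannot see what `mkSystem` imports) the service is unreachable from the network until `networking.firewall.allowedUDPPorts = [ 53 ];` and `networking.firewall.allowedTCPPorts = [ 53 ];` are added, and if it is disabled elsewhere the bind restriction above matters all the more. The host also sets no `networking.nameservers`, so its own lookups (e.g. for the prefill fetch of the root zone over HTTPS) presumably rely on configuration outside this file; worth confirming. Minor: `pkgs` and `lib` are taken as arguments but never used, and `imports = [ ]` can be dropped.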