diff --git a/ansible/hermes.yml b/ansible/hermes.yml index fb6163a..0338a47 100644 --- a/ansible/hermes.yml +++ b/ansible/hermes.yml @@ -19,6 +19,10 @@ changed_when: "'..' in cloudinit.stdout" - name: Gather facts setup: + - name: Copy resolv.conf + copy: + src: resolv.conf + dest: /etc/resolv.conf - name: Update repositories apt: autoremove: true diff --git a/ansible/resolv.conf b/ansible/resolv.conf new file mode 100644 index 0000000..14b2a3d --- /dev/null +++ b/ansible/resolv.conf @@ -0,0 +1 @@ +nameserver 192.168.30.1 diff --git a/ansible/roles/dnsmasq/files/dnsmasq.conf b/ansible/roles/dnsmasq/files/dnsmasq.conf index d33a612..d1657de 100644 --- a/ansible/roles/dnsmasq/files/dnsmasq.conf +++ b/ansible/roles/dnsmasq/files/dnsmasq.conf @@ -13,7 +13,7 @@ expand-hosts # Domain that is used for DHCP on this network domain=dmz # IPv4 DHCP range -dhcp-range=192.168.30.100,192.168.30.200,infinite +dhcp-range=192.168.30.100,192.168.30.200,15m # Predefined DHCP hosts dhcp-host=b8:27:eb:b9:ab:e2,esrom dhcp-host=b4:2e:99:77:1b:da,max,192.168.30.3 @@ -29,11 +29,13 @@ ra-param=*,0,0 # Alias public IP address to local alias=84.245.14.149,192.168.30.3 # Override DNS servers for our domains -server=/pizzapim.nl/192.168.30.7#5353 -server=/geokunis2.nl/192.168.30.7#5353 -server=/pim.kunis.nl/192.168.30.7#5353 +server=/pizzapim.nl/192.168.30.7 +server=/geokunis2.nl/192.168.30.7 +server=/pim.kunis.nl/192.168.30.7 # Enable extended logging log-dhcp log-queries # Resolve dns.dmz to addresses on main NIC interface-name=hermes.dmz,ens3 +# Non-conventional port because we also run nsd on this machine +port=5353 diff --git a/ansible/roles/dnsmasq/tasks/main.yml b/ansible/roles/dnsmasq/tasks/main.yml index 1b2eb21..405be6c 100644 --- a/ansible/roles/dnsmasq/tasks/main.yml +++ b/ansible/roles/dnsmasq/tasks/main.yml 
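Review bot: The added `Copy resolv.conf` task in ansible/hermes.yml writes `/etc/resolv.conf` without `owner`, `group` or `mode`, so the resulting permissions depend on the connecting user's umask or on whatever already sat at that path. Every process on the host reads this file to find its resolver, so I would pin them with `owner: root`, `group: root` and `mode: "0644"`. On hosts where `/etc/resolv.conf` is a symlink owned by a resolver service, or is rewritten by a DHCP client or cloud-init, the copied file may be overwritten later; nothing in the hunk shows which applies, so a short comment on the task saying why the file is managed by hand would help. The play's remaining tasks continue outside the hunk.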
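Review bot: The new `port=5353` at the end of the second dnsmasq.conf hunk moves dnsmasq's DNS service to a port that DHCP clients and stub resolvers do not query, because a resolver address handed out over DHCP or written in resolv.conf implies port 53. After this commit, port 53 on this machine is presumably answered by nsd, which is authoritative-only. The local names from `expand-hosts`/`domain=dmz` and the `alias=` rewrite are then reachable only through something that forwards to 5353, and no such forwarder is visible in this diff. UDP 5353 is also the mDNS port, so the setting can collide with an mDNS responder if one is present on the host. I would extend the comment to name the expected client, e.g. `# Non-conventional port because nsd owns 53 on this machine; <resolver that forwards here> sends dmz queries to this port`.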
@@ -10,8 +10,9 @@ copy: src: "{{ role_path }}/files/dnsmasq.conf" dest: "/etc/dnsmasq.conf" + register: config - name: Enable dnsmasq systemd: name: dnsmasq enabled: true - state: started + state: "{{ 'restarted' if config.changed else 'started' }}" diff --git a/ansible/roles/nsd/files/nsd.conf b/ansible/roles/nsd/files/nsd.conf index ac45565..50939a3 100644 --- a/ansible/roles/nsd/files/nsd.conf +++ b/ansible/roles/nsd/files/nsd.conf @@ -1,6 +1,6 @@ server: ip-address: ens3 - port: 5353 + port: 53 server-count: 1 verbosity: 1 hide-version: yes @@ -15,7 +15,12 @@ zone: zone: name: pizzapim.nl zonefile: pizzapim.nl + provide-xfr: 87.253.155.96/27 NOKEY + provide-xfr: 157.97.168.160/27 NOKEY + zone: name: geokunis2.nl zonefile: geokunis2.nl + provide-xfr: 87.253.155.96/27 NOKEY + provide-xfr: 157.97.168.160/27 NOKEY
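Review bot: The copy task that now registers `config` installs `/etc/dnsmasq.conf` unchecked, and the changed `state:` line then restarts dnsmasq on it, so a syntax error in the file takes DHCP and DNS down on the host at the next run. Adding `validate: "dnsmasq --test --conf-file=%s"` to the copy task makes Ansible reject a broken file before it replaces the working one. As a style point, the inline `'restarted' if config.changed else 'started'` expression is more commonly written as `notify:` on the copy task plus a restart handler, which keeps the restart logic out of the enable task. The copy task begins above the hunk, so its name and any other parameters are not visible here.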
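Review bot: The new `provide-xfr:` lines for both zones in nsd.conf use `NOKEY`, so zone transfers are authorised by source address alone across two /27 ranges, and the transferred data has no integrity protection between this server and the secondaries. If the secondary operator supports TSIG, define a `key:` clause and reference it, e.g. `provide-xfr: 87.253.155.96/27 <tsig-key-name>`, keeping the secret out of the repository in an included file or a vaulted variable. The hunk adds no `notify:` entries for these zones, so unless they exist elsewhere in the file the secondaries will only pick up changes on SOA refresh. `pim.kunis.nl`, which the dnsmasq hunk also forwards to this server, gets no transfer ACL in the visible lines; worth confirming that is intended.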