diff --git a/flake.lock b/flake.lock
index 9a8b705..49f2262 100644
--- a/flake.lock
+++ b/flake.lock
@@ -63,6 +63,29 @@ "type": "github" } }, + "dns": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716554081, + "narHash": "sha256-N70c7NLGdp4zmKTEJa0zViJ8SRIN2OFi22cxN7NR1bk=", + "owner": "NickCao", + "repo": "dns.nix", + "rev": "cd98f05212793e9e8102fcb101748aa135a719b3", + "type": "github" + }, + "original": { + "owner": "NickCao", + "repo": "dns.nix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": {
@@ -395,6 +418,7 @@ "devshell" ], "disko": "disko", + "dns": "dns", "flake-compat": [ "rebmit", "flake-compat"
diff --git a/flake.nix b/flake.nix
index 0193cc7..769cfc9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -69,6 +69,11 @@ rebmit.url = "github:rebmit/nix-exprs"; flake-utils.url = "github:numtide/flake-utils"; + dns = { + url = "github:NickCao/dns.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; # misc
diff --git a/zones/common.nix b/zones/common.nix
new file mode 100644
index 0000000..02ec582
--- /dev/null
+++ b/zones/common.nix
@@ -0,0 +1,24 @@
+let
+ data = builtins.fromJSON (builtins.readFile ./data.json);
+in
+rec {
+ TTL = 60;
+ SOA = {
+ nameServer = "${primary}.rebmit.link.";
+ adminEmail = "noc@rebmit.moe";
+ serial = 0;
+ refresh = 14400;
+ retry = 3600;
+ expire = 604800;
+ minimum = 300;
+ };
+ NS = map (name: "${name}.rebmit.link.") nameservers;
+
+ primary = "reisen-fra0";
+ secondary = [
+ "reisen-sea0"
+ "reisen-nrt0"
+ ];
+ nameservers = [ primary ] ++ secondary;
+ hosts = data.hosts;
+}
diff --git a/zones/rebmit.link.nix b/zones/rebmit.link.nix
new file mode 100644
index 0000000..381c936
--- /dev/null
+++ b/zones/rebmit.link.nix
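Review bot: `serial = 0;` in the shared SOA of `zones/common.nix` never changes, so a secondary (`reisen-sea0`, `reisen-nrt0`) that decides whether to transfer by comparing serials would keep serving the old zone after an edit, including after an address has been removed from `data.json`. Whether the authoritative server rewrites the serial when it loads the generated file is not visible in this commit; if it does, say so next to the field, e.g. `# placeholder: the real serial is assigned by the name server on load`, otherwise derive the value from something that increases with every change. `data.json` is not part of the diff either, so the shape of `hosts` that the zone files rely on (`endpoints`, `endpoints_v4`, `endpoints_v6`) deserves a one-line comment above `hosts = data.hosts;`.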
@@ -0,0 +1,25 @@
+{ dns, lib, ... }:
+with dns.lib.combinators;
+let
+ common = import ./common.nix;
+ hosts = lib.filterAttrs (_name: value: value.endpoints != [ ]) common.hosts;
+in
+dns.lib.toString "rebmit.link" {
+ inherit (common)
+ TTL
+ SOA
+ NS
+ ;
+ subdomains = builtins.mapAttrs (_name: value: {
+ A = value.endpoints_v4;
+ AAAA = value.endpoints_v6;
+ HTTPS = [
+ {
+ alpn = [
+ "h3"
+ "h2"
+ ];
+ }
+ ];
+ }) hosts;
+}
diff --git a/zones/rebmit.moe.nix b/zones/rebmit.moe.nix
new file mode 100644
index 0000000..5085232
--- /dev/null
+++ b/zones/rebmit.moe.nix
@@ -0,0 +1,28 @@
+{ dns, lib, ... }:
+with dns.lib.combinators;
+let
+ common = import ./common.nix;
+ inherit (common.hosts) suwako-vie0;
+in
+dns.lib.toString "rebmit.moe" {
+ inherit (common)
+ TTL
+ SOA
+ NS
+ ;
+ A = suwako-vie0.endpoints_v4;
+ AAAA = suwako-vie0.endpoints_v6;
+ HTTPS = [
+ {
+ alpn = [
+ "h3"
+ "h2"
+ ];
+ }
+ ];
+ subdomains = {
+ keycloak.CNAME = [ "suwako-vie0.rebmit.link." ];
+ matrix.CNAME = [ "suwako-vie0.rebmit.link." ];
+ ntfy.CNAME = [ "suwako-vie0.rebmit.link." ];
+ };
+}
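Review bot: In `zones/rebmit.link.nix` the filter on `hosts` tests `value.endpoints`, but the records are built from `value.endpoints_v4` and `value.endpoints_v6`, so a host whose `endpoints` list is non-empty while both address lists are empty would be published with only an HTTPS record and no address. How the three fields relate is defined in `data.json`, which this commit does not show; filtering on the fields actually used, `value.endpoints_v4 != [ ] || value.endpoints_v6 != [ ]`, removes that dependency. Every entry that passes the filter becomes a public name with its addresses, so a comment above `hosts` stating that `data.json` must only list machines meant to be publicly resolvable would help. `with dns.lib.combinators;` is not used anywhere in this file and can be dropped.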
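Review bot: The `rebmit.moe` zone in `zones/rebmit.moe.nix` is published without a CAA record, although `keycloak`, `matrix` and `ntfy` all live under it, so certificate issuance for these names is not restricted to a particular CA. dns.nix has a CAA record type; something like `CAA = [ { issuerCritical = false; tag = "issue"; value = "<ca-domain-placeholder>"; } ];` next to `A`/`AAAA` would limit issuance to the CA actually in use (check the field names against the pinned dns.nix revision). The three CNAMEs also depend on `suwako-vie0` passing the `endpoints != [ ]` filter in `zones/rebmit.link.nix`; if that host is ever filtered out they point at a name that does not exist, which is worth a comment above `subdomains`.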