diff --git a/data.nix b/data.nix
index b6a8ccf..da0b62b 100644
--- a/data.nix
+++ b/data.nix
@@ -24,6 +24,7 @@ rec {
     immich-server = 3002;
     immich-machine-learning = 3003; # as of writing, hardcoded in the immich module
 
+    nsd-unwrapped = 5353;
     soju = 6697;
     soju-ws = 6698;
     matrix-synapse = 8008;
diff --git a/hosts/fra1-b/configuration.nix b/hosts/fra1-b/configuration.nix
index 213cd7b..650f54d 100644
--- a/hosts/fra1-b/configuration.nix
+++ b/hosts/fra1-b/configuration.nix
@@ -14,6 +14,7 @@ in
     motiejus-passwd-hash.file = ../../secrets/motiejus_passwd_hash.age;
     root-passwd-hash.file = ../../secrets/root_passwd_hash.age;
     sasl-passwd.file = ../../secrets/postfix_sasl_passwd.age;
+    iodine-passwd.file = ../../secrets/iodine.age;
     ssh8022-server = {
       file = ../../secrets/ssh8022.age;
       owner = "spiped";
@@ -115,8 +116,16 @@ in
   };
 
   services = {
+    iodine.server = {
+      enable = true;
+      ip = "172.16.10.1/24";
+      passwordFile = config.age.secrets.iodine-passwd.path;
+      extraConfig = "-p ${toString myData.ports.nsd-unwrapped}";
+    };
+
     nsd = {
       enable = true;
+      port = myData.ports.nsd-unwrapped;
       interfaces = [
         "0.0.0.0"
         "::"
diff --git a/secrets.nix b/secrets.nix
index 24b2477..a053664 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -71,4 +71,5 @@ in
   "secrets/root_passwd_hash.age"
   "secrets/postfix_sasl_passwd.age"
   "secrets/ssh8022.age"
+  "secrets/iodine.age"
 ]
diff --git a/secrets/iodine.age b/secrets/iodine.age
new file mode 100644
index 0000000..805e5a4
Binary files /dev/null and b/secrets/iodine.age differ