diff --git a/options/services.nix b/options/services.nix
index cfb1037..a3020e4 100644
--- a/options/services.nix
+++ b/options/services.nix
@@ -12,5 +12,6 @@ in
     nextcloud.enable = mkEnableOption "nextcloud";
     syncthing.enable = mkEnableOption "syncthing";
     openvpn.enable = mkEnableOption "openvpn";
+    stubby.enable = mkEnableOption "stubby";
   };
 }
diff --git a/profiles/homeserver.nix b/profiles/homeserver.nix
index 4dc0b5d..986815e 100644
--- a/profiles/homeserver.nix
+++ b/profiles/homeserver.nix
@@ -35,6 +35,7 @@
       nextcloud.enable = true;
       syncthing.enable = true;
       openvpn.enable = true;
+      stubby.enable = true;
     };
   };
 }
diff --git a/system/services/default.nix b/system/services/default.nix
index 492e9ee..ba1bb0a 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -9,5 +9,6 @@
     ./syncthing.nix
     ./kavita.nix
     ./openvpn.nix
+    ./stubby.nix
   ];
 }
diff --git a/system/services/stubby.nix b/system/services/stubby.nix
new file mode 100644
index 0000000..e1b1daa
--- /dev/null
+++ b/system/services/stubby.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.profile.services.stubby;
+  inherit (lib) mkIf;
+in
+{
+  config = mkIf cfg.enable {
+    services.stubby = {
+      enable = true;
+      settings = pkgs.stubby.passthru.settingsExample // {
+        upstream_recursive_servers = [
+          {
+            address_data = "1.1.1.1";
+            tls_auth_name = "cloudflare-dns.com";
+          }
+        ];
+      };
+    };
+  };
+}