diff --git a/hosts/ward/microvms/adguardhome.nix b/hosts/ward/microvms/adguardhome.nix
index 0caaf7b..48a6452 100644
--- a/hosts/ward/microvms/adguardhome.nix
+++ b/hosts/ward/microvms/adguardhome.nix
@@ -49,7 +49,6 @@ in {
 bind_host = config.meta.wireguard.proxy-sentinel.ipv4;
 bind_port = 3000;
 dns = {
- edns_client_subnet.enabled = false;
 bind_hosts = [
 # This dummy address passes the configuration check and will
 # later be replaced by the actual interface address.
@@ -60,15 +59,15 @@ in {
 #trusted_proxied = [];
 ratelimit = 60;
 upstream_dns = [
+ "1.1.1.1"
+ "2606:4700:4700::1111"
 "8.8.8.8"
- "8.8.4.4"
- "2001:4860:4860::8888"
 "2001:4860:4860::8844"
 ];
 bootstrap_dns = [
+ "1.1.1.1"
+ "2606:4700:4700::1111"
 "8.8.8.8"
- "8.8.4.4"
- "2001:4860:4860::8888"
 "2001:4860:4860::8844"
 ];
 dhcp.enabled = false;
@@ -82,5 +81,6 @@ in {
 INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show wan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+")
 sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml"
 '';
+ serviceConfig.RestartSec = lib.mkForce "600"; # Retry every 10 minutes
 };
 }
diff --git a/hosts/ward/microvms/grafana.nix b/hosts/ward/microvms/grafana.nix
index 0f50b95..2ab4604 100644
--- a/hosts/ward/microvms/grafana.nix
+++ b/hosts/ward/microvms/grafana.nix
@@ -129,5 +129,8 @@ in {
 };
 };
- systemd.services.grafana.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ systemd.services.grafana = {
+ after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ };
 }
diff --git a/hosts/ward/microvms/influxdb.nix b/hosts/ward/microvms/influxdb.nix
index 54ddfcf..5417c15 100644
--- a/hosts/ward/microvms/influxdb.nix
+++ b/hosts/ward/microvms/influxdb.nix
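Review bot: The entries added to `upstream_dns` in hosts/ward/microvms/adguardhome.nix are bare IP addresses, so AdGuard Home forwards every query as plaintext DNS on port 53, where anything on the path beyond the wan interface can read or alter the answers. AdGuard Home accepts encrypted upstreams in the same list, for example `"https://dns.cloudflare.com/dns-query"` and `"tls://dns.google"`; `bootstrap_dns` would stay as plain IPs, since it is only used to resolve those hostnames. The two lists are now identical element for element, so if they are meant to stay in sync, one `let` binding used in both places would keep them from drifting. The `dns` attribute set starts and ends outside this hunk.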
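Review bot: `serviceConfig.RestartSec = lib.mkForce "600";` makes every automatic restart wait ten minutes, including the first one after a crash, so the resolver stays down for that long. The same line is added for grafana, influxdb2, kanidm, loki and vaultwarden in the hunks that follow, where it also delays the identity and password services and opens a gap in log ingestion. If the aim is to avoid a tight restart loop while the proxy-sentinel device is missing (an assumption, the reason is not stated), a short first delay that backs off gives the same protection on systemd 254 or later: `serviceConfig.RestartSec = "10"; serviceConfig.RestartSteps = 6; serviceConfig.RestartMaxDelaySec = "600";`. The setting only takes effect where `Restart=` is set, which these hunks do not show for the five services that set it without `mkForce`.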
@@ -59,5 +59,8 @@ in {
 };
 };
- systemd.services.influxdb2.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ systemd.services.influxdb2 = {
+ after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ };
 }
diff --git a/hosts/ward/microvms/kanidm.nix b/hosts/ward/microvms/kanidm.nix
index dfb9621..c6bd38f 100644
--- a/hosts/ward/microvms/kanidm.nix
+++ b/hosts/ward/microvms/kanidm.nix
@@ -72,5 +72,8 @@ in {
 };
 };
- systemd.services.kanidm.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ systemd.services.kanidm = {
+ after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ };
 }
diff --git a/hosts/ward/microvms/loki.nix b/hosts/ward/microvms/loki.nix
index e94af50..0817baa 100644
--- a/hosts/ward/microvms/loki.nix
+++ b/hosts/ward/microvms/loki.nix
@@ -127,5 +127,8 @@ in {
 };
 };
- systemd.services.loki.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ systemd.services.loki = {
+ after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ };
 }
diff --git a/hosts/ward/microvms/vaultwarden.nix b/hosts/ward/microvms/vaultwarden.nix
index 7265b6d..b76f87e 100644
--- a/hosts/ward/microvms/vaultwarden.nix
+++ b/hosts/ward/microvms/vaultwarden.nix
@@ -90,5 +90,6 @@ in {
 systemd.services.vaultwarden = {
 after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
 serviceConfig.StateDirectory = lib.mkForce "vaultwarden";
+ serviceConfig.RestartSec = "600"; # Retry every 10 minutes
 };
 }
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 7edd200..ad31253 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -41,6 +41,7 @@ in {
 };
 "10-wan" = {
 DHCP = "yes";
+ dhcpConfig.UseDNS = false;
 #address = [
 # "192.168.178.2/24"
 # "fdee::1/64"
diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix
index 77e8e4d..66e0583 100644
--- a/hosts/zackbiene/net.nix
+++ b/hosts/zackbiene/net.nix
@@ -16,6 +16,7 @@ in {
 systemd.network.networks = {
 "10-lan1" = {
 DHCP = "yes";
+ dhcpConfig.UseDNS = false;
 matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan1.mac;
 networkConfig = {
 IPv6PrivacyExtensions = "yes";
diff --git a/modules/meta/microvms.nix b/modules/meta/microvms.nix
index 11d8809..9e02e78 100644
--- a/modules/meta/microvms.nix
+++ b/modules/meta/microvms.nix
@@ -174,6 +174,7 @@
 "10-${vmCfg.networking.mainLinkName}" = {
 matchConfig.MACAddress = mac;
 DHCP = "yes";
+ dhcpConfig.UseDNS = false;
 networkConfig = {
 IPv6PrivacyExtensions = "yes";
 MulticastDNS = true;
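Review bot: `dhcpConfig.UseDNS = false;` on "10-wan" only stops resolvers supplied over DHCP. With `DHCP = "yes"` the link also runs IPv6, and systemd-networkd accepts DNS servers from router advertisements by default, so a router on that segment can still supply a resolver unless RA is disabled for the link, which the hunk does not show. Adding `ipv6AcceptRAConfig.UseDNS = false;` next to it closes that path; the same applies to "10-lan1" in hosts/zackbiene/net.nix and the VM link in modules/meta/microvms.nix, both of which set `IPv6PrivacyExtensions`. Which resolver these hosts use instead is not visible here, so it is worth confirming that one is configured statically. Each network block continues past the end of its hunk.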