diff --git a/hw/orion/default.nix b/hw/orion/default.nix
index 1abcaa3..384f250 100644
--- a/hw/orion/default.nix
+++ b/hw/orion/default.nix
@@ -17,8 +17,8 @@
 networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ];
 networking.firewall.allowedUDPPorts = [ 53 ];
- # Route internal Metacircular zones to rift's own CoreDNS.
- networking.nameservers = [ "192.168.88.181" "100.95.252.120" ];
+ # DNS: MCNS for internal zones, public resolvers as fallback.
+ networking.nameservers = [ "192.168.88.181" "100.95.252.120" "1.1.1.1" "8.8.8.8" ];
 services.resolved.domains = [ "~mcp.metacircular.net" ];
 };
diff --git a/hw/rift/default.nix b/hw/rift/default.nix
index 3e64b62..8a5f6e0 100644
--- a/hw/rift/default.nix
+++ b/hw/rift/default.nix
@@ -22,8 +22,8 @@
 networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ];
 networking.firewall.allowedUDPPorts = [ 53 ];
- # Route internal Metacircular zones to rift's own CoreDNS.
- networking.nameservers = [ "192.168.88.181" ];
+ # DNS: MCNS for internal zones, public resolvers as fallback.
+ networking.nameservers = [ "192.168.88.181" "1.1.1.1" "8.8.8.8" ];
 services.resolved.domains = [ "~mcp.metacircular.net" ];
 };
 }
diff --git a/hw/straylight/default.nix b/hw/straylight/default.nix
index b7214f0..7a44f76 100644
--- a/hw/straylight/default.nix
+++ b/hw/straylight/default.nix
@@ -7,12 +7,12 @@
 ../../configs/mcpkg.nix
 ];
- # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
- # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
- # while DHCP/Tailscale DNS handles everything else.
+ # DNS: MCNS for internal zones, public resolvers as fallback.
 networking.nameservers = [
 "192.168.88.181"
 "100.95.252.120"
+ "1.1.1.1"
+ "8.8.8.8"
 ];
 services.resolved.domains = [
 "~mcp.metacircular.net"
diff --git a/hw/vade/default.nix b/hw/vade/default.nix
index 8d48da2..d79781c 100644
--- a/hw/vade/default.nix
+++ b/hw/vade/default.nix
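Review bot: Appending `"1.1.1.1"` and `"8.8.8.8"` to `networking.nameservers` in the orion hunk (and likewise in the rift, straylight and vade hunks) does not make them fallback-only: as far as I know systemd-resolved treats every server in its global list as interchangeable, moves to the next one after a timeout, and stays there until that one fails. The `~mcp.metacircular.net` entry in `services.resolved.domains` then routes the internal zone to all of these servers, so after a single MCNS hiccup internal names can be sent in cleartext to the public resolvers and answered from whatever the public zone holds, even once MCNS is reachable again. If split resolution is the goal, a local forwarder that sends only `mcp.metacircular.net` to MCNS and everything else upstream would keep internal lookups off the public path. At minimum the new comment should record the caveat, e.g. `# NOTE: resolved does not prioritise these; internal lookups may reach the public resolvers after a failover.`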
@@ -44,12 +44,16 @@
 # which hijacks all DNS queries through systemd-resolved.
 services.tailscale.extraUpFlags = ["--accept-dns=false"];
- # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
- # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
- # while DHCP/Tailscale DNS handles everything else.
+ # DNS: MCNS for internal zones, public resolvers as fallback.
+ # When MCNS is down, internal names (.svc.mcp.metacircular.net) fail
+ # but external DNS keeps working via 1.1.1.1/8.8.8.8.
+ # Lesson from 2026-04-03 incident: without fallbacks, MCNS failure
+ # causes total DNS blackout including external services.
 networking.nameservers = [
- "192.168.88.181"
- "100.95.252.120"
+ "192.168.88.181" # MCNS (LAN)
+ "100.95.252.120" # MCNS (Tailnet)
+ "1.1.1.1" # Cloudflare (fallback)
+ "8.8.8.8" # Google (fallback)
 ];
 services.resolved.domains = [
 "~mcp.metacircular.net"