diff --git a/hw/vade/default.nix b/hw/vade/default.nix
index c00b67a..f57d09c 100644
--- a/hw/vade/default.nix
+++ b/hw/vade/default.nix
@@ -40,30 +40,14 @@
     ''
   ];
 
-  # Internal Metacircular service addresses via /etc/hosts.
-  networking.hosts = {
-    "100.95.252.120" = [
-      "metacrypt.svc.mcp.metacircular.net"
-      "mcr.svc.mcp.metacircular.net"
-      "mcp-agent.svc.mcp.metacircular.net"
-      "rift.mcp.metacircular.net"
-    ];
-  };
-
-  # Tailscale sets ~. (catch-all) on tailscale0, which hijacks all DNS
-  # queries — even when Tailscale is disconnected. Replace it with a
-  # specific routing domain so normal DNS resolution works.
-  systemd.services.fix-tailscale-dns = {
-    description = "Remove Tailscale DNS catch-all routing";
-    after = [ "network-online.target" "tailscaled.service" ];
-    wants = [ "network-online.target" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      ${pkgs.systemd}/bin/resolvectl domain tailscale0 ~scylla-hammerhead.ts.net
-    '';
-  };
+  # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
+  # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
+  # while DHCP/Tailscale DNS handles everything else.
+  networking.nameservers = [
+    "192.168.88.181"
+    "100.95.252.120"
+  ];
+  services.resolved.domains = [
+    "~mcp.metacircular.net"
+  ];
 }