diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix
index 3a2a95a..53a2e78 100644
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -19,22 +19,36 @@ in
 owner = "pdns";
 group = "pdns";
 };
- "netdata-powerdns.conf" = {
+ "colony-netdata-powerdns.conf" = {
 owner = "netdata";
 group = "netdata";
 };
+
+ "colony-pdns-recursor.conf" = {
+ owner = "pdns-recursor";
+ group = "pdns-recursor";
+ };
+ "colony-netdata-powerdns_recursor.conf" = {
+ owner = "netdata";
+ group = "netdata";
+ };
+ };
+
+ pdns.recursor = {
+ enable = true;
+ extraSettingsFile = config.age.secrets."colony-pdns-recursor.conf".path;
 };
 };
 services = {
 netdata = {
 configDir = {
- "go.d/powerdns.conf" = config.age.secrets."netdata-powerdns.conf".path;
+ "go.d/powerdns.conf" = config.age.secrets."colony-netdata-powerdns.conf".path;
+ "go.d/powerdns_recursor.conf" = config.age.secrets."colony-netdata-powerdns_recursor.conf".path;
 };
 };
 pdns-recursor = {
- enable = true;
 dns = {
 address = [
 "127.0.0.1"
 "::1"
@@ -53,6 +67,10 @@ in
 # DNS NOTIFY messages override TTL
 allow-notify-for = authZones;
 allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
+
+ webserver = true;
+ webserver-address = "::";
+ webserver-allow-from = [ "127.0.0.1" "::1" ];
 };
 };
 };
diff --git a/nixos/modules/pdns.nix b/nixos/modules/pdns.nix
index d2a7a8b..43334e4 100644
--- a/nixos/modules/pdns.nix
+++ b/nixos/modules/pdns.nix
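Review bot: `webserver-address = "::"` binds the recursor's HTTP API/metrics endpoint on every interface of the VM, leaving `webserver-allow-from = [ "127.0.0.1" "::1" ]` as the only thing keeping remote hosts out. If the sole consumer is the netdata collector configured in this same file, binding to loopback is the safer default and turns the ACL into defense in depth rather than the single control: `webserver-address = "127.0.0.1";` (or `"::1"`, whichever address the collector's URL actually uses). Whether an API key or password is configured for the webserver cannot be seen here, since it presumably lives in the age-encrypted extra settings; a one-line comment above `webserver = true;` stating that the key is set there would make that dependency explicit. The enclosing `dns` attribute set starts in the previous hunk.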
@@ -162,7 +162,17 @@ let
 cfg = config.my.pdns;
+ extraSettingsOpt = with lib.types; mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets).";
 baseAuthSettings = pkgs.writeText "pdns.conf" (settingsToLines cfg.auth.settings);
+ baseRecursorSettings = pkgs.writeText "pdns-recursor.conf" (settingsToLines config.services.pdns-recursor.settings);
+ generateSettings = type: base: dst: if (cfg."${type}".extraSettingsFile != null) then ''
+ oldUmask="$(umask)"
+ umask 006
+ cat "${base}" "${cfg."${type}".extraSettingsFile}" > "${dst}"
+ umask "$oldUmask"
+ '' else ''
+ cp "${base}" "${dst}"
+ '';
 namedConf = pkgs.writeText "pdns-named.conf" ''
 options {
@@ -206,7 +216,7 @@ in
 auth = {
 enable = mkBoolOpt' false "Whether to enable PowerDNS authoritative nameserver.";
 settings = mkOpt' configType { } "Authoritative server settings.";
- extraSettingsFile = mkOpt' (nullOr str) null "Path to extra settings (e.g. for secrets).";
+ extraSettingsFile = extraSettingsOpt;
 bind = {
 options = {
@@ -218,6 +228,11 @@ in
 };
 };
 };
+
+ recursor = {
+ enable = mkBoolOpt' false "Whether to enable PowerDNS recursive nameserver.";
+ extraSettingsFile = extraSettingsOpt;
+ };
 };
 config = mkMerge [
@@ -260,14 +275,7 @@ in
 systemd.services.pdns = {
 preStart = ''
- ${if (cfg.auth.extraSettingsFile != null) then ''
- oldUmask="$(umask)"
- umask 006
- cat ${baseAuthSettings} ${cfg.auth.extraSettingsFile} > /run/pdns/pdns.conf
- umask "$oldUmask"
- '' else ''
- cp ${baseAuthSettings} /run/pdns/pdns.conf
- ''}
+ ${generateSettings "auth" baseAuthSettings "/run/pdns/pdns.conf"}
 source ${loadZonesCommon}
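Review bot: `umask 006` in `generateSettings` creates the merged config as mode 0660, so the file that now carries the secrets spliced in from `extraSettingsFile` is group-writable as well as group-readable, and the umask has no effect at all when `${dst}` already exists, because `>` truncates in place and keeps whatever mode the old file had. Tightening to `umask 077` (or `027` if the group genuinely needs read access) and removing any stale file first, `rm -f "${dst}"`, pins the mode regardless of prior state; running it in a subshell, `( umask 077; cat "${base}" "${cfg."${type}".extraSettingsFile}" > "${dst}" )`, also drops the `oldUmask` save/restore. Since the hunk at -260 now routes the auth server through the same helper, one fix covers both daemons. The enclosing `let` starts before this hunk and continues past it.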
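Review bot: The new `recursor` option block documents `extraSettingsFile` only through the shared `extraSettingsOpt` text, which does not say why a separate file is needed: `services.pdns-recursor.settings` is rendered into the Nix store by `baseRecursorSettings` in the hunk above, so anything sensitive has to go through this option. A description such as `Path to extra settings appended to the generated config at service start (e.g. for secrets); put anything sensitive here rather than in services.pdns-recursor.settings, which is written to the world-readable Nix store.` would make that contract explicit, and the same wording fits the `auth` side now that both share the option. The enclosing option set starts before this hunk.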
@@ -300,5 +308,17 @@ in enable = true; }; }) + (mkIf cfg.recursor.enable { + systemd.services.pdns-recursor = { + preStart = '' + ${generateSettings "recursor" baseRecursorSettings "/run/pdns-recursor/recursor.conf"} + ''; + serviceConfig.ExecStart = [ "" "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=/run/pdns-recursor" ]; + }; + + services.pdns-recursor = { + enable = true; + }; + }) ]; } diff --git a/secrets/colony-netdata-powerdns.conf.age b/secrets/colony-netdata-powerdns.conf.age new file mode 100644 index 0000000..44ebc0e Binary files /dev/null and b/secrets/colony-netdata-powerdns.conf.age differ diff --git a/secrets/colony-netdata-powerdns_recursor.conf.age b/secrets/colony-netdata-powerdns_recursor.conf.age new file mode 100644 index 0000000..61cf8f8 Binary files /dev/null and b/secrets/colony-netdata-powerdns_recursor.conf.age differ diff --git a/secrets/colony-pdns-recursor.conf.age b/secrets/colony-pdns-recursor.conf.age new file mode 100644 index 0000000..7322257 --- /dev/null +++ b/secrets/colony-pdns-recursor.conf.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 B9K/XQ gNJl6io3eASmXNRrcLI3fH8UqNEeT7vbCVfks9D153g +/APb0O9268pftfeV5XY1E4CcKrCBAO69sVUBM82cmvE +-> X25519 xskN26oeA5X3rvevlBvyzz/fylb1SINSR09B+DMvSCo +hk5wowfDfxjlFjQKGLwOfA/bgB2cuHR1En9hLtGcsEk +-> sK$y-grease `L hNh +RvgnmIYLnlj6Xzs4YWg40UXHPJrnRHzR/c+X1bg5Qby/Zg +--- 8IqpUilyXUPSp+KdSCCOBN3GRWtciEjmi1bxzzTmC78 +[?RNvO5yŬ?+XB ;~!uXm95?UDĪupф_hc \ No newline at end of file diff --git a/secrets/netdata-powerdns.conf.age b/secrets/netdata-powerdns.conf.age deleted file mode 100644 index 3223896..0000000 --- a/secrets/netdata-powerdns.conf.age +++ /dev/null 
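Review bot: The new `preStart` writes the merged config to `/run/pdns-recursor/recursor.conf` and the `ExecStart` override points `--config-dir` at it, but nothing in this hunk declares that directory, so the change relies on the upstream `services.pdns-recursor` unit already setting `RuntimeDirectory` and on `preStart` running as a user that can both read the `pdns-recursor`-owned secret and write there; neither is visible from here. Adding `serviceConfig.RuntimeDirectory = "pdns-recursor";` beside the `ExecStart` override (harmless if upstream sets it too) makes that dependency explicit, and a comment on the `ExecStart` line such as `# replace the upstream command so the recursor reads the secret-merged config from /run instead of the store-rendered one` would spare the next reader from working out why the whole command line is overridden. The `ExecStart = [ "" ... ]` form is the correct way to clear the upstream value, so that part reads fine as is.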
@@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 B9K/XQ UynBAIths3H37dT79pa0u5l7rdlZrUhmXXipKam3iF0 -tJdtGeonlTjSSPFyaIcfr1q9QeV5Xwl/lL1pNEXeDJ0 --> X25519 Ti5W6oqKAoeBCBRl2yO2KtWX+Rh/brhJWJzidCY8c20 -xiDfEPLJ04LP9r8QV7AroNnJME5YLy77Sulb28HiX88 --> $T!haUSN-grease '| TTM< *N-o8 qX -4+glmJsXO4qHrxsr7TICzTG/MLYXbbs ---- W2GcnWdHA9WN6Y1EtlNPClM5WeEU3TcybzUXTtiIKXc -- _,mIE|ߎ=N䊨#KqD&w=\ 8 ~q!RL0w]ԙΞRa&aV մ|,ZT8}Vhٛt@V5S!s"[{c -hcа \ No newline at end of file