# NixOS module: BIND 9 as a forward-only caching resolver for two internal
# networks. Every listed logging category goes to a stderr channel, and the
# unit's stderr is sent to the journal.
{ lib, config, ... }:
let
  # BIND logging categories that are routed to `stderr_chan` below.
  #
  # NOTE(review): per the BIND ARM, naming the `queries` category in a
  # logging block turns query logging on at startup unless `querylog` is set
  # explicitly, so each client lookup and its source address would end up in
  # the journal. Confirm that is wanted outside of debugging, and that journal
  # read access and retention are scoped accordingly.
  #
  # NOTE(review): `sslkeylog` is the category BIND documents for TLS
  # pre-master secrets when key logging is switched on through SSLKEYLOGFILE.
  # Sending it to a shared journal would expose session keys to anyone who can
  # read the journal; consider dropping it unless TLS is being debugged.
  logCategories = [
    "client"
    "cname"
    "config"
    "database"
    "default"
    "dispatch"
    "dnssec"
    "dnstap"
    "edns-disabled"
    "general"
    "lame-servers"
    "network"
    "notify"
    "nsid"
    "queries"
    "query-errors"
    "rate-limit"
    "resolver"
    "rpz"
    "rpz-passthru"
    "security"
    "serve-stale"
    "spill"
    "sslkeylog"
    "trust-anchor-telemetry"
    "unmatched"
    "update"
    "update-security"
    "xfer-in"
    "xfer-out"
    "zoneload"
  ];

  # One `category <name> { stderr_chan; };` statement per entry.
  categoryStatements = lib.concatMapStringsSep "\n" (
    category: "category ${category} { stderr_chan; };"
  ) logCategories;
in
{
  services.bind = {
    enable = true;

    # "only": never fall back to iterative resolution; all recursion goes
    # through the forwarders.
    forward = "only";

    # Upstream resolvers, plain DNS on port 53 (no transport encryption).
    # NOTE(review): 1.1.0.0 is not one of Cloudflare's published resolver
    # addresses (those are 1.1.1.1 and 1.0.0.1). With forward = "only" an
    # unresponsive second forwarder leaves 1.1.1.1 as a single point of
    # failure. Confirm the address.
    forwarders = [
      "1.1.1.1 port 53"
      "1.1.0.0 port 53"
    ];

    directory = "/var/lib/bind";

    # Client networks for the cache ACL.
    # NOTE(review): no loopback range is listed here; if this host resolves
    # through its own named, confirm that is covered elsewhere.
    cacheNetworks = [
      "10.1.0.0/19"
      "192.168.1.0/24"
    ];

    # Single stderr channel at dynamic severity, tagged with category and
    # severity so journal entries can be filtered.
    extraConfig = ''
      logging {
        channel stderr_chan {
          print-category yes;
          print-severity yes;
          severity dynamic;
          stderr;
        };
        ${categoryStatements}
      };
    '';

    # - dnssec-validation auto: validate answers against the built-in root
    #   trust anchor; this gives integrity for signed zones even though the
    #   forwarder hop is unencrypted.
    # - max-ncache-ttl 1M: presumably one minute (TTL-style suffix); confirm
    #   that is the intended unit.
    # - allow-query-cache: limits cached answers to the `cachenetworks` ACL,
    #   which is expected to be generated by the NixOS bind module from
    #   `cacheNetworks` above. TODO confirm against the module in use.
    extraOptions = ''
      dnssec-validation auto;
      max-cache-size 512M;
      max-ncache-ttl 1M;
      allow-query-cache { cachenetworks; };
    '';
  };

  # Capture what named writes to stderr (the logging channel above) in the
  # systemd journal.
  systemd.services.bind.serviceConfig.StandardError = "journal";
}