diff --git a/roles/float-base-dns-resolver/defaults/main.yml b/roles/float-base-dns-resolver/defaults/main.yml
index bbe15054c0b289fb285a067785b9b656f861e24d..1eab7fa8cc91378fc3fe1108d0d61c8e308f2ba6 100644
--- a/roles/float-base-dns-resolver/defaults/main.yml
+++ b/roles/float-base-dns-resolver/defaults/main.yml
@@ -1,7 +1,5 @@
-# How to configure resolv.conf, one of the following options:
-# 'ignore' - do nothing and leave resolv.conf alone
-# 'localhost' - use localhost as the name server (presumably a cache)
-# 'internal:NET' - use the frontend hosts as resolvers, over the
-#   specified overlay network NET
-# 'external' - use Google Public DNS.
-resolver_mode: "ignore"
+resolver:
+  # Mode should be one of 'internal', 'default'.
+  mode: internal
+  service: frontend
+  overlay_network: vpn0
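Review bot: The comment on `mode` lists 'internal' and 'default' without saying what either does, while the block that explained each option is removed. Going by the dnsmasq template in this commit, 'default' forwards to 8.8.8.8/8.8.4.4, so I would spell both out: `# 'internal' - forward to the hosts of 'service' over 'overlay_network'` and `# 'default' - forward to Google Public DNS (queries leave the infrastructure)`. Because `resolver` is now a dictionary, an inventory that overrides it replaces the whole value under Ansible's default hash behaviour, so a partial override would drop `mode`, which the template reads without `.get()`. A one-line comment saying that all keys must be set together would prevent this.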
diff --git a/roles/float-base-dns-resolver/handlers/main.yml b/roles/float-base-dns-resolver/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..46ee32c5b8451cb2c590597082812ec01b6726d6
--- /dev/null
+++ b/roles/float-base-dns-resolver/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- listen: reload dnsmasq
+  command: "systemctl reload dnsmasq.service"
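Review bot: `systemctl reload dnsmasq.service` is probably not enough to apply a rewritten /etc/dnsmasq.conf. dnsmasq does not re-read its configuration file on SIGHUP (it clears the cache and reloads hosts-style files only), and a unit's reload action is normally that signal, so unless the unit's ExecReload does something else the old `server=` lines stay in effect until the next restart. I would restart instead and use the module rather than a raw command: `service: name=dnsmasq state=restarted`. The handler also has only `listen:` and no `name:`; adding `name: Restart dnsmasq` makes the run output readable.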
diff --git a/roles/float-base-dns-resolver/tasks/main.yml b/roles/float-base-dns-resolver/tasks/main.yml
index 08c88d5064c4e608424153a92b6416bcaf11693a..98fdc9d87fe72857f19eb94d4d117c4282a97780 100644
--- a/roles/float-base-dns-resolver/tasks/main.yml
+++ b/roles/float-base-dns-resolver/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 
-- name: Configure resolv.conf
+- name: Configure upstream resolver for dnsmasq
   template:
-    src: "resolv.conf.j2"
-    dest: "/etc/resolv.conf"
-  when: "resolver_mode != 'ignore'"
+    src: "dnsmasq.conf.j2"
+    dest: "/etc/dnsmasq.conf"
+  notify: reload dnsmasq
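Review bot: The template task writes the whole of /etc/dnsmasq.conf with no `validate`, `owner`/`group` or `mode`. A rendering mistake is therefore only found when the daemon is reloaded, and the file permissions are left to whatever the run's umask produces. Suggest adding `mode: "0644"` and `validate: "dnsmasq --test --conf-file=%s"` under `template:`. With the `when` guard gone the role always rewrites the file, so there is no longer an opt-out equivalent to the old 'ignore' mode; if that is intended it is worth stating in the role's documentation.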
diff --git a/roles/float-base-dns-resolver/templates/dnsmasq.conf.j2 b/roles/float-base-dns-resolver/templates/dnsmasq.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c6fa80a02d3d3aa87f9d357340e6b347fba57d56
--- /dev/null
+++ b/roles/float-base-dns-resolver/templates/dnsmasq.conf.j2
@@ -0,0 +1,10 @@
+{% if resolver.mode == 'internal' %}
+{% set dns_overlay_net = resolver.get('overlay_network', net_overlays[0].name) %}
+{% set dns_service_group = services[resolver.get('service', 'frontend')].group_name %}
+{% for h in groups[dns_service_group] | sort %}
+server={{ hostvars[h]['ip_' + dns_overlay_net] }}
+{% endfor %}
+{% else %}
+server=8.8.8.8
+server=8.8.4.4
+{% endif %}
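Review bot: The `{% else %}` branch is taken for every value of `resolver.mode` other than the exact string 'internal', so a typo or a value carried over from the old `resolver_mode` variable silently points the host at 8.8.8.8/8.8.4.4 and sends internal lookups to a third party. Make the public branch explicit with `{% elif resolver.mode == 'default' %}` and reject anything else, for example with an `assert` task on `resolver.mode in ['internal', 'default']` before the template runs. The rendered file also has no `no-resolv` line, so as far as this file shows dnsmasq will still add the name servers from /etc/resolv.conf to its upstream list; putting `no-resolv` at the top keeps internal mode confined to the overlay resolvers. An empty service group in internal mode renders no `server=` line at all, which the same assert should catch.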
diff --git a/roles/float-base-dns-resolver/templates/resolv.conf.j2 b/roles/float-base-dns-resolver/templates/resolv.conf.j2
deleted file mode 100644
index 515fb0cbdcf16f3e2d136f79102d6d4e033e4a42..0000000000000000000000000000000000000000
--- a/roles/float-base-dns-resolver/templates/resolv.conf.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-{% if resolver_mode == 'localhost' %}
-nameserver 127.0.0.1
-options edns0
-{% elif resolver_mode.startswith('internal:') %}
-{% set dns_overlay_net = resolver_mode[9:] %}
-{% for h in services['dns'].hosts | sort %}
-nameserver {{ hostvars[h]['ip_' + dns_overlay_net] }}
-{% endfor %}
-options edns0 rotate
-{% else %}
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-options edns0
-{% endif %}
-