diff --git a/Puppetfile b/Puppetfile index fda7e8a..06bdf6b 100644 --- a/Puppetfile +++ b/Puppetfile @@ -27,6 +27,7 @@ mod 'puppet-selinux', '4.1.0' # other mod 'ghoneycutt-puppet', '3.3.0' mod 'saz-sudo', '8.0.0' +mod 'dalen-puppetdbquery', '3.0.1' mod 'bind', :git => 'https://git.unkin.net/unkinben/puppet-bind.git', diff --git a/hieradata/common.yaml b/hieradata/common.yaml index dce34c8..dcf2885 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -7,6 +7,7 @@ profiles::base::puppet_servers: - 'prodinf01n01.main.unkin.net' profiles::dns::master::basedir: '/var/named/sources' +profiles::dns::base::ns_role: 'roles::infra::dns::resolver' profiles::packages::base: - bash-completion diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 1182097..9abb043 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -29,9 +29,7 @@ class profiles::base ( include profiles::base::hosts include profiles::accounts::sysadmin include profiles::ntp::client - - # configure dns records for client - profiles::dns::client {"${facts['networking']['fqdn']}-default":} + include profiles::dns::base # include the python class class { 'python': diff --git a/site/profiles/manifests/dns/base.pp b/site/profiles/manifests/dns/base.pp new file mode 100644 index 0000000..6510453 --- /dev/null +++ b/site/profiles/manifests/dns/base.pp 
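Review bot: The added `mod 'dalen-puppetdbquery', '3.0.1'` line pulls in a module that, as far as I know, upstream marks as deprecated in favour of the `puppetdb_query` function shipped with the PuppetDB terminus, so it adds server-side code that is unlikely to receive fixes. If the PuppetDB version in use provides `puppetdb_query`, the lookup in profiles::dns::base could use it and this dependency could be dropped. If the module stays, a comment saying why it is needed would help, e.g. `# provides query_nodes() for profiles::dns::base`.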
@@ -0,0 +1,31 @@ +# profiles::dns::base +class profiles::dns::base ( + String $ns_role = undef, + Array $search = [], + Array $nameservers = ['8.8.8.8', '1.1.1.1'], +){ + + # if ns_role is set, find all hosts matching that enc_role + if $ns_role == undef { + $nameserver_array = $nameservers + }else{ + $nameserver_array = query_nodes("enc_role='${ns_role}'", 'networking.ip') + } + + # if search is undef, fallback to domainname from facts + if $search == [] { + $search_array = [$::facts['networking']['domain']] + }else{ + $search_array = $search + } + + # include resolvconf class + class { 'profiles::dns::resolvconf': + nameservers => $nameserver_array, + search_domains => $search_array, + } + + # export dns records for client + profiles::dns::client {"${facts['networking']['fqdn']}-default":} + +} diff --git a/site/profiles/manifests/dns/client.pp b/site/profiles/manifests/dns/client.pp index 1441299..3dca748 100644 --- a/site/profiles/manifests/dns/client.pp +++ b/site/profiles/manifests/dns/client.pp @@ -1,8 +1,8 @@ # profiles::dns::client define profiles::dns::client ( - Boolean $forward = true, - Boolean $reverse = true, - Integer $order = 10, + Boolean $forward = true, + Boolean $reverse = true, + Integer $order = 10, ){ $intf = $facts['networking']['primary'] diff --git a/site/profiles/manifests/dns/resolvconf.pp b/site/profiles/manifests/dns/resolvconf.pp new file mode 100644 index 0000000..e8b44c9 --- /dev/null +++ b/site/profiles/manifests/dns/resolvconf.pp @@ -0,0 +1,14 @@ +# profiles::dns::resolvconf +class profiles::dns::resolvconf ( + Array[String] $nameservers, + Array[String] $search_domains, +) { + + file { '/etc/resolv.conf': + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + content => template('profiles/dns/resolvconf.erb'), + } +} diff --git a/site/profiles/templates/dns/resolvconf.erb b/site/profiles/templates/dns/resolvconf.erb new file mode 100644 index 0000000..f0a91c8 --- /dev/null 
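Review bot: In profiles::dns::base the resolver list written to every node comes straight from `query_nodes("enc_role='${ns_role}'", 'networking.ip')`, and two cases are not handled. An empty result (for example, no resolver has reported to PuppetDB yet) yields a resolv.conf with no nameserver lines, and `String $ns_role = undef` cannot be left unset because String rejects undef, so the `$nameservers` fallback branch is not reachable without a type error. Separately, `enc_role` looks like an agent-reported fact; if so, any node that reports that value is added to every host's resolv.conf, so it would be safer to match on something the server controls, such as a certificate extension exposed in `$trusted`, or to check the returned addresses against an allow-list. The fence below makes the parameter optional and falls back to `$nameservers` when the query returns nothing.

```puppet
class profiles::dns::base (
  Optional[String] $ns_role = undef,
  # … unchanged: $search and $nameservers parameters …
){

  if $ns_role == undef {
    $nameserver_array = $nameservers
  } else {
    $resolver_ips = query_nodes("enc_role='${ns_role}'", 'networking.ip')
    # keep the static list if no resolver is known, rather than writing an empty resolv.conf
    if $resolver_ips == [] {
      $nameserver_array = $nameservers
    } else {
      $nameserver_array = $resolver_ips
    }
  }
  # … unchanged: search domain fallback, resolvconf class, dns client record …
```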
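Review bot: `Array[String] $nameservers` and `Array[String] $search_domains` in profiles::dns::resolvconf accept any string, and both are rendered unescaped into /etc/resolv.conf, so a value containing whitespace or a newline would add extra resolver directives. Since the nameserver list can come from PuppetDB data rather than from Hiera, tightening the types at this boundary is worthwhile, for example `Array[Pattern[/\A[0-9A-Fa-f:.]+\z/]] $nameservers,` and a hostname pattern for the search domains. A short comment above the file resource stating that the class replaces the whole file, including entries another network tool may have written, would also help.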
+++ b/site/profiles/templates/dns/resolvconf.erb
@@ -0,0 +1,7 @@
+# Managed by Puppet
+<% @nameservers.each do |ns| -%>
+nameserver <%= ns %>
+<% end -%>
+<% unless @search_domains.empty? -%>
+search <%= @search_domains.join(' ') %>
+<% end -%>
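Review bot: The loop emits one `nameserver` line per element with no cap, but the glibc resolver only reads the first three, and the list may arrive in whatever order the PuppetDB query returns it. If that order is not stable, both the file content and the resolvers a host actually uses can change between runs. `<% @nameservers.sort.first(3).each do |ns| -%>` would make the output deterministic and keep it within what the resolver honours.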