diff --git a/roles/base/files/etc/systemd/system/update-ffhl-dns.service b/roles/base/files/etc/systemd/system/update-ffhl-dns.service
index 15af577b4ff594da20759f230d208cc28a62ceac..2fe576323de40d49df75fdc9ed8a5c0bab0d25dc 100644
--- a/roles/base/files/etc/systemd/system/update-ffhl-dns.service
+++ b/roles/base/files/etc/systemd/system/update-ffhl-dns.service
@@ -1,4 +1,3 @@
 [Service]
 Type=oneshot
-WorkingDirectory=/var/local/ffhl-dns
-ExecStart=/usr/bin/git pull
+ExecStart=/usr/local/lib/ffhl/update-dns.sh
\ No newline at end of file
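Review bot: The unit now consists of only `Type=oneshot` and the new `ExecStart=`, with no `User=` and no sandboxing, so `update-dns.sh` runs as root with the whole filesystem writable while it fetches content from a remote repository. Consider confining it to what it needs, for example `ProtectSystem=strict`, `ReadWritePaths=/var/lib/powerdns/zones` and `PrivateTmp=true`. `pdns_control reload` may also need access to the PowerDNS control socket directory, so confirm that path before tightening the unit.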
diff --git a/roles/base/files/scripts/update-dns.sh b/roles/base/files/scripts/update-dns.sh
new file mode 100644
index 0000000000000000000000000000000000000000..35bd5598b8362c2034c61aefe1ca3ea23038252c
--- /dev/null
+++ b/roles/base/files/scripts/update-dns.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+DIR=$(mktemp -d)
+DEST=/var/lib/powerdns/zones
+REPO=https://git.luebeck.freifunk.net/FreifunkLuebeck/ffhl-dns.git
+
+mkdir -p "$DEST"
+git clone "$REPO" "$DIR"
+git --git-dir="$DIR/.git" --work-tree="$DEST" reset --hard
+
+rm -rf $DIR
+
+pdns_control reload
\ No newline at end of file
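Review bot: `rm -rf $DIR` near the end is unquoted and only runs on success; with `set -e`, a failed `git clone` or `reset` exits first and leaves the temporary clone behind. Register the cleanup straight after `mktemp` with `trap 'rm -rf -- "$DIR"' EXIT` and drop the later `rm`. Separately, whatever the remote's default branch holds is written into `$DEST` and loaded by `pdns_control reload` with no integrity or sanity check; consider checking a signed commit first (`git --git-dir="$DIR/.git" verify-commit HEAD`) or validating the zones before the reload. It also looks as if files deleted upstream would remain in `$DEST`, since the fresh clone's index never tracked them there; that is worth confirming.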
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 2a4590b56d6a36a0b6d9141175a205180ea8c3c0..15e810404c592b2035044b0e7c9e1a1ca38b40e2 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -1,8 +1,16 @@
 ---
-
 - name: copy base configs
   tags: [base, etc, apt, powerdns]
-  copy: src=etc/ dest=/etc
+  copy:
+    src: etc/
+    dest: /etc
+
+- name: copy scripts
+  tags: [base, powerdns]
+  copy:
+    src: scripts/
+    dest: /usr/local/lib/ffhl/
+    mode: a+x
 
 - name: install packages
   include: software.yml
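Review bot: `mode: a+x` in the new `copy scripts` task only adds execute bits to whatever permissions the files otherwise get, and no `owner` or `group` is set, so the final permissions of a script that systemd executes are left to defaults. Since `update-ffhl-dns.service` runs `/usr/local/lib/ffhl/update-dns.sh`, pin them explicitly with `owner: root`, `group: root` and `mode: "0755"` (quoted so it is not read as an integer). Setting `directory_mode` as well would keep `/usr/local/lib/ffhl/` itself from being created with looser permissions.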
@@ -26,7 +34,6 @@
     apply:
       tags: [base]
 
-
 - name: Disable root login with password
   tags: [base]
   lineinfile: dest=/etc/ssh/sshd_config regexp="^#?PermitRootLogin" line="PermitRootLogin without-password"
@@ -34,7 +41,6 @@
 - name: reload sysctl
   command: sysctl -p --system
 
-
 - name: add freifunk routing table
   tags: [network]
   lineinfile:
@@ -45,8 +51,6 @@
   copy: src=host/{{ inventory_hostname }}/etc/ dest=/etc
   tags: [bird]
 
-
-
 - name: networkd templates
   tags: [systemd-networkd]
   block:
@@ -59,7 +63,6 @@
         state: restarted
         name: systemd-networkd
 
-
 - name: template iptables
   tags: [iptables, network]
   block:
@@ -70,7 +73,6 @@
         state: restarted
         name: netfilter-persistent.service
 
-
 # sometimes disabled (dunno why)
 - name: enable systemd-networkd
   tags: [network]
@@ -78,7 +80,6 @@
     enabled: yes
     name: systemd-networkd
 
-
 - name: mesh-vpn
   tags: [fastd, mesh-vpn]
   include: mesh-vpn.yml
@@ -87,13 +88,11 @@
   tags: [gwvpn, fastd]
   include: gwvpn.yml
 
-
 - name: reload systemd
   systemd:
     daemon_reload: yes
 
 
-
 - include: radvd.yml
   tags: [network, radvd]
 - include: dhcpd.yml
@@ -101,7 +100,6 @@
 - include: powerdns.yml
   tags: [powerdns, network]
 
-
 - include: bird.yml
   tags: [bird]