diff --git a/setup/dns.sh b/setup/dns.sh
index 5d86227a..36086108 100755
--- a/setup/dns.sh
+++ b/setup/dns.sh
@@ -10,17 +10,13 @@
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
 
-# Install the packages.
-#
-# * nsd: The non-recursive nameserver that publishes our DNS records.
-# * ldnsutils: Helper utilities for signing DNSSEC zones.
-# * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.
-echo "Installing nsd (DNS server)..."
-apt_install nsd ldnsutils openssh-client
-
 # Prepare nsd's configuration.
-
+# We configure nsd before installation as we only want it to bind to some addresses
+# and it otherwise will have port / bind conflicts with bind9 used as the local resolver
 mkdir -p /var/run/nsd
+mkdir -p /etc/nsd
+mkdir -p /etc/nsd/zones
+touch /etc/nsd/zones.conf
 
 cat > /etc/nsd/nsd.conf << EOF;
 # Do not edit. Overwritten by Mail-in-a-Box setup.
@@ -40,6 +36,15 @@ server:
   # See https://www.nlnetlabs.nl/projects/nsd/nsd.conf.5.html.
   ip-transparent: yes
 
+  # Since we have bind9 listening on localhost for locally-generated
+  # DNS queries that require a recursive name server, and the system
+  # might have other network interfaces for e.g. tunnelling, we have
+  # to be specific about the network interfaces that nsd binds to.
+  ${PRIVATE_IP:+ip-address: $PRIVATE_IP}
+  ${PRIVATE_IPV6:+ip-address: $PRIVATE_IPV6}
+
+# Zones created and edited via the management interface get written here
+include: /etc/nsd/zones.conf
 EOF
 
 # Add log rotation
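Review bot: Writing /etc/nsd/nsd.conf before the nsd package exists (this hunk, with apt_install moved down in the -54 hunk) relies on dpkg keeping the pre-existing file when the package's own nsd.conf conffile is unpacked; apt_install's dpkg options are not visible here, so it is worth confirming it passes --force-confold or equivalent. If it does not, the packaged default, which carries no ip-address restriction, would replace the generated file and the bind9 port conflict the new comment describes would come back on first install. Suggest recording that dependency next to the new comment: `# NOTE: apt_install must keep this pre-existing conffile (dpkg --force-confold) or the package default will overwrite it.`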
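Review bot: The two `${PRIVATE_IP:+...}` lines emit nothing when both variables are empty, so nsd would get no ip-address directive at all and bind every address including 127.0.0.1, colliding with bind9, which is exactly what the new comment says these lines exist to prevent. PRIVATE_IP is presumably populated by an earlier setup step via the sourced /etc/mailinabox.conf, but a guard before the heredoc turns that into a clear setup error instead of a port conflict at service start: `: "${PRIVATE_IP:?PRIVATE_IP must be set in /etc/mailinabox.conf}"`.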
@@ -54,15 +59,13 @@ cat > /etc/logrotate.d/nsd <> /etc/nsd/nsd.conf;
-done
-
-echo "include: /etc/nsd/zones.conf" >> /etc/nsd/nsd.conf;
+# Install the packages.
+#
+# * nsd: The non-recursive nameserver that publishes our DNS records.
+# * ldnsutils: Helper utilities for signing DNSSEC zones.
+# * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.
+echo "Installing nsd (DNS server)..."
+apt_install nsd ldnsutils openssh-client
 # Create DNSSEC signing keys.
diff --git a/setup/system.sh b/setup/system.sh
index 0e7c85ad..c5b6838d 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -309,14 +309,15 @@ fi #NODOC
 #
 # About the settings:
 #
-# * Adding -4 to OPTIONS will have `bind9` not listen on IPv6 addresses
-# so that we're sure there's no conflict with nsd, our public domain
-# name server, on IPV6.
+# * Changing listen-on-v6 to `none` from `any` will stop `bind9` from listen on IPv6 addresses
+# so that we're sure there's no conflict with nsd, our public domain name server, on IPV6.
 # * The listen-on directive in named.conf.options restricts `bind9` to
 # binding to the loopback interface instead of all interfaces.
 apt_install bind9
-tools/editconf.py /etc/default/bind9 \
-	"OPTIONS=\"-u bind -4\""
+tools/editconf.py /etc/bind/named.conf.options \
+	-s -c '//' \
+	' listen-on-v6={ none; };'
+# Unable to use editconfig.py here as `listen-on` should go inside the options `{}` block
 if ! grep -q "listen-on " /etc/bind/named.conf.options; then
 	# Add a listen-on directive if it doesn't exist inside the options block.
 	sed -i "s/^}/\n\tlisten-on { 127.0.0.1; };\n}/" /etc/bind/named.conf.options
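Review bot: The new editconf.py call on named.conf.options assumes a listen-on-v6 line already exists inside the options block; if it is absent, editconf.py (not visible here) will most likely append the directive at the end of the file, outside `options { }`, which is the very placement problem the comment on the following line gives as the reason for not using it for listen-on. Consider guarding it the way the listen-on branch below does, with a `grep -q "listen-on-v6" /etc/bind/named.conf.options` check before the edit and an in-block insert when the line is missing, or at least verifying the resulting file with `named-checkconf` so a misplaced directive fails setup rather than leaving bind9 unable to start. A wording nit in the rewritten comment: `from listen on IPv6 addresses` should read `from listening on IPv6 addresses`.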