diff --git a/nixos/modules/services/networking/dnscache.nix b/nixos/modules/services/networking/dnscache.nix
index f782be97f6fa..379203cd1ab6 100644
--- a/nixos/modules/services/networking/dnscache.nix
+++ b/nixos/modules/services/networking/dnscache.nix
@@ -18,10 +18,13 @@ let
       '') ips}
     '') cfg.domainServers)}
 
-    # djbdns contains an outdated list of root servers;
-    # if one was not provided in config, provide a current list
-    if [ ! -e servers/@ ]; then
-      awk '/^.?.ROOT-SERVERS.NET/ { print $4 }' ${pkgs.dns-root-data}/root.hints > $out/servers/@
+    # if a list of root servers was not provided in config, copy it
+    # over. (this is also done by dnscache-conf, but we 'rm -rf
+    # /var/lib/dnscache/root' below & replace it wholesale with this,
+    # so we have to ensure servers/@ exists ourselves.)
+    if [ ! -e $out/servers/@ ]; then
+      # symlink does not work here, due chroot
+      cp ${pkgs.djbdns}/etc/dnsroots.global $out/servers/@;
     fi
   '';
 
diff --git a/pkgs/tools/networking/djbdns/default.nix b/pkgs/tools/networking/djbdns/default.nix
index 178d27f20184..b8a7133e7bc7 100644
--- a/pkgs/tools/networking/djbdns/default.nix
+++ b/pkgs/tools/networking/djbdns/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, glibc } :
+{ stdenv, fetchurl, glibc, dns-root-data } :
 
 let
   version = "1.05";
@@ -23,6 +23,8 @@ stdenv.mkDerivation {
   postPatch = ''
     echo gcc -O2 -include ${glibc.dev}/include/errno.h > conf-cc
     echo $out > conf-home
+    # djbdns ships with an outdated list of root servers
+    awk '/^.?.ROOT-SERVERS.NET/ { print $4 }' ${dns-root-data}/root.hints > dnsroots.global
     sed -i "s|/etc/dnsroots.global|$out/etc/dnsroots.global|" dnscache-conf.c
   '';